The following checklist should be completed prior to auditing a Local Area Network (LAN). Completing the suggested tasks will help you to gain an overall understanding of LANs in general, and a more specific understanding of the LAN environment you will be looking at. Once this section is completed, use the LAN Package as a guideline to assist you throughout the review.
I. Familiarization with LANs and a LAN Review:
Familiarize yourself with the LAN Package.
Review contents, and understand the objectives and scope of each topic/section.
Review and become familiar with the applicable company standards.
Read the reference materials to help you:
Gain a general understanding of LAN issues, risks, impacts
Become familiar with LAN and Novell specific terminology
Better communicate with the LAN Administrator
Talk with an auditor who has audited a LAN.
Gain their insight on how to get started, what areas to focus on, who to go to for help, etc.
Determine what problems, if any, they came across and how they solved them.
Determine if the business area, or a similar area (e.g. claim service centers) has previously been reviewed.
Receive training on the utilities available to audit a LAN (e.g. BINDVIEW).
Get trained using the test server in the Internal Audit Department (contact Heidi Papalia or Steve Tarca).
Execute sample reports.
Become familiar with the utilities products.
II. Planning:
Understand the security aspects of the environment.
Determine what facilities are relied upon for what information (i.e. where does LAN security "hand-off" to the mainframe?, does the LAN identify, authenticate, and validate authorization to resource?, etc.).
Obtain, from the LAN Administrator, a list of all file server, database server, and print server names that support the business being audited.
Determine what data is stored on each server (i.e. executable code, data files, confidential?)
Determine if the LAN is attached to other LANs, or the corporate backbone. (For an example, see Page 3 of "Auditing Novell NetWare LANs using Traveling BINDVIEW NCS", in the Logical Access Security section.)
Draw a map of the LAN environment (i.e. using a flow chart).
Understand key components and interfaces.
Get a basic overall understanding of how the LAN environment, and applications on the LAN, support the business area by talking to the LAN Administrator and/or business area. (This will help you focus your efforts during the execution of detail steps found in this package.)
Define an initial scope of what you are planning to review.
Determine which areas of the LAN environment are critical to the business area you are auditing.
Determine any areas that have been experiencing problems.
Determine with the LAN Administrator any additional areas or aspects that you may want to include in your scope.
III. Planning: Test Strategy
Determine what tests are going to be done, what criteria is to be evaluated, etc.
Determine which software product will be used to analyze workstations for software compliance testing (e.g. SPAudit).
Identify where in the process you will need assistance from other people (i.e. department experts, CAAT Team, etc.).
Contact them to let them know what you will need from them and the amount of time they will need to provide.
Walk through your detailed scope with the customer/business area.
Let the customer know what standards you will be using for evaluation criteria. Provide copies if necessary.
Determine if the LAN Administrator will use his/her ID to run utilities with you, or if you need to obtain an Supervisor ID and password to gain access to the LAN environment.