Network Operations and Distributed Computing Controls

Audit Program

NETWORK SOFTWARE

CTIS (Computing, Telecommunications and Information Services) management should implement procedures to monitor and control the communications software and system software used by the network.

Software Communications

Control Objective: The CTIS department must establish procedures for managing and monitoring the use of communications software in the University's distributed data processing network.

Audit Guideline: The network communications software procedures established by the CTIS department for managing and monitoring the use of the communications software shall be reviewed.

  1. Determine, through interviews with the CTIS department staff members who are responsible for the design and maintenance of the communications aspects of the University's distributed data processing network, that standard communications transmission procedures are in use and that written statements of these procedures have been sent to each of the sites served by the network.
  2. Determine whether each network message or transmitted data unit sent through the University's distributed data processing network contains codes which identify the sender and the intended receiver. Verify that all outgoing messages are routinely edited to assure that they contain valid destination addresses.
  3. Determine whether procedures exist within the University's distributed data processing network: (1) for temporarily storing messages that are destined for user department sites that are not in service at the time of the message's original transmission and (2) for retransmitting these messages automatically when service is resumed at these sites.
  4. Verify that the CTIS department has issued written statements dealing with the maintenance of normal and alternate communications capabilities in the University's distributed data processing network, and that current copies of these documents exist at each of the user department sites served by the network.
  5. Review transmission priorities assigned to messages sent on the University's distributed data processing network. Those defined by class of user should be using log-on mode tables. Those defined by line should be using line interrupt priorities.
  6. Determine that these assignments are consistent with the relevant policies of the University's senior management and are appropriate to the needs of the user departments involved.
  7. Verify that any software purchased for use in the University's distributed data processing network contains adequate built-in error correction routines and performance analysis monitoring capabilities.
  8. Verify that the software used in the University's distributed data processing network is maintained either by assigned members of the CTIS department's staff or by representatives of the appropriate vendor.

Access to Network Operating Systems Software

Control Objective: The CTIS department should establish procedures for managing and monitoring the secure use of -- and any changes to -- operating system software used in the University's distributed data processing network.

Audit Guideline: The CTIS department's procedures for managing and monitoring the use of network operating system software shall be reviewed.

  1. Verify that all of the changes, made at the user department sites and by the CTIS department to the operating system software used by the University's distributed data processing network, are controlled by the department and that any unauthorized changes can be detected promptly by those department staff members who are responsible for managing the operations of the network.

Password Administration

Control Objective: Logical access to the University's computing resources should be restricted by the use of a password associated with access rules.

Audit Guideline: The CTIS department's procedures for password use and other logical restrictions on access to computer resources shall be examined.

  1. Review the CTIS department's procedure for adding individuals to the list of those authorized to have access to computer resources, changing their access capabilities, and deleting them from this list.
  2. Review the CTIS department's procedure for issuing passwords to ensure that individual passwords are not disclosed inadvertently and determine if -- and when -- individuals are required to change newly assigned passwords.
  3. Determine if the passwords issued by the CTIS department are of adequate length, cannot be easily guessed, and do not contain repeating characters.
  4. Ascertain if the CTIS department's procedure requires that passwords be changed periodically and that particular passwords cannot be reused by the same individual.
  5. Verify that the CTIS department's procedures assure that passwords are not displayed during the logon process, are not printed on output, and are stored by data processing operations in an encrypted file.
  6. Determine if users are restricted by CTIS department procedures to specific terminals, time of day, and days of the week where exposures warrant additional access controls.
  7. Interview selected users either in person or via e-mail to determine when passwords were last changed.
  8. In a department where an employee has recently terminated employment, determine if the employee's password has been deleted.
  9. Determine how access to password tables is restricted. Determine if access is restricted to only those who really need access to the table.
  10. Determine if users are logged off automatically under CTIS department procedures if they have not been active for a specific length of time -- usually expressed in minutes of inactivity.
  11. Determine if the University's user department management periodically validates the access capabilities currently provided to individuals in their department.
  12. Determine if the University's user department procedures provide for prompt cancellation of identification codes and passwords when the employment of the individual to whom they are assigned has been terminated.
  13. Determine whether CTIS department procedures provide for the suspension of user identification codes or the disabling of terminal, microcomputer, or data entry device activity after a particular number of security procedure violations. Test to see that there is a limit on the number of unsuccessful attempts to sign on.
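
The following is an added example, not part of the original audit program: one way an auditor could test steps 4, 7, 8, 12 and 13 above against an exported account list. The CSV layout, the user names, the termination list and both thresholds are constructed assumptions; the audit program itself does not state numeric limits.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from the page): account export and HR termination list.
ACCOUNTS_CSV = """user,enabled,password_changed,failed_logons,locked
asmith,yes,2024-05-01,0,no
bjones,yes,2023-01-15,2,no
cwu,yes,2024-04-20,12,no
dlee,no,2023-11-02,0,no
epatel,yes,2024-03-30,9,yes
"""
TERMINATED = {"bjones": date(2024, 2, 28), "dlee": date(2023, 12, 1)}

# Assumed thresholds; the audit program does not state numeric values.
MAX_PASSWORD_AGE_DAYS = 90
MAX_FAILED_LOGONS = 5

def audit_accounts(accounts_csv, terminated, as_of):
    """Return sorted (user, finding) tuples for accounts that fail a check."""
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        user = row["user"]
        enabled = row["enabled"] == "yes"
        # Steps 8 and 12: a terminated employee's ID must already be cancelled.
        if enabled and user in terminated and terminated[user] <= as_of:
            findings.append((user, "enabled after termination"))
        if not enabled:
            continue  # disabled accounts cannot log on; skip remaining checks
        # Steps 4 and 7: passwords must be changed periodically.
        age = (as_of - date.fromisoformat(row["password_changed"])).days
        if age > MAX_PASSWORD_AGE_DAYS:
            findings.append((user, f"password {age} days old"))
        # Step 13: repeated failures should have suspended the ID.
        if int(row["failed_logons"]) > MAX_FAILED_LOGONS and row["locked"] != "yes":
            findings.append((user, "failed-logon limit not enforced"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS_CSV, TERMINATED, date(2024, 6, 1)):
        print(f"{user}: {finding}")
```

Each finding is a lead for follow-up, for example confirming with the user department why a terminated employee's ID is still enabled.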

Violations and Security Activity Reports

Control Objective: The CTIS department's information security procedures should assure that violation and security activity reports are reviewed regularly to identify and resolve incidents involving unauthorized activity.

Audit Guideline: The adequacy and effectiveness of the CTIS department's procedures for reviewing and resolving reports of security violations and associated activities shall be examined.

  1. Review the CTIS department's procedures for reviewing and resolving reports of information security violations and verify that these are being applied.
  2. Determine if changes to the CTIS department's records of security violations are recorded and that these changes are reviewed by an independent individual and verify that documents authorizing these file changes exist.
  3. Determine if the CTIS department's records of security violations are protected from accidental or intentional destruction.

Logical Access Restrictions

Control Objective: The CTIS department should establish automated rules governing access to its computing resources.

Audit Guideline: The CTIS department's procedures for granting access to its computing resources, including TCP/IP screens, shall be examined.

  1. Determine if the CTIS procedures provide that authorized users of its computing resources must be given specific permission to access particular resources, including data files, application processing programs, the operating system, and various commands.
  2. Determine if documentation exists justifying the users' needs and authorization to access specific information system resources.
  3. Review procedures for emergency or temporary access to information system resources. Determine if special authorization must be obtained, only temporary access is granted, and management is notified of the access. Verify that temporary access is granted infrequently.
  4. Verify that separation of duties among the information system functions is maintained by the access control system and determine that systems programmers and application programmers do not have access to production programs and data.

Security of On-Line Access to Data (TCP/IP)

Control Objective: In an on-line data processing environment, the CTIS procedures should provide access security control based on the individual's demonstrated need to view, add, change, or delete data.

Audit Guideline: The CTIS procedures for authorizing access to an on-line data processing environment (TCP/IP) shall be reviewed.

  1. Determine if the CTIS procedures for authorizing access to an on-line processing environment (TCP/IP) permit limiting the functions of viewing, adding, changing, and deleting data, and restricting each individual's access to only those data transactions for which there is a demonstrated need.
  2. Determine if the University's user department management periodically validates the access capabilities currently provided to the on-line data processing environment (TCP/IP) for individuals in their department.