Network Operations and Distributed Computing Controls
Audit Program
CTIS (Computing, Telecommunications and Information Services)
management should implement procedures to monitor and control
the communications software and system software used by the network.
Software Communications
Control Objective: The CTIS department must establish
procedures for managing and monitoring the use of communications
software in the University's distributed data processing network.
Audit Guideline: The network communications software
procedures established by the CTIS department for managing and
monitoring the use of the communications software shall be reviewed.
- Determine, through interviews with the CTIS department staff
members who are responsible for the design and maintenance of
the communications aspects of the University's distributed data
processing network, that standard communications transmission
procedures are in use and that written statements of these procedures
have been sent to each of the sites served by the network.
- Determine whether each network message or transmitted data
unit, sent through the University's distributed data processing
network, contains codes which identify the sender and the intended
receiver. Verify that all outgoing messages routinely are edited
to assure that they contain valid destination addresses.
- Determine whether procedures exist within the University's
distributed data processing network: (1) for temporarily storing
messages that are destined for user department sites that are
not in service at the time of the message's original transmission
and (2) for retransmitting these messages automatically when service
is resumed at these sites.
- Verify that the CTIS department has issued written statements
dealing with the maintenance of normal and alternate communications
capabilities in the University's distributed data processing network,
and that current copies of these documents exist at each of the
user department sites served by the network.
- Review transmission priorities assigned to messages sent on
the University's distributed data processing network. Those defined
by class of user should be using log-on mode tables. Those defined
by line should be using line interrupt priorities.
- Determine that these assignments are consistent with the relevant
policies of the University's senior management and are appropriate
to the needs of the user departments involved.
- Verify that any software purchased for use in the University's
distributed data processing network contains adequate built-in
error correction routines and performance analysis monitoring
capabilities.
- Verify that the software used in the University's distributed
data processing network is maintained either by assigned members
of the CTIS department's staff or by representatives of the appropriate
vendor.
Control Objective: The CTIS department should establish
procedures for managing and monitoring the secure use of -- and
any changes to -- operating system software used in the University's
distributed data processing network.
Audit Guideline: The CTIS department's procedures
for managing and monitoring the use of network operating system
software shall be reviewed.
- Verify that all of the changes, made at the user department
sites and by the CTIS department to the operating system software
used by the University's distributed data processing network,
are controlled by the department and that any unauthorized changes
can be detected promptly by those department staff members who
are responsible for managing the operations of the network.
Control Objective: Logical access to the University's
computing resources should be restricted by the use of a password
associated with access rules.
Audit Guideline: The CTIS department's procedures
for password use and other logical restrictions on access to computer
resources shall be examined.
- Review the CTIS department's procedure for adding individuals
to the list of those authorized to have access to computer resources,
changing their access capabilities, and deleting them from this
list.
- Review the CTIS department's procedure for issuing passwords
to ensure that individual passwords are not disclosed inadvertently
and determine if -- and when -- individuals are required to change
newly assigned passwords.
- Determine if the password issued by the CTIS department are
of adequate length, cannot be easily guessed, and do not contain
repeating characters.
- Ascertain if the CTIS department's procedure requires that
passwords be changed periodically and that particular passwords
cannot be reused by the same individual.
- Verify that the CTIS department's procedures assure that passwords
are not displayed during the logon process, are not printed on
output, and are stored by data processing operations in an encrypted
file.
- Determine if users are restricted by CTIS department procedures
to specific terminals, time of day, and days of the week where
exposures warrant additional access controls.
- Interview selected users either in person or via e-mail to
determine when passwords were last changed.
- In a department where an employee has recently terminated
employment, determine if the employee's password has been deleted.
- Determine how access to password tables is restricted. Determine
if access is restricted to only those who really need access to
the table.
- Determine if users are logged-off automatically under CTIS
department procedures if they have not been active for a specific
length of time -- usually expressed in minutes of inactivity.
- Determine if the University's user department management periodically
validates the access capabilities currently provided to individuals
in their department.
- Determine if the University's user department procedures provide
for prompt cancellation of identification codes and passwords
when the employment of the individual to whom they are assigned
has been terminated.
- Determine whether CTIS department procedures provide for the
suspension of user identification codes or the disability of terminal,
microcomputer, or data entry device activity after a particular
number of security procedure violations. Test to see that there
is a limit on the number of unsuccessful attempts to sign on.
Control Objective: The CTIS department's information
security procedures should assure that violation and security
activity reports are reviewed regularly to identify and resolve
incidents involving unauthorized activity.
Audit Guideline: The adequacy and effectiveness
of the CTIS department's procedures for reviewing and resolving
reports of security violations and associated activities shall
be examined.
- Review the CTIS department's procedures for reviewing and
resolving reports of information security violations and verify
that these are being applied.
- Determine if changes t the CTIS department's records of security
violations are recorded and that these changes are reviewed by
an independent individual and verify that documents authorizing
these file changes exist.
- Determine if the CTIS department's records of security violations
are protected from accidental or intentional destruction.
Control Objective: The CTIS department should establish
automated rules governing access to its computing resources.
Audit Guideline: The CTIS department's procedures
for granting access to its computing resources including TCP/IP
screens shall be examined.
- Determine if the CTIS procedures provide that authorized users
of its computing resources must be given specific permission to
access particular resources, including data files, application
processing programs, the operating system, and various commands.
- Determine if documentation exists justifying the users' needs
and authorization to access specific information system resources.
- Review procedures for emergency or temporary access to information
system resources. Determine if special authorization must be obtained,
only temporary access is granted, and management is notified of
the access. Verify that temporary access is granted infrequently.
- Verify that separation of duties among the information system
functions is maintained by the access control system and determine
that systems programmers and application programmers do not have
access to production programs and data.
Control Objective: In an on-line data processing
environment, the CTIS procedures should provide access security
control based on the individual's demonstrated need to view, add,
change, or delete data.
Audit Guideline: The CTIS procedures for authorizing
access to an on-line data processing environment (TCP/IP) shall
be reviewed.
- Determine if the CTIS procedures for authorizing access to
an on-line processing environment (TCP/IP) permits limiting the
functions of viewing, adding, changing, and deleting data, and
restricting individual access to only the data transactions with
a demonstrated need for such access.
- Determine if the University's user department management periodically
validates the access capabilities currently provided to the on-line
data processing environment (TCP/IP) for individual in their department.