Contributed 8/29/00 by Carolann Lazurus (Clazarus@business.buffalo.edu)

Internal Audit LAN Review ICQ

LAN Server Reviewed: _____________
Respondent: _____________
Date: _____________

MANAGEMENT & ADMINISTRATION

Organizational

1) Are standards and policies for general network control clearly established, current and operating? Do they cover:
   procedures to be followed in the selection, acquisition and installation of LANs;
   standards of network architecture to be supported;
   documentation of the actual LAN installation;
   data security and confidentiality;
   backup and recovery guidelines;
   file naming conventions;
   hardware and software inventory controls;
   software licensing;
   personal use;
   problem reporting;
   System Administrator responsibilities?
2) Are these policies and guidelines distributed to the appropriate levels of management?
3) Has the document "University Policies Regarding Data Security, Access, and Acceptable Use of University Information" been put into use?
4) Has management developed a strategic plan for utilizing LAN technology?
5) Is there a formal job description for the LAN Administrator? (Obtain a copy.)

Operational

6) Is vendor reliability / support considered before purchasing LAN hardware and software?
7) Are there periodic reviews of the capacity of the LAN to ensure adequate response time and sufficient disk storage space?
8) Are management reports (either manual or system-generated) produced and reviewed: capacity planning, user summary, problem logs, acquisition justifications, other?
9) Is there a designated LAN administrator?
10) Are system administration and operations procedures documented?
11) Is the LAN administrator experienced in operating a LAN facility?
12) Does the LAN administrator have a backup person?
13) Are there LAN maintenance procedures?
14) Do the existing LAN maintenance procedures include periodic assessments of network performance, including LAN utilization, to prevent problems?
15) Is accounting data used to note: high connect time; high-volume reads and writes; excessive use of disk storage; excessive use of printer resources?
16) Is there regular / scheduled preventive maintenance on the components?
17) Are users informed of their rights and responsibilities, including awareness of penalties for misuse of IS resources?
18) Does a training program exist for the LAN Administrator and users of the LAN that provides the required skills?

LAN Change Control

19) Are LAN change controls in place, and do they include: reason for change; cost justification; effect on users; installation, test and conversion plan; timeframe and responsibilities by individual; budget provision; disaster preparedness consideration; appropriate management review and sign-off; approval to acquire necessary components; post-implementation review?
20) Are any needed backup procedures considered before a change to a LAN is implemented?
21) Is adequate notice given to LAN users before a network change is made?
22) Are changes scheduled for low-volume / off hours?
23) Are changes tracked such that a current status of all maintenance projects is available?

Logical Security

24) Is a standard form used to document requests for the addition, change or deletion of LAN access capabilities?
25) If so, does this form include a review and approval process?
26) Does security management include:
   use of unique userIDs and passwords;
   required password changes;
   data and/or passwords encrypted;
   audit trail of log-in and log-out;
   diskless workstations;
   workstation disabled after 3-6 unauthorized logon attempts;
   off-site log-on capability restricted;
   automatic logoff after a short period of inactivity;
   monitoring access / use of LAN resources;
   personnel practices?
27) Are any group or shared userIDs allowed?
28) Are access privileges granted on a LAN user's need to know?
29) Are there procedures to restrict users to valid sessions (operating hours, workstation assignment, resource usage, other)?
30) Is there an automated method in use for restricting, identifying and reporting authorized / unauthorized users of the LAN?
31) Are user profiles reviewed and updated periodically?
32) Is use of "visitor" and "guest" accounts limited (either removed, or assigned a unique password at time of sign-on that is limited to one-time use)?
33) Are procedures in place to control the LAN Administrator's access capabilities: set up new users; change addresses; propagate functions; provide access capability; queue management; file expiry; restrict files, directories and servers?

Physical Security

34) Are output devices in a secure area that limits access to those authorized?
35) Is the LAN server(s) secured from unauthorized individuals?
36) Is the LAN server protected from damage resulting from electric power surges / spikes?
37) Is the cabling secured to limit exposure to accidental disconnection, disturbance, or tampering?
38) Is other hardware, such as bridges, gateways and routers, secured to limit exposure to tampering or other damage?
39) Are the wiring closets secure from unauthorized access?
40) Are fire controls in place for the wiring closets?
41) Is critical equipment protected from theft through the use of anti-theft engraving, installation of locking devices, and updated inventory records?

Contingency

42) Is virus checking software in use?
43) Are all the departmental computers and LANs regularly checked for the presence of viruses?
44) Is the LAN administrator, or responsible individual, involved in groups which share virus prevention and detection information?
45) Are users informed of virus potential and preventive measures?
46) Is there a complete inventory of all files associated with the system: operating systems; purchased software; data files; in-house programs?
47) Are backup and recovery procedures documented? Do they identify: backups of user, system and program files; offsite storage; emergency equipment replacement; duplicated site; inventory and schematic of the network; personnel to contact?
48) Are recovery procedures tested periodically, in addition to when implemented and after significant system changes?
49) Are critical files identified and backed up?
50) Are critical backups stored off-site?
51) Is there alternate routing if cabling is corrupted, or the primary path is unavailable?
52) Has the loss of the wiring closet been considered in the contingency plan?
53) Are there sufficient spare parts on hand or readily available to back up connector hardware?
54) Is there backup equipment for the server?
55) Is a problem log maintained?
56) If so, is it reviewed by management, and does it include: problem identifiers; corrective action; sign-off by LAN supervisor or manager?
57) Are network restarts logged with the date, time, and reason?
58) Are there procedures for restarts?

Software

59) Are users prohibited from using unlicensed software or software downloaded from unofficial sources?
60) Is a list of licensed software maintained for each LAN?
61) Is a copy of the software licenses readily available?
62) Is a self-audit of installed software performed?
63) Are there policies and procedures concerning software acquisition?
64) Are software monitors installed on each server on the LAN?
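Items 26, 27, 29 and 30 of the Logical Security section ask whether account lockout, operating-hours restrictions and unique userIDs are actually in force, and whether unauthorized use is identified and reported automatically rather than by reading the log by hand. The following is an added example, not part of the original checklist and not tied to any particular LAN operating system, of how an auditor might test those three controls against an exported logon/logoff audit trail. The log format, the event names LOGIN_OK / LOGIN_FAIL / LOGOUT, the 07:00-19:00 operating-hours window and the three-attempt lockout threshold are all assumptions, and the sample log lines are constructed for the example.

```python
"""Audit-trail review for the Logical Security items of the LAN checklist.

Added example. The log layout, event names and thresholds below are
assumptions chosen for illustration, not the format of any real LAN server.
"""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample audit trail, one event per line:
#   <date> <time> <event> <userID> <workstation>
SAMPLE_LOG = """\
2000-08-29 08:02:11 LOGIN_OK   jsmith  WS-114
2000-08-29 08:03:05 LOGIN_FAIL rlee    WS-201
2000-08-29 08:03:19 LOGIN_FAIL rlee    WS-201
2000-08-29 08:03:41 LOGIN_FAIL rlee    WS-201
2000-08-29 08:04:02 LOGIN_FAIL rlee    WS-201
2000-08-29 08:04:30 LOGIN_OK   rlee    WS-201
2000-08-29 09:15:00 LOGIN_OK   acctg   WS-301
2000-08-29 09:20:00 LOGIN_OK   acctg   WS-302
2000-08-29 12:00:00 LOGOUT     acctg   WS-301
2000-08-29 17:30:00 LOGOUT     jsmith  WS-114
2000-08-29 22:45:10 LOGIN_OK   jsmith  WS-114
2000-08-29 23:10:00 LOGOUT     jsmith  WS-114
2000-08-30 06:00:00 LOGOUT     acctg   WS-302
"""

LOCKOUT_THRESHOLD = 3                        # item 26: disable after 3-6 bad attempts (assumed: 3)
OPERATING_HOURS = (time(7, 0), time(19, 0))  # item 29: assumed policy window


def parse_log(text):
    """Turn the raw trail into (timestamp, event, userID, workstation) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date_s, time_s, event, user, ws = line.split()
        ts = datetime.strptime(f"{date_s} {time_s}", "%Y-%m-%d %H:%M:%S")
        events.append((ts, event, user, ws))
    return events


def lockout_not_enforced(events, threshold=LOCKOUT_THRESHOLD):
    """Item 26: userIDs that reached `threshold` consecutive failed logons and
    were still allowed to log on afterwards, i.e. no lockout took effect.
    Returns {userID: length of the failed streak}."""
    streak = defaultdict(int)
    findings = {}
    for _ts, event, user, _ws in events:
        if event == "LOGIN_FAIL":
            streak[user] += 1
        elif event == "LOGIN_OK":
            if streak[user] >= threshold:
                findings[user] = streak[user]
            streak[user] = 0
    return findings


def off_hours_logins(events, window=OPERATING_HOURS):
    """Item 29: successful logons outside the operating-hours window."""
    start, end = window
    return [(user, ts) for ts, event, user, _ws in events
            if event == "LOGIN_OK" and not (start <= ts.time() < end)]


def concurrent_sessions(events):
    """Item 27: userIDs logged on from two workstations at once, the usual
    footprint of a shared or group ID."""
    open_ws = defaultdict(set)
    findings = set()
    for _ts, event, user, ws in events:
        if event == "LOGIN_OK":
            open_ws[user].add(ws)
            if len(open_ws[user]) > 1:
                findings.add(user)
        elif event == "LOGOUT":
            open_ws[user].discard(ws)
    return findings


def review(text):
    """Item 30: one automated report covering the three checks above."""
    events = parse_log(text)
    return {
        "lockout_not_enforced": lockout_not_enforced(events),
        "off_hours_logins": [(u, ts.strftime("%Y-%m-%d %H:%M"))
                             for u, ts in off_hours_logins(events)],
        "concurrent_sessions": sorted(concurrent_sessions(events)),
    }


if __name__ == "__main__":
    for check, result in review(SAMPLE_LOG).items():
        print(f"{check}: {result}")
```

Run against the constructed trail, the report shows rlee logging on after four failures (the 3-6 attempt lockout in item 26 did not fire), jsmith logging on at 22:45 outside the assumed operating hours, and acctg holding sessions on two workstations at once, which is the evidence an auditor would attach to a "no" answer for item 27. Each finding is returned as data rather than printed, so the same functions can be pointed at a real export once the field order is adjusted to the server's own log format.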