Network Engineering & Operations Audit Program

Contributed January 12, 2001 by Edward Ettorre

Done W/P W/P Review W/P Obj By Date Ref. Review Date Comment Reviewer

Objectives

A. The primary objectives of the Network Engineering and Operations Audit are to determine whether:
   - the networks and associated components are configured, tested and reliable prior to being placed into production;
   - the network's resources are appropriately monitored; and
   - adequate controls are in place to ensure the security and recoverability of the networks.

Procedures:

I. General

A. Conduct meeting with Network Engineering & Operations (NE&O) management and staff.
   ______ ____ ____ ___________ _______ ________
B. Review all sources for important information on the Network Engineering & Operations Department.
   ______ ____ ____ ___________ _______ ________
C. Issue a Risk Management Questionnaire to NE&O management soliciting their concerns about networks.
   ______ ____ ____ ___________ _______ ________
D. From the meetings in steps I.A and I.B above, document the current network configuration including, but not limited to, critical failure points within it.
   ______ ____ ____ ___________ _______ ________

II. WAN/LAN Planning and Design

A. Based upon the above information gathered, judgmentally select three of the critical networks currently in production from the NT domains.
   ______ ____ ____ ___________ _______ ________
B. For the selected WAN/LAN, review the process used by NE&O to design and plan for it.
   ______ ____ ____ ___________ _______ ________
   1. Verify that adequate documentation is on file to demonstrate NE&O efforts.
      ______ ____ ____ ___________ _______ ________
   2. Determine if user needs were documented and included in the proposal.
      ______ ____ ____ ___________ _______ ________
   3. Verify that appropriate security was designed into the WAN/LAN.
      ______ ____ ____ ___________ _______ ________
C. Conclude on the adequacy of the controls over WAN/LAN Planning and Design.
   ______ ____ ____ ___________ _______ ________

III. WAN/LAN Performance and Control

A. Review the network structure, including hardware and software in place, to ensure its compatibility with the existing environment.
   ______ ____ ____ ___________ _______ ________
B. Verify if NE&O management monitors the performance of the network.
   ______ ____ ____ ___________ _______ ________
   1. Document the reports generated on the network's performance.
      ______ ____ ____ ___________ _______ ________
   2. Verify that reports include information on disk capacity, response times and other potential exposures. Also, verify that these reports are reviewed and monitored by NE&O management for exception conditions and potential problems.
      ______ ____ ____ ___________ _______ ________
   3. Verify that the network is being supported by the appropriate number of administrators and that there is not an excessive number of administrative IDs on the network.
      ______ ____ ____ ___________ _______ ________
   4. Conclude on the adequacy of the controls over WAN/LAN Performance and Control.
      ______ ____ ____ ___________ _______ ________
C. WAN/LAN Management and Security
   1. Verify that procedures are in place to grant and restrict access for the selected WAN/LAN.
      ______ ____ ____ ___________ _______ ________
   2. Obtain a listing of current users with access to the selected WAN/LAN and verify that those listed are all active associates or temporary vendors with a valid need for access.
      ______ ____ ____ ___________ _______ ________
   3. Review the process in place to ensure the security of the selected WAN/LAN.
      ______ ____ ____ ___________ _______ ________
   4. Verify that Virus Detection software is running on the selected WAN/LAN.
      ______ ____ ____ ___________ _______ ________
   5. Verify that access to the selected WAN/LAN from external connections is appropriately restricted.
      ______ ____ ____ ___________ _______ ________
   6. Verify if encryption or packet switching protocols are used to protect confidential data on the selected WAN/LAN.
      ______ ____ ____ ___________ _______ ________
   7. Working with the Data Security Department, run scans of the WAN/LAN environment checking for open security exposures that have not been identified and addressed.
   8. Conclude on the adequacy of the controls over WAN/LAN Management and Security.
      ______ ____ ____ ___________ _______ ________
D. WAN/LAN Disaster Recovery/Business Continuity
   1. Verify that backups are created for the selected WAN/LAN.
      ______ ____ ____ ___________ _______ ________
   2. Document if backups are stored in an adequate facility.
      ______ ____ ____ ___________ _______ ________
   3. Determine when the backup/restore capabilities were last tested.
      ______ ____ ____ ___________ _______ ________
   4. Review if the selected WAN/LAN has an uninterruptible power supply system and that the WANs/LANs have been considered as part of the Business Continuity Plan.
      ______ ____ ____ ___________ _______ ________
   5. Conclude on the adequacy of the controls over WAN/LAN Disaster Recovery/Business Continuity.
      ______ ____ ____ ___________ _______ ________

IV. Other

A. Perform additional testing as deemed necessary.
   ______ ____ ____ ___________ _______ ________
B. Based upon the results of all the above testing, conclude on the overall adequacy of controls within the NE&O environment and prepare findings and recommendations as appropriate.
   ______ ____ ____ ___________ _______ ________
C. Conduct exit conference meeting with involved personnel.
   ______ ____ ____ ___________ _______ ________
D. Draft and issue report on results of audit.
   ______ ____ ____ ___________ _______ ________

The objectives, scope and approach for this audit have been approved.

_________________________________ __________________
Approved by                       Date

To be completed after all fieldwork has been performed.

This audit program section has been completed in accordance with IAD standards.

_________________________________ __________________
Done by                           Date

_________________________________ __________________
Approved by                       Date