Date: Wed, 11 Aug 1999 09:47:16 -0600
From: Bob Grossberg <robert.grossberg@DB.COM>

Internet Security Audit Program

1. Search Internet for historical background information
   Purpose: Provide historical background of the Internet and World Wide Web
   Details: Use search engine(s) to find information

2. Interview key personnel
   Purpose: Gain understanding of internal Internet capabilities for employees to access the Internet
   Details: Meet with and interview those involved with Internet access and the system

3. Obtain documentation and descriptions
   Purpose: Document internal Internet access Policy & Procedures
   Details: Obtain Policy & Procedures

4. Review Company Internet Policy
   Purpose: Review the Company's Internet Policy
   Details: Obtain a copy of the policy and review it

5. Interview key personnel
   Purpose: Confirm understanding of Internet access and the systems involved with those responsible for them
   Details: Meet with and interview those involved with Internet access and the system

6. Obtain documentation and descriptions
   Purpose: Document internal Internet access Policy & Procedures
   Details: Obtain Policy & Procedures

7. Interview key personnel
   Purpose: Establish technical background
   Details: Meet with those involved with Internet access and maintenance

8. Determine system specifications
   Purpose: Establish hardware and software used
   Details: Specifications for hardware used for the web server and Internet access; software used for the web server, firewalls and website

9. Obtain system documentation, specifications, and descriptions
   Purpose: Document technical architecture of the Internet system
   Details: Obtain documentation for:
      - hardware installation
      - software installed
      - firewall parameters
      - usage statistics for internal access and external access

10. Select a sample of policies
    Purpose: Select a sample of policies to verify values
    Details: Select a judgmental sample of 6 policies in conjunction with the financial auditor's current work

11. Determine policy values from mainframe records
    Purpose: Establish actual policy values from mainframe records to compare with website values
    Details: Use One Stop to determine actual policy values

12. Agree policy values from website
    Purpose: Determine whether policy values shown on the website are accurate
    Details: Determine policy values from the website and agree them to the values determined from mainframe records

13. Determine security features
    Purpose: Determine security features utilized when accessing policy information from the website
    Details: Inspect the web page used to access policy information; interview the Director - Electronic Commerce

14. Test access security features
    Purpose: Determine if website security features are active and prevent unauthorized access
    Details: Try to log on and gain access to policy information without proper authorization

15. Determine how policy requests are passed to the mainframe
    Purpose: Evaluate security access controls for website requests of policy data
    Details: Interview Electronic Commerce and Network Services to determine how policy information requests are passed from the website through to the mainframe

16. Evaluate logical security over mainframe requests
    Purpose: Evaluate security access controls for website requests of policy data
    Details: Verify that current access security for policy information requests from the website is in place

17. Review Authorization Procedure
    Purpose: Determine procedures to gain authorized Internet access
    Details: Obtain and review Internet access procedures

18. Obtain & Verify Authorization List
    Purpose: Determine employees who have properly authorized Internet access
    Details: Obtain the list and verify that the employees on it were properly authorized

19. Verify Authorization Process
    Purpose: Determine that only those properly authorized have Internet access
    Details: Determine if any non-authorized employees have Internet access

20. Determine procedures used to monitor Internet activity
    Purpose: Establish methodologies for monitoring employee Internet activity
    Details: Evaluate methods used to ensure that employee access is for legitimate, authorized business purposes

21. Obtain and review access logs from firewall
    Purpose: Ensure that employee Internet access is for legitimate, authorized business purposes
    Details: Review employee access

22. Evaluate any questionable entries from access log
    Purpose: Ensure that employee Internet access is for legitimate, authorized business purposes
    Details: Identify the website (destination) for any questionable entries and determine whether the access had a business purpose

23. Determine if any unauthorized access has occurred
    Purpose: Ensure that only properly authorized employees are accessing the Internet
    Details: Cross-reference Internet accesses from the firewall log to the authorized employee list

24. Obtain alarm settings from firewall
    Purpose: Determine that questionable access and attempts are monitored and investigated
    Details: Obtain current alarm settings from the firewall

25. Verify that alarms are functioning properly
    Purpose: Determine that questionable access and attempts are monitored and investigated
    Details: Attempt Internet access that is not allowed; observe alarm function

26. Determine current Firewall settings
    Purpose: Determine that the firewall is configured to adequately protect Internet access and company data
    Details: Obtain current firewall settings from the Information Systems representative

27. Evaluate current settings
    Purpose: Determine that the firewall is configured to adequately protect Internet access and company data
    Details: Examine firewall settings and evaluate whether they are set appropriately

28. Verify current authorized administrator(s)
    Purpose: Ensure that only properly authorized personnel are firewall administrators
    Details: Obtain the administrator list from the firewall and verify authorization

29. Verify process for authorizing and adding administrators
    Purpose: Determine that adequate procedures exist to allow only properly authorized personnel to be added as firewall administrators
    Details: Evaluate procedures used to authorize and add firewall administrators

30. Obtain equipment inventory
    Purpose: Determine that Internet servers are physically secured and protected
    Details: Obtain inventory of Internet equipment

31. Verify location of equipment
    Purpose: Determine that Internet servers are physically secured and protected
    Details: Inspect equipment to verify that it is accounted for and is in a secured and protected environment

32. Determine physical connections to servers
    Purpose: Determine that Internet servers are physically secured and protected
    Details: Ensure that all communication lines into the servers are identified, authorized and secured
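Steps 21 to 25 of the program (review the firewall access log, identify questionable entries and the website behind them, cross-reference accesses to the authorized-employee list, and check that blocked attempts raise an alarm) are the part of the audit that can be mechanised once the log has been exported. The script below is an added example and is not part of Bob Grossberg's audit program or of any firewall product; it assumes a constructed one-line log format, a constructed static address-to-employee table (the assumption that lets a source address be attributed to a person), a constructed authorized list standing in for the list obtained in step 18, and a constructed table of destinations already identified as business sites. The sample log lines are constructed too, and one of them is deliberately malformed so that the handling of unparseable evidence is visible.

```python
"""Cross-reference a firewall access log against the authorised-employee list.

Added example for audit steps 21 to 25. Everything here is constructed for
illustration: the one-line log format, the address-to-employee table, the
authorised list and the known-site table are assumptions, not data from the
original audit program or any real firewall.
"""
import re

# Constructed log format: "<timestamp> <accept|drop> src=IP dst=IP dport=N".
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>accept|drop) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Constructed sample log. Line 6 is deliberately malformed so the parser's
# handling of unparseable evidence is exercised.
SAMPLE_LOG = """\
1999-08-10 09:14:02 accept src=10.1.4.22 dst=203.0.113.10 dport=80
1999-08-10 09:15:40 accept src=10.1.4.23 dst=203.0.113.20 dport=80
1999-08-10 09:16:11 drop src=10.1.4.23 dst=198.51.100.7 dport=6667
1999-08-10 09:20:05 accept src=10.1.4.40 dst=203.0.113.10 dport=80
1999-08-10 09:21:30 accept src=10.1.4.51 dst=198.51.100.9 dport=443
this line is not in the expected format
"""

# Constructed: static internal address assignments, the authorised list from
# step 18, and the destinations already identified as business sites.
ADDRESS_TO_EMPLOYEE = {"10.1.4.22": "jsmith", "10.1.4.23": "mlee", "10.1.4.40": "rpatel"}
AUTHORIZED_EMPLOYEES = {"jsmith", "mlee"}          # rpatel was never authorised
KNOWN_SITES = {"203.0.113.10": "news.example.com", "203.0.113.20": "vendor.example.net"}
WEB_PORTS = {80, 443}


def parse_log(text):
    """Return (entries, malformed). Malformed lines are reported, never dropped
    silently: an auditor must account for every line of evidence."""
    entries, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LOG_LINE.match(line)
        if m is None:
            malformed.append((lineno, line))
            continue
        entry = m.groupdict()
        entry["dport"] = int(entry["dport"])
        entries.append(entry)
    return entries, malformed


def find_unauthorized(entries, address_to_employee=ADDRESS_TO_EMPLOYEE,
                      authorized=AUTHORIZED_EMPLOYEES):
    """Step 23: accepted connections whose source cannot be tied to an
    authorised employee. Dropped attempts are handled by questionable_entries."""
    findings = []
    for e in entries:
        if e["action"] != "accept":
            continue
        who = address_to_employee.get(e["src"])
        if who is None:
            findings.append((e["ts"], e["src"], None, "source address not assigned to any employee"))
        elif who not in authorized:
            findings.append((e["ts"], e["src"], who, "employee not on authorized list"))
    return findings


def questionable_entries(entries, known_sites=KNOWN_SITES):
    """Steps 22 and 25: entries needing follow-up, with the website resolved where
    the destination is already known (None means the auditor must still resolve it)."""
    flagged = []
    for e in entries:
        site = known_sites.get(e["dst"])
        if e["action"] == "drop":
            reason = "connection blocked by firewall; check that an alarm was raised"
        elif site is None:
            reason = "destination not an identified business site"
        elif e["dport"] not in WEB_PORTS:
            reason = "non-web port"
        else:
            continue
        flagged.append((e["ts"], e["src"], e["dst"], site, reason))
    return flagged


def access_summary(entries, address_to_employee=ADDRESS_TO_EMPLOYEE, known_sites=KNOWN_SITES):
    """Step 21: accepted accesses per employee (or per unassigned address)."""
    summary = {}
    for e in entries:
        if e["action"] != "accept":
            continue
        who = address_to_employee.get(e["src"], "unassigned:" + e["src"])
        summary.setdefault(who, set()).add(known_sites.get(e["dst"], e["dst"]))
    return summary


if __name__ == "__main__":
    entries, malformed = parse_log(SAMPLE_LOG)
    for lineno, line in malformed:
        print("UNPARSED line %d: %r" % (lineno, line))
    for who, sites in sorted(access_summary(entries).items()):
        print("%-22s %s" % (who, ", ".join(sorted(sites))))
    for f in find_unauthorized(entries):
        print("UNAUTHORIZED", f)
    for q in questionable_entries(entries):
        print("QUESTIONABLE", q)
```

Two design points matter for the audit rather than the code. First, the attribution of a source address to a person is only as good as the address-assignment records; where addresses are assigned dynamically, the firewall log must be joined to the address-lease or proxy-authentication records for the same period before step 23 means anything. Second, unparseable log lines are reported rather than skipped, because a gap in the evidence is itself a finding about the monitoring process in step 20.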