Originally prepared: (date please provide)
Contributed 8/98 by Enrique Leon (Organization Name)
Email: LEONENRI@MATTEL.COM

CORPORATE INTERNAL AUDIT
Audit Programme Title: Lotus Notes Audit - XXX
Audit Number: xx-xx-xx
Location: xxxxxxxxxx
Start Date: xxxxx
Auditor: xxxx

1 PROCEDURES

Determine that policies, standards and procedures exist. Identify procedures for the following:
1.1 User registration and certification, including servers, groups and users.
1.2 Access violation management, including monitoring, reporting and resolution.
1.3 Maintenance of *.INI files and databases, including the NAB.
1.4 Backup and archiving.

2 SECURITY MANAGEMENT & ADMINISTRATION

Determine that policies, standards and procedures are current, complete and accurate.
2.1 Determine that policies, standards and procedures have been identified and properly implemented.
2.2 Determine whether recurring or otherwise time-critical tasks are documented and carried out.
2.3 Determine the appropriateness of any security awareness programme for users and administrators.
2.4 Determine the roles and responsibilities of Lotus Notes Group members.
2.5 Determine whether administrators are trained and certified.

Determine whether system activity and transactions are adequately monitored.
2.6 Determine whether audit trails are defined and implemented.
2.7 Determine whether transaction and security reports are implemented.
2.8 Determine whether access violations are logged, monitored and resolved.

Determine whether the environment is properly maintained and in a timely manner.
2.9 Determine whether technical support is adequate.
2.10 Determine whether access privileges are updated upon employee transfer or termination. Ensure that the established procedures for deactivating employees are followed.
2.11 Review replication schedules. Print out the Server Document and check the schedule times and the number of connections per server; confirm that schedules are staggered and do not overlap, and that there are no multiple connections to the same server over different ports.
2.12 Review LOG.NSF for each server to ensure that replication is functioning correctly, mail is routing properly and servers are not overloaded.
2.13 Review access to the NAB: print out the ACL and check access levels. Note: only XXXXX should have modify access to the NAB; ensure no local changes are made.

3 LOGICAL ACCESS

Determine whether access to information assets is properly authorised.
3.1 Check the NAB for attached files. Note: ID files are not supposed to be attached to the XXXXX NAB, as anyone can detach them.
3.2 Determine whether requests for access are recorded and approved.
3.3 Determine whether licences are in place for all users.

Determine whether access to information assets is properly restricted.
3.4 Determine whether transactions are protected with point-to-point encryption.
3.5 Determine whether standard access rules are defined.
3.6 Determine whether access to MAIL.BOX is properly restricted.
3.7 Review the use of ACLs: look for the use of groups rather than individuals; obtain justification for the use of individuals rather than groups; obtain justification for privileged access.

Determine whether external access is properly restricted.
3.8 Determine whether firewalls have been implemented.
3.9 Determine whether antivirus software is installed on all platforms.
3.10 Determine to what degree executable programs are allowed to be uploaded.

4 PHYSICAL ACCESS

Determine whether access to computing resources is properly restricted.
4.1 Determine whether servers are properly secured. Evaluate the use of physical security over the environment, i.e. locks, badge readers, special enclosures, alarms or other forms of access control.
4.2 Determine whether the administrator USER.ID file is properly secured.
4.3 Determine whether communications equipment is adequately secured.

5 ENVIRONMENT

Gather and analyse information pertinent to the definition of hardware platforms, and identify any inherent risks or exposures.
5.1 Obtain network topology diagrams. Identify all platforms and communication links. Determine the accuracy of the documentation.
5.2 Determine whether platforms meet the standards set by the company.
5.3 Determine whether hardware is adequate to meet the needs of the users.
5.4 Determine whether adequate fire, smoke and water detection devices are used, with the necessary means of extinguishing fires and removing smoke and water. Determine that the devices are tested and certified regularly.
5.5 Determine whether faults are recorded and reviewed.
5.6 Determine whether software and hardware maintenance agreements are adequate to support the anticipated levels of business continuity.
5.7 Determine whether the current environment can support expansion.
5.8 Determine that hardware and software documentation is up to date.
5.9 Review housekeeping at server locations.

6 BACKUP AND RECOVERY

Determine that service can be restored in the event of data loss or disaster.
6.1 Review the backup and recovery procedures. Ensure that the NAB is adequately backed up (ensure that any shared mail is also backed up).
6.2 Review the system contingency / disaster recovery plans. Determine that the documentation describing system recovery in the event of data loss or disaster is sufficient.
6.3 Determine whether the disaster recovery plan has been tested.
6.4 Review the retention of backups.
6.5 Determine the use of remote site storage facilities.
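The replication schedule checks in audit point 2.11 (connections per server, staggered and non-overlapping windows, no multiple connections to one server over different ports) can be applied mechanically once the printed schedule entries are transcribed. The following is an added Python example, not part of the original audit programme; the server names, ports and times in CONNECTIONS are constructed sample values and the field names are assumptions.

```python
from collections import defaultdict

# Constructed sample of replication schedule entries as an auditor might
# transcribe them from a printout (servers, ports and times are made up).
CONNECTIONS = [
    {"source": "HUB/ACME", "dest": "MAIL1/ACME", "port": "TCPIP", "start": "08:00", "end": "10:00"},
    {"source": "HUB/ACME", "dest": "MAIL2/ACME", "port": "TCPIP", "start": "09:00", "end": "11:00"},
    {"source": "HUB/ACME", "dest": "MAIL2/ACME", "port": "SPX",   "start": "12:00", "end": "13:00"},
    {"source": "HUB/ACME", "dest": "APPS1/ACME", "port": "TCPIP", "start": "14:00", "end": "15:00"},
]

def _minutes(hhmm):
    """Convert 'HH:MM' to minutes since midnight for window comparison."""
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)

def connections_per_server(conns):
    """Count outbound connections per source server."""
    counts = defaultdict(int)
    for c in conns:
        counts[c["source"]] += 1
    return dict(counts)

def multi_port_pairs(conns):
    """Flag source/destination pairs that are connected over more than one port."""
    ports = defaultdict(set)
    for c in conns:
        ports[(c["source"], c["dest"])].add(c["port"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) > 1}

def overlapping_schedules(conns):
    """Flag pairs of connections from the same source whose time windows overlap;
    schedules should be staggered so a server is not replicating to two
    destinations at once. Returns (source, dest_a, dest_b) tuples."""
    findings = []
    by_source = defaultdict(list)
    for c in conns:
        by_source[c["source"]].append(c)
    for src, docs in by_source.items():
        for i, a in enumerate(docs):
            for b in docs[i + 1:]:
                # Two windows overlap when each one starts before the other ends.
                if _minutes(a["start"]) < _minutes(b["end"]) and _minutes(b["start"]) < _minutes(a["end"]):
                    findings.append((src, a["dest"], b["dest"]))
    return findings

if __name__ == "__main__":
    print(connections_per_server(CONNECTIONS))
    print(multi_port_pairs(CONNECTIONS))
    print(overlapping_schedules(CONNECTIONS))
```

Each non-empty result is a working-paper finding to raise with the Notes administrators, not a conclusion by itself; a second port may be a deliberate fallback route.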
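Audit points 2.13 and 3.7 both come down to reading a printed ACL against three questions: which entries are individuals rather than groups, which entries can modify the database without being on the approved list, and which entries hold privileged (Designer or Manager) access. The following is an added Python example, not part of the original audit programme; the ACL entries and the approved-modifier list (standing in for the "XXXXX" of 2.13) are constructed assumptions.

```python
# Notes database access levels in ascending order of privilege.
ACL_LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]

# Constructed sample ACL printout for a NAB (names made up; "type" is the
# user type shown against each ACL entry).
NAB_ACL = [
    {"name": "-Default-",          "type": "Unspecified",  "level": "Reader"},
    {"name": "Anonymous",          "type": "Unspecified",  "level": "No Access"},
    {"name": "LocalDomainServers", "type": "Server group", "level": "Manager"},
    {"name": "NotesAdmins",        "type": "Person group", "level": "Manager"},
    {"name": "HelpDesk",           "type": "Person group", "level": "Editor"},
    {"name": "Jane Doe/ACME",      "type": "Person",       "level": "Editor"},
    {"name": "Joe Bloggs/ACME",    "type": "Person",       "level": "Reader"},
]

# Assumed list of entries permitted to modify the NAB (the "XXXXX" of 2.13).
APPROVED_MODIFIERS = {"LocalDomainServers", "NotesAdmins"}

def rank(level):
    """Numeric position of an access level, so levels can be compared."""
    return ACL_LEVELS.index(level)

def review_acl(acl, approved_modifiers):
    """Return findings keyed by the audit question they answer:
    individuals       - person entries that need justification (3.7)
    unapproved_modify - Editor or above, not on the approved list (2.13)
    privileged        - Designer or Manager, needing justification (3.7)"""
    findings = {"individuals": [], "unapproved_modify": [], "privileged": []}
    for entry in acl:
        name, level = entry["name"], entry["level"]
        if entry["type"] == "Person":
            findings["individuals"].append(name)
        if rank(level) >= rank("Editor") and name not in approved_modifiers:
            findings["unapproved_modify"].append(name)
        if rank(level) >= rank("Designer"):
            findings["privileged"].append(name)
    return findings

if __name__ == "__main__":
    for question, names in review_acl(NAB_ACL, APPROVED_MODIFIERS).items():
        print(f"{question}: {names}")
```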