
Internal IT Security Audit Checklist?

  • 01-05-2008 8:26am
    #1
    Registered Users, Registered Users 2 Posts: 525 ✭✭✭


    Hi,

    I was wondering if anybody knew of a good checklist/style thing of areas to check when doing an Internal IT security audit? I'm in a new role and I'm trying to do up a list of things that will need to be examined from a security point of view. Any help appreciated.


Comments

  • Registered Users, Registered Users 2 Posts: 2,187 ✭✭✭ondafly


    I guess use ISO27001 as a checklist of sorts. Plenty of ideas/suggestions within that framework.


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    Start by applying for jobs you can do and let people who know the job you're trying to do do it.


  • Registered Users, Registered Users 2 Posts: 68,317 ✭✭✭✭seamus


    ntlbell wrote: »
    Start by applying for jobs you can do and let people who know the job you're trying to do do it.
    Or perhaps he's just gotten the, "We need to do something about this I.T. security thing, and you seem to know how to log onto a server, so we want you to look after our security setup" line. No need to jump down the guy's throat.

    At least he's attempting to find some sort of best practice rather than making up some fake numbers and stats to show his superiors.


  • Registered Users, Registered Users 2 Posts: 525 ✭✭✭Tinytony


    ondafly wrote: »
    I guess use ISO27001 as a checklist of sorts. Plenty of ideas/suggestions within that framework.


    Cheers for that. Have a fairly broad list done up and while I'd be familiar enough with network security it wouldn't be my specialist area so was looking to get a few pointers from the experts here. I'm the sole IT admin here and the guy who went before me seems to have been fairly lax about things so I want to try and tighten things up to some degree.
    ntlbell wrote: »
    Start by applying for jobs you can do and let people who know the job you're trying to do do it.

    Thanks for your oh so helpful response. :rolleyes:


  • Registered Users, Registered Users 2 Posts: 525 ✭✭✭Tinytony


    seamus wrote: »
    Or perhaps he's just gotten the, "We need to do something about this I.T. security thing, and you seem to know how to log onto a server, so we want you to look after our security setup" line. No need to jump down the guy's throat.

    At least he's attempting to find some sort of best practice rather than making up some fake numbers and stats to show his superiors.

    Thanks Seamus. I put a bit more info on where I was coming from in my post above.


  • Registered Users, Registered Users 2 Posts: 2,191 ✭✭✭Feelgood


    Firstly try categorizing stuff, break things down into smaller manageable groups and then create general pointers on it.

    For instance

    Networks:
    Port Security.
    Router / Switch Passwords, console port and aux port password rules
    Access Lists
    Firewall Rules etc etc.

    Windows Servers:
    User ID Rights.
    Group Memberships and Group Policies
    Password Policies.
    Rights to Drives etc etc.

    Then you can tackle each one of these items individually.

    Try getting your hands on a CISSP book which will highlight all the areas you need to be looking at and possibly some security books such as Certified Ethical Hacker...that should give you a start.


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    seamus wrote: »
    Or perhaps he's just gotten the, "We need to do something about this I.T. security thing, and you seem to know how to log onto a server, so we want you to look after our security setup" line. No need to jump down the guy's throat.

    At least he's attempting to find some sort of best practice rather than making up some fake numbers and stats to show his superiors.

    Then all he has to do is politely explain where he stands and his past exp.

    If it's that important then they need to get him trained to do it on going OR pay someone who knows what they're doing.

    This is not something one should be "googling" their way around; it's not like being an MCSE. :D


  • Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭ntlbell


    Tinytony wrote: »
    C


    Thanks for your oh so helpful response. :rolleyes:

    Sorry, I'll wrap my next one in cotton wool for you.


  • Registered Users, Registered Users 2 Posts: 525 ✭✭✭Tinytony


    Obviously security is important, but it's not something management here are particularly concerned about. This is more something I'm doing off my own bat to try and tighten things up as best I can.


  • Registered Users, Registered Users 2 Posts: 218 ✭✭Screaming Monkey


    If you're just looking to tighten up things, then there are some good guides at
    http://www.cisecurity.org/ - Some nice tools there as well

    This is one of the better IT auditing books and it has check-lists, for routers/switches/firewalls and the like.
    http://www.amazon.com/Auditing-Controls-Protect-Information-Assets/dp/0072263431

    ...and if you want to be "hardcore, you know the score" then the STIG guides are fun http://iase.disa.mil/stigs/

    someone mentioned ISO 27001, the ISO-17799 might be a better start www.sans.org/score/checklists/ISO_17799_checklist.pdf

    Also there is some good stuff up on the microsoft site, takes a bit of digging around http://www.microsoft.com/technet/security/default.mspx


  • Registered Users, Registered Users 2 Posts: 525 ✭✭✭Tinytony


    If you're just looking to tighten up things, then there are some good guides at
    http://www.cisecurity.org/ - Some nice tools there as well

    This is one of the better IT auditing books and it has check-lists, for routers/switches/firewalls and the like.
    http://www.amazon.com/Auditing-Controls-Protect-Information-Assets/dp/0072263431

    ...and if you want to be "hardcore, you know the score" then the STIG guides are fun http://iase.disa.mil/stigs/

    someone mentioned ISO 27001, the ISO-17799 might be a better start www.sans.org/score/checklists/ISO_17799_checklist.pdf

    Also there is some good stuff up on the microsoft site, takes a bit of digging around http://www.microsoft.com/technet/security/default.mspx

    Cheers Monkey, that's exactly the type of stuff I was looking for.


  • Registered Users, Registered Users 2 Posts: 328 ✭✭bozman


    Tinytony wrote: »
    I was wondering if anybody knew of a good checklist/style thing of areas to check when doing an Internal IT security audit? I'm in a new role and I'm trying to do up a list of things that will need to be examined from a security point of view. Any help appreciated.

    Lots of good advice here. Some of the areas I'd suggest you focus on are

    - Policies/procedures/standards - are there formal documents in place and are they used
    - Security patching - is it done regularly. Is anyone monitoring for new updates
    - System Hardening/Health checking - are the systems locked down and is there a regular revalidation of the settings
    - userid management - this is a critical area. Is access to systems controlled. Has there been an initial validation of someone's business need and is it ever revalidated


    One comment I would add is that you should ensure you know what you are trying to protect and who you are protecting it from. For example, if you have a server with personal information sitting on it (e.g. HR server), it needs a much higher level of protection than a test server and there is a legal requirement to secure the data. I would suggest that you start by ensuring that there is a full inventory of systems, including their function, importance to the organisation, links to other systems, any regulatory or legislative requirements, etc.... Then, when you start to assess the security, you can assign an appropriate risk rating to each issue that you find.

    There are lots of tools, both free and commercial, available to help assess security. If you have any internet facing systems, there are a number of organisations that offer vulnerability scans on an evaluation basis. IBM is advertising one on Newstalk at the moment. You can access it at www.ibm.ie/security
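An added illustration (not from the thread or any poster) of bozman's point above: build the system inventory first, then weight each finding by the importance, personal-data handling and connectivity of the asset it sits on. The asset names, importance scores and findings are constructed sample data.

```python
# Added example (not from the thread): rate audit findings by the asset they
# affect, as bozman suggests above. All names and numbers are constructed.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    function: str
    importance: int            # 1 (low) .. 5 (critical) to the organisation
    personal_data: bool        # e.g. HR records: legal duty to protect them
    links: list = field(default_factory=list)  # connected systems

@dataclass
class Finding:
    asset: str
    area: str                  # "patching", "hardening", "userid", "policy"
    severity: int              # 1 .. 5 as reported by the check or scanner
    description: str

def asset_weight(asset: Asset) -> int:
    """Importance, raised for personal data and for well-connected hosts."""
    weight = asset.importance
    if asset.personal_data:
        weight += 2
    # A compromised hub can reach its neighbours, so connectivity counts.
    weight += min(len(asset.links), 2)
    return min(weight, 9)

def risk_score(finding: Finding, inventory: dict) -> int:
    """Finding severity times the weight of the affected asset."""
    return finding.severity * asset_weight(inventory[finding.asset])

def prioritise(findings, inventory):
    """Findings ordered from highest to lowest risk score."""
    return sorted(findings, key=lambda f: risk_score(f, inventory), reverse=True)

# Constructed sample inventory and findings.
INVENTORY = {a.name: a for a in [
    Asset("hr-srv", "HR records", 4, True, ["dc1"]),
    Asset("test-srv", "test box", 1, False),
    Asset("dc1", "domain controller", 5, False, ["hr-srv", "file-srv"]),
]}
FINDINGS = [
    Finding("test-srv", "patching", 4, "missing security updates"),
    Finding("hr-srv", "userid", 3, "leaver accounts still enabled"),
    Finding("dc1", "policy", 2, "no written password policy"),
]
if __name__ == "__main__":
    for f in prioritise(FINDINGS, INVENTORY):
        print(risk_score(f, INVENTORY), f.asset, f.area, f.description)
```

The test server's missing patches score lowest despite the highest raw severity, because the same gap on the HR server or domain controller is what actually exposes the organisation.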

