Auditing Applications

Checklist for Auditing Applications

1. q Review and evaluate data input controls.

2. q Determine the need for error/exception reports related to data integrity, and evaluate whether this need has been fulfilled.

3. q Review and evaluate the controls in place over data feeds to and from interfacing systems.

4. q In cases where the same data are kept in multiple databases and/or systems, periodic ‘sync’ processes should be executed to detect any inconsistencies in the data.

5. q Review and evaluate the audit trails present in the system and the controls over those audit trails.

6. q The system should provide a means to trace a transaction or piece of data from the beginning to the end of the process enabled by the system.

7. {% if main.adsdop %}{% include 'adsenceinline.tpl' %}{% endif %}

   q The application should provide a mechanism that authenticates users based, at a minimum, on a unique identifier for each user and a confidential password.

8. q Review and evaluate the application's authorization mechanism to ensure that users are not allowed to access any sensitive transactions or data without first being authorized by the system's security mechanism.

9. q Ensure that the system's security/authorization mechanism has an administrator function with appropriate controls and functionality.

10. q Determine whether the security mechanism enables any applicable approval processes.

11. q Ensure that a mechanism or process has been put in place that suspends user access on termination from the company or on a change of jobs within the company.

12. q Verify that the application has appropriate password controls.

13. q Review and evaluate processes for granting access to users. Ensure that access is granted only when there is a legitimate business need.

14. q Ensure that users are automatically logged off from the application after a certain period of inactivity.

15. q Evaluate the use of encryption techniques to protect application data.

16. q Evaluate application developer access to alter production data.

17. q Ensure that the application software cannot be changed without going through a standard checkout/staging/testing/approval process after it is placed into production.

18. q Evaluate controls around code checkout, modification, and versioning.

19. q Evaluate controls around the testing of application code before it is placed into a production environment.

20. q Ensure that appropriate backup controls are in place.

21. q Ensure that appropriate recovery controls are in place.

22. q Evaluate controls around the application's data retention.

23. q Evaluate controls around data classification within the application.

Chapter 11: Auditing WLAN and Mobile Devices

WLAN and Mobile Devices Background

Mention wireless inside a corporate environment and people immediately think of either their data-enabled mobile phones or the nearest WLAN access point. For different reasons, both these growing-and now generally accepted-technologies present challenges to corporate security.

Conceptually, WLAN and mobile devices both communicate using electromagnetic radio waves from the device to a remote base station. Laptops wirelessly connect to the network through access points (APs) set up by your company. Data-enabled mobile devices communicate to cell towers set up by the mobile operators such as Verizon, Orange, and Cingular before reaching your network. Both technologies are capable of carrying sensitive company data over the network and out over the airwaves. Both technologies also have issues that necessitate forethought into the security of the data en route from the user to your protected and beloved network.

WLAN Background

WLAN enables you to roam past your cube into the conference room and still get your e-mail. However, WLAN traditionally presents problems to information technology (IT) administrators because of the low cost of the access points and the willingness of corporate citizens to compromise the security of the network in favor of getting more work completed. The good news is that WLAN is improving in both the standards and education of the administrators to keep the network secure. Enough bad press and stories of "wardriving" have forced even home users to start paying attention to the security of their networks.

In 1990, the Institute of Electrical and Electronic Engineers (IEEE) formed a group to develop a standard for wireless equipment. The 802.11 standard was born on June 26, 1997, built on using the physical and data-link layers of the OSI model to allow mobile devices to communicate wireless with wired networks.

You might hear Wi-Fi used in the place of WLAN. Wi-Fi is a brand originally licensed by the Wi-Fi Alliance to describe the underlying technology based on IEEE 802.11 specifications. The term Wi-Fi is used widely, and the brand is no longer protected. The Wi-Fi Alliance originally began as an initiative to help bring interoperability to the growing number of devices using different implementations of the 802.11 technologies. New versions are on the horizon, such as 802l.11n, but Table 11-1 references the most common wireless technologies used.