IT Audit Practices
- IT audits should be conducted regularly (e.g. at least once per year).
- An audit checklist should be prepared for each security level and operating system, so that audits are consistent and simple to repeat.
- The auditor should be independent of the administration being audited and remain objective.
- The audit should cover: guidelines, policies, users, management, IT security managers, administrators, and IT resources.
Access control
- Access controls comprise the policies and procedures designed to permit use of data processing assets by authorized parties only.
- We protect these assets from both the physical and the logical perspective.
- We prevent and detect unauthorized access or use.
- We review the limits of each access group and decide what best protects the assets.
- We maintain written procedures for the controls over the physical security of computer equipment.
- We place hardware such as servers and storage in an appropriate, physically secured location.
- We define policies for temporary access by employees, visitors, or outside vendors, and use sign-in logs to track their activities.
- We use monitoring software linked to the physical access control devices to electronically monitor computer room entrances.
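The sign-in logs and entrance monitoring above are only useful to an audit if someone actually reviews them. Below is an added example (not part of the original page) of the kind of review script an auditor might run over exported badge-reader logs. The log format (timestamp, badge, holder type, door, event), the door names, the authorized badge list and the business hours are all assumptions made for the example; the log lines are constructed.

```python
"""Audit review of constructed physical-access (badge) log lines.

Three checks an auditor would want: computer-room entries only from
authorized badges, temporary badges (visitor/vendor) used only during
business hours, and every entry matched by an exit (missing sign-out).
The log format and names below are assumptions for this example.
"""
from datetime import datetime

# Constructed sample export: timestamp, badge id, holder type, door, event.
SAMPLE_LOG = """\
2024-03-04T08:55:10,E1001,employee,server-room,entry
2024-03-04T09:02:41,V2001,visitor,lobby,entry
2024-03-04T09:05:03,V2001,visitor,server-room,entry
2024-03-04T10:15:00,E1001,employee,server-room,exit
2024-03-04T11:30:22,X9999,vendor,server-room,entry
2024-03-04T11:45:09,X9999,vendor,server-room,exit
2024-03-04T22:10:00,V2002,visitor,lobby,entry
2024-03-04T22:40:00,V2002,visitor,lobby,exit
"""

# Assumed authorization list for the computer-room door.
SERVER_ROOM_ALLOWED = {"E1001", "X9999"}
# Assumed business hours for temporary badges: 08:00 to 18:00 local time.
BUSINESS_HOURS = (8, 18)


def parse_log(text):
    """Parse CSV-style lines into dicts. Malformed lines are reported,
    never skipped silently: a gap in the log is itself an audit finding."""
    records, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(",")
        if len(parts) != 5:
            errors.append((lineno, "malformed line"))
            continue
        ts, badge, holder, door, event = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            errors.append((lineno, "bad timestamp"))
            continue
        records.append({"time": when, "badge": badge, "holder": holder,
                        "door": door, "event": event})
    return records, errors


def audit_access(records):
    """Return findings as (badge, rule, detail) tuples for auditor review."""
    findings = []
    open_visits = {}  # (badge, door) -> entry time, for sign-out matching
    for r in records:
        key = (r["badge"], r["door"])
        # Rule 1: computer-room entries must come from the authorized list.
        if (r["door"] == "server-room" and r["event"] == "entry"
                and r["badge"] not in SERVER_ROOM_ALLOWED):
            findings.append((r["badge"], "unauthorized-entry", r["door"]))
        # Rule 2: visitor/vendor badges are only valid during business hours.
        if (r["holder"] in ("visitor", "vendor") and r["event"] == "entry"
                and not BUSINESS_HOURS[0] <= r["time"].hour < BUSINESS_HOURS[1]):
            findings.append((r["badge"], "after-hours-entry",
                             r["time"].isoformat()))
        # Rule 3: pair entries with exits so missing sign-outs show up.
        if r["event"] == "entry":
            open_visits[key] = r["time"]
        elif r["event"] == "exit":
            open_visits.pop(key, None)
    for (badge, door), when in open_visits.items():
        findings.append((badge, "no-exit-logged",
                         f"{door} since {when.isoformat()}"))
    return findings


if __name__ == "__main__":
    recs, errs = parse_log(SAMPLE_LOG)
    for finding in audit_access(recs):
        print(*finding)
    for err in errs:
        print("parse error:", *err)
```

On the constructed log the script flags the visitor badge V2001 entering the server room without authorization and never signing out, and visitor V2002 arriving at 22:10. An auditor would then trace each finding back to the written temporary-access policy and the sign-in sheet for that day.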
Program change control
- We maintain written procedures for controlling program changes, covering both IT management and programming personnel.
- We use change control software to manage source programs and object (compiled) programs, especially those running in production.
- We provide procedures for emergency program changes.
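A program change control audit boils down to two questions: does what runs in production match a recorded, approved change, and did emergency changes go through the procedure afterwards? The following is an added example, not code from the page, of a check an auditor can script against an export from the change control software. The register layout, the program names and bytes, and the role names are all constructed for the example.

```python
"""Audit check for program change control, as an added example.

For each production (object) program: verify its hash against the latest
approved change record, confirm emergency changes received a follow-up
review, and confirm the approver is not the person who made the change.
The register layout and program contents are constructed assumptions.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    """Hash of an object program as stored in the change register."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for object programs found on the production host.
PRODUCTION = {
    "payroll.bin": b"PAYROLL v2.3 build 412",
    "billing.bin": b"BILLING v1.9 build 88 + hotfix",  # differs from record
    "ledger.bin": b"LEDGER v4.0 build 7",
    "reports.bin": b"REPORTS v0.1",                    # no record at all
}

# Constructed change register exported from the change control software.
CHANGE_REGISTER = [
    {"program": "payroll.bin", "change_id": "CHG-101",
     "sha256": sha256_hex(b"PAYROLL v2.3 build 412"),
     "changed_by": "dev-a", "approved_by": "it-manager",
     "emergency": False, "post_review_by": None},
    {"program": "billing.bin", "change_id": "CHG-102",
     "sha256": sha256_hex(b"BILLING v1.9 build 88"),
     "changed_by": "dev-b", "approved_by": "it-manager",
     "emergency": False, "post_review_by": None},
    {"program": "ledger.bin", "change_id": "CHG-103",
     "sha256": sha256_hex(b"LEDGER v4.0 build 7"),
     "changed_by": "on-call-dev", "approved_by": "on-call-dev",
     "emergency": True, "post_review_by": None},
]


def audit_changes(production, register):
    """Return findings as (program, rule, change_id) tuples."""
    findings = []
    # The last record per program is taken as the current approved build.
    latest = {}
    for rec in register:
        latest[rec["program"]] = rec
    for program, data in production.items():
        rec = latest.get(program)
        if rec is None:
            findings.append((program, "no-change-record", ""))
            continue
        # Control 1: the deployed object program must match the approved hash.
        if sha256_hex(data) != rec["sha256"]:
            findings.append((program, "hash-mismatch", rec["change_id"]))
        # Control 2: emergency changes need the follow-up review the
        # emergency procedure requires.
        if rec["emergency"] and not rec["post_review_by"]:
            findings.append((program, "emergency-unreviewed", rec["change_id"]))
        # Control 3: separation of duties between programmer and approver.
        if rec["approved_by"] == rec["changed_by"]:
            findings.append((program, "self-approved", rec["change_id"]))
    # Records for programs that are not deployed are worth a question too.
    for program, rec in latest.items():
        if program not in production:
            findings.append((program, "registered-not-deployed", rec["change_id"]))
    return findings


if __name__ == "__main__":
    for finding in audit_changes(PRODUCTION, CHANGE_REGISTER):
        print(*finding)
```

Against the constructed data the check reports billing.bin as modified outside the register (the hotfix), ledger.bin as an emergency change that was both self-approved and never reviewed afterwards, and reports.bin as running with no change record. In a real audit the hashes would be computed over the files on the production host and the register pulled from the control software, not embedded.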
Personal Computer and End-User Computing (EUC)
- We maintain written policies covering PC security, shareware, maintenance of PC software, and backups.
- We use access control software for passwords, boot protection, and restricting the installation of software.
- We provide documentation for critical end-user applications.