Information Technology
4 (B) To ensure that individuals performing database administration are separately authenticated, i.e. they should be given different user IDs.
      Risk associated: In case of any unauthorised changes, accountability cannot be fixed.
      Methodology: Review the IDs given to all the system administrators.
5 (A) To ensure that default users, scripts & passwords are changed / deleted from the system.
      Risk associated: Authorised access of systems through default ids etc.
      Methodology: Check if the default ids, passwords & scripts given in the software / hardware manual are deleted as per the latest security patches.
Access Control
CHECKLIST FOR INFORMATION TECHNOLOGY
Each item below gives its S.No., priority (A/B/C), particulars, the risk associated and the audit methodology.
6 Ensure that proper network zoning is done appropriately inside the network.
      Risk associated: Unauthorised access to another person's data, which may result in data theft, deletion or alteration.
      Methodology: Ensure that VLANs are created using appropriate switches.
7 (A) Rights given to all the users should be reviewed periodically, and it should be ensured that supervisory / administrator rights are not given to general users.
      Risk associated: The risk of unauthorised changes increases if the rights of the users are not based on their job roles.
      Methodology: Verification of the "User Access Matrix" provided by IT.
8 (B) Ensure that a Password Management Policy is in place and adhered to, wherein minimum password length, locking of ID after a defined number of consecutive login failures, password expiration period and maintaining of password history for a specific interval are specified.
      Risk associated: Unauthorised access to another person's data, which may result in data theft, deletion or alteration.
      Methodology: Checking the Password Policy configured in the server.
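Item 8 names four password-policy controls but gives no way to read them off a server. The following is an added example, not part of the checklist, that parses the output of the Windows "net accounts" command from a constructed sample and reports which of the four controls is weak; the thresholds MIN_LENGTH, MAX_AGE_DAYS, HISTORY_DEPTH and LOCKOUT_THRESHOLD are assumptions, since the checklist fixes no values.

```python
# Constructed sample resembling the output of the Windows "net accounts" command.
# The values are deliberately weak so that every check for item 8 fires.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
"""

# Audit thresholds are assumptions for this example; the checklist itself fixes none.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90
HISTORY_DEPTH = 5
LOCKOUT_THRESHOLD = 5

def parse_net_accounts(text):
    """Return {label: value} for each 'label: value' line of net accounts output."""
    policy = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            policy[label.strip()] = value.strip()
    return policy

def as_int(value):
    """Map 'Never', 'None' and 'Unlimited' to 0, meaning the control is not configured."""
    return int(value) if value.isdigit() else 0

def audit_password_policy(text):
    """Return the list of findings for item 8: length, lockout, expiry, history."""
    p = parse_net_accounts(text)
    findings = []
    if as_int(p.get("Minimum password length", "0")) < MIN_LENGTH:
        findings.append("minimum password length below %d" % MIN_LENGTH)
    threshold = as_int(p.get("Lockout threshold", "Never"))
    if threshold == 0 or threshold > LOCKOUT_THRESHOLD:
        findings.append("no lockout after %d consecutive failed logins" % LOCKOUT_THRESHOLD)
    max_age = as_int(p.get("Maximum password age (days)", "Unlimited"))
    if max_age == 0 or max_age > MAX_AGE_DAYS:
        findings.append("password expiry missing or longer than %d days" % MAX_AGE_DAYS)
    if as_int(p.get("Length of password history maintained", "None")) < HISTORY_DEPTH:
        findings.append("password history shorter than %d" % HISTORY_DEPTH)
    return findings

if __name__ == "__main__":
    for finding in audit_password_policy(SAMPLE_NET_ACCOUNTS):
        print("FINDING:", finding)
```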
9 (A) To ensure that the Security Access Manager (SAM, which stores passwords for domain and local computer accounts) database is in an encrypted form to prevent unauthorized access.
      Risk associated: Passwords stored without encryption can be easily retrieved & used for gaining unauthorised access to the database.
      Methodology: Auditing tools like Nessus, Real Secure etc. need to be used.
10 (C) Ensure that the network databases of the circles are not accessible to each other.
      Risk associated: Unauthorised access to the database of other circles.
      Methodology: Ensure that an access control list is applied to segregate these databases from other circles.
11 (A) Internet access is totally restricted in the Call Center systems.
      Risk associated: Unauthorised transfer of data to outside sources.
      Methodology: Access to the proxy should be restricted & users should be created on the proxy for people accessing the internet.
12 (B) To ensure that internet access to employees has been given on the approval of their HOD/CIO.
      Risk associated: Unauthorised transfer of data to outside sources.
      Methodology: Checking of the Internet access form given by the user & approved by his HOD.
13 (A) To ensure that all PCs have power-on and screen saver passwords as a measure of data security.
      Risk associated: Security of data is at risk in case a system is left unattended for a period of time.
      Methodology: Check whether power-on & screen saver passwords are enabled on all the systems.
14 (A) The Internet leased line should be terminated on an isolated router.
      Risk associated: Any other network component attached to the router would be vulnerable to external intrusions.
      Methodology: Auditing tools & physical check of the router.
15 (A) All external parties connecting to the network should be isolated from the internal network through a firewall.
      Risk associated: Network would be vulnerable to intrusions through the external network.
      Methodology: Physical check & configuration of the firewall to check the zoning.
16 (B) Hard disk sharing should be restricted & allowed only on a work group basis.
      Risk associated: Data can be shared across the network in an unauthorised manner.
      Methodology: Use of auditing tools like Languard & check the domain policy.
Asset Control
17 (B) To ensure that licenses have been obtained for all the software used in the unit in sufficient numbers. Generate a list of software being used which is expired or consists of demo license copies.
      Risk associated: Legal proceedings can be initiated by the software vendor for illegal use of their products.
      Methodology: Software inventory list mapped with the available licenses.
18 (B) To ensure that the PC control sheet / hardware inventory list is updated on a regular basis.
      Risk associated: Weak / inadequate control over hardware.
      Methodology: Physical verification of the assets with the list.
19 (A) To ensure that back up of data is taken on a daily basis / as per the backup policy of the unit.
      Risk associated: Business Continuity at risk.
      Methodology: Review of the back up files / logs.
20 (B) Ensure that the backup is kept in a fire proof safe in an offsite location, preferably a bank locker.
      Risk associated: Safety of the backup of the data can be at risk without secure offsite storage.
      Methodology: Review of back up procedures.
21 (C) The process of management of the locker access should be well documented.
      Risk associated: Safety of the backup of the data can be at risk without secure offsite storage.
      Methodology: Review of back up procedures.
22 (A) To ensure that the floppy drive and CDROM drive are physically removed from the Call Center Desktops.
      Risk associated: Unauthorised transfer of data to outside sources.
      Methodology: Check if the drives are physically not present in the machines.
23 (A) Floppy drive is disabled on all Desktops.
      Risk associated: Unauthorised transfer of data to outside sources.
      Methodology: Check if the floppy drive is physically not present in the machines.
24 (A) Ensure that the operating system & applications, both on desktops & servers, have the latest versions of service packs / patches installed.
      Risk associated: Systems can have vulnerabilities which can be exploited by a hacker.
      Methodology: Run update on the system to see if the latest service pack has been installed.
25 (B) Ensure that individuals do not store or use illegal content such as MP3 files, unlicensed video clippings, pornographic files and images, and copyrighted images and documents.
      Risk associated: Copyright infringements & use of office equipment for entertainment purposes.
      Methodology: Scanning of the user machines for files with the following extensions: mp3, ra, mpeg, dat, jpg, jpeg, bmp, gif, avi, wav etc.
26 (C) Ensure that personal documents and information are not stored on the provided IT infrastructure.
      Risk associated: Use of office equipment for personal purposes.
      Methodology: Sample 3 to 5% of the machines and check for documents like CVs, pictures, flash applications etc.
Applications Development
27 (A) Ensure that the modifications etc. being made to the existing reports / software / applications are properly validated by business owners before effecting the changes.
      Risk associated: Incorrect outputs of software / reports / applications can result in the system crashing / behaving erratically, customer dissatisfaction & misreporting.
      Methodology: Review of the Application Development process.
28 (A) Review the Change control process to ensure that changes to programs after their implementation are properly reviewed, approved, documented and tested.
      Risk associated: Incorrect outputs of software / reports / applications can result in the system crashing / behaving erratically, customer dissatisfaction & misreporting.
      Methodology: Review of the Application Development process.
29 (A) Ensure that testing of a patch / fix is done in the test environment only and its results are properly documented.
      Risk associated: Incorrect outputs of software / reports / applications can result in the system crashing / behaving erratically, customer dissatisfaction & misreporting.
      Methodology: Check for the existence of a development / test environment.
30 (A) All development is done on the development servers only and not on production servers.
      Risk associated: Incorrect outputs of software / reports / applications can result in the system crashing / behaving erratically, customer dissatisfaction & misreporting.
      Methodology: Check for the existence of a development / test environment.
31 (B) Appropriate version control mechanisms are put in place.
      Risk associated: Previous history of any development would not be available for review.
      Methodology: Review of the logs & processes.
32 (B) Applications are released only after appropriate Quality Control procedures have been taken into consideration.
      Risk associated: Unchecked software / applications can result in the system crashing / behaving erratically, customer dissatisfaction & misreporting.
      Methodology: Review of the Application Development process.
33 (A) Release of applications must be done by superior officers through a formal process only.
      Risk associated: Unchecked software / applications can result in the system crashing / behaving erratically, customer dissatisfaction & misreporting.
      Methodology: Review of the Application Development process.
Application Management
34 (A) To ensure that users are not able to directly access and modify the database using tools like SQL & TOAD. Any modifications should be done in the application software and not in the database.
      Risk associated: Anybody can modify the data in tables without adhering to relationships, whereas the application ensures that data consistency is maintained and changes are made on all tables simultaneously.
      Methodology: Check on the firewall whether the SQL and TOAD ports are restricted; otherwise there should be a command in the database to kill the session of any user attempting such access. This can be checked by attempting such access. Audit tools can also be used.
35 (B) Ensure that the auditing feature & security auditing feature are enabled in the Oracle database & routers respectively.
      Risk associated: This enables logging of every activity on the database, but it is generally not recommended because of performance and storage issues; therefore an "On demand" basis is recommended.
      Methodology: Review the options and logs on the database server; if not there, check for the existence of an "On demand" process.
Personnel
36 (A) Ensure there is adequate segregation of duties and functions in the IT department in respect of areas such as application programming, systems programming, operations, control and reconciliation of processing input and output, control of master and data files, and maintenance and up-gradation of IT infrastructure such as PCs, servers, network and other peripheral devices.
      Risk associated: There would be no accountability for daily job functions.
      Methodology: Review the KRA mechanisms, JDs and interview.
37 (B) Ensure that the IT department reports to senior management, allowing the department to maintain objectivity and independence from source or user departments.
      Risk associated: Independence of the function may be compromised.
      Methodology: Review HR policies and SLA.
38 (B) Review administrative and operational procedures established within the IT department to ensure that issues such as comprehensive written job descriptions, published policy and procedures manual, rotation of duties of personnel, formal activity logging and review procedures, formal forms control and record retention procedures, physical security of the IT department, formal disaster recovery plan including backup facilities and testing procedures, storage and up-gradation of user manuals, all software licenses and new system rollout processes etc. are properly addressed.
      Risk associated: Leads to dependence on resources.
      Methodology: Review all IT processes related to shifts, JDs, documentation, backup etc.
Security Infrastructure
39 (A) Corporate Network Security Policy compliance is met.
      Risk associated: Any deviance would lead to intrusions.
      Methodology: Check IT processes with the security policy.
40 (B) Review the security policy of the unit and ensure that no user is allowed more than one login. Also ensure that group login is not allowed.
      Risk associated: Accountability in case of unauthorised access cannot be fixed; exceptions can be made only in the case of call centers where the login is shared.
      Methodology: Multiple login option is disabled.
41 (A) To ensure that the anti virus program is installed on all PCs and is updated automatically on a daily basis. Ensure that the anti virus program is also installed on stand alone PCs and updated regularly with newer versions.
      Risk associated: Corruption / loss of crucial data.
      Methodology: Anti virus program is loaded on all the machines and the updates are done through the server, i.e. no user intervention is required for updating.
42 (B) To ensure that local TCP / IP filtering techniques are used for systems.
      Risk associated: Unknown ports and services can be backdoors for hackers.
      Methodology: Ensure that the unwanted ports are blocked either on the firewall or at the individual system level. This can be done through a network auditing tool.
43 (A) Ensure that the following features are disabled to increase router security: finger service, IP source routing & BOOTP server service.
      Risk associated: The finger service lists the usernames logged into a network device and is therefore useful to an attacker. IP source routing allows hackers to define their own routes on the network. The BOOTP server service enables a hacker to download a copy of the router's IOS software.
      Methodology: These should be disabled. Check router configuration files.
44 (A) Ensure that access list filters are implemented to filter traffic & restrict access to router services.
      Risk associated: Unwanted services will leave the network vulnerable.
      Methodology: Checking router configuration files against the wanted and unwanted services.
45 (A) Ensure that testing of the effectiveness of firewalls is done on a periodic basis.
      Risk associated: The firewall will be vulnerable to new intrusions.
      Methodology: A process for testing the firewall should be in place. The latest service packs & versions are installed both on the operating systems & the firewall package.
46 (A) Ensure that intrusion detection systems are installed at the firewall level to highlight network hacking attempts.
      Risk associated: Hacking / intrusion into the network will go undetected.
      Methodology: Intrusion detection systems are installed and their alerts are actioned upon.
47 (A) Ensure that the SYNDefender parameters to protect internal systems from denial of service attacks are activated.
      Risk associated: A SYN attack works by overwhelming the victim with requests from a non-existent IP address. The victim responds but does not receive a reply, leading to a flood of open connections. These requests may slow down or crash the OS.
      Methodology: This should be disabled. Check router configuration files.
48 (B) Ensure that the security configuration of servers is updated to protect against known vulnerabilities.
      Risk associated: Known vulnerabilities of the systems can be easily exploited by hackers.
      Methodology: Systems are updated with the latest patches / service packs.
49 (B) Ensure that unsecured communication protocols like FTP & telnet are disabled on servers.
      Risk associated: Unsecured FTP and Telnet are open and vulnerable connections.
      Methodology: Check the router configuration and ensure that the communication is encrypted.
50 (A) Ensure that the value of TCP_STRONG_ISS in servers is changed from the default value of “1” to a more secure value to prevent IP spoofing.
      Risk associated: This can cause IP spoofing and make the system vulnerable to intrusion.
      Methodology: The value should be set to 2.
51 (A) Ensure that the redundant “aux” parameter is removed from the router configuration.
      Risk associated: The aux parameter allows people to access the router through dial-ups.
      Methodology: This should be disabled. Check router configuration files.
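Items 43, 44 and 51 all come down to reading the router configuration file. The following is an added example, not from the checklist or any vendor, that audits a constructed Cisco IOS-style excerpt for the finger, IP source routing and BOOTP server services, for an access-class filter on the vty lines, and for an aux line that is still usable; the command forms it looks for, and the assumption that each service is on unless its "no" form appears, are assumptions about IOS syntax.

```python
# Constructed IOS-style running-config excerpt; not taken from any real device.
SAMPLE_CONFIG = """\
ip source-route
line aux 0
 transport input all
line vty 0 4
 transport input telnet
"""

# Global commands whose presence shows a service is switched off. Assumption for this
# example: the device treats each service as enabled unless the "no" form is present.
REQUIRED_GLOBALS = {
    "finger service": ("no service finger", "no ip finger"),
    "IP source routing": ("no ip source-route",),
    "BOOTP server service": ("no ip bootp server",),
}

def line_blocks(config):
    """Yield (header, [sub-commands]) for each 'line ...' section of the config."""
    header, body = None, []
    for raw in config.splitlines() + ["!"]:  # the sentinel flushes the last block
        if raw.startswith(" ") and header:
            body.append(raw.strip())
        else:
            if header:
                yield header, body
            header, body = (raw.strip(), []) if raw.startswith("line ") else (None, [])

def audit_router_config(config):
    """Return findings for checklist items 43, 44 and 51 on one config text."""
    findings = []
    globals_ = {l.strip() for l in config.splitlines() if not l.startswith(" ")}
    for name, off_forms in REQUIRED_GLOBALS.items():
        if not any(form in globals_ for form in off_forms):
            findings.append("%s not disabled" % name)
    for header, body in line_blocks(config):
        if header.startswith("line aux"):
            # Item 51: the aux port counts as removed only if exec and transport are off.
            if not ("no exec" in body and "transport input none" in body):
                findings.append("%s still usable for dial-in access" % header)
        elif header.startswith("line vty"):
            # Item 44: remote access to router services must be filtered by an ACL.
            if not any(cmd.startswith("access-class ") for cmd in body):
                findings.append("%s has no access-class filter" % header)
    return findings

if __name__ == "__main__":
    for finding in audit_router_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```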
Physical Security
52 (A) Ensure that access to computer hardware, programs, program documentation, data files and servers is limited to authorized personnel only.
      Risk associated: Unauthorised access to IT resources, which can result in hardware & data theft.
      Methodology: Server room / data centre should have an access control mechanism open to only relevant users.
53 (A) The reprographics room is in a secured environment, and devices such as printers, fax machines, photocopiers and the dak section have access control mechanisms.
      Risk associated: Unauthorised transfer of data to outside sources.
      Methodology: Check physical access control mechanisms.
(B) Ensure that network diagrams are not displayed in the organisation where visitors have access.
      Risk associated: Security of the network can be compromised.
      Methodology: Network diagrams should not be displayed in the areas where visitors have access.