INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

1. General Configuration

• Device Documentation

o Firmware/Software Version: Check that the firewall and UTM devices

are running the latest firmware/software versions. Ensure there’s
documentation on the current version and patch levels, including
release notes on security updates.

o Vendor Support: Confirm that the devices are still under active support
from the vendor. Devices out of support may not receive critical
security updates, making them vulnerable to new threats.

o Configuration Backups: Verify that a regular schedule for automatic

backups is in place. These backups should be encrypted and stored
in secure locations, with multiple copies maintained offsite.

o System Time and NTP: Ensure the system time is synchronized with a
reliable Network Time Protocol (NTP) server. Accurate timestamps
are critical for incident response and forensic analysis.

• Access Control

o Unused Services: Review the device to ensure that unnecessary

services (e.g., Telnet, FTP) are disabled. Only essential services such as
SSH for secure remote access should be enabled.

o Interface Management: Unused interfaces (e.g., ports or VLANs)

should be disabled to minimize attack surfaces.

o Multi-Factor Authentication (MFA): Verify that MFA is enabled

for all administrative users to prevent unauthorized access.

o Administrative Protocols: Ensure remote management uses secure,

encrypted protocols (such as HTTPS for web management and SSH
for command-line access).

o Administrator Accounts: Review the list of admin users, ensuring

that the principle of least privilege is followed. Each admin
should only have the necessary permissions for their role.

o Timeout Settings: Check session timeout settings for administrators

to ensure that sessions automatically log out after a period of
inactivity to prevent unauthorized use.

2. Firewall Rules G Policies

• Rule Review
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Business Justification: Review each firewall rule and document its

business purpose. Ensure that each rule is still relevant and
necessary. Outdated or redundant rules should be removed.

o Default Deny Rule: Confirm that the default rule at the bottom of the
firewall policy set is “Deny All” to block any traffic that doesn’t
explicitly match an allow rule.

o Overly Permissive Rules: Evaluate rules that allow broad access

(such as “ANY” or large IP ranges). Restrict access to specific IP
addresses, protocols, or ports wherever possible.

o Internal Segregation: Ensure that the rules governing traffic between

different network zones (e.g., LAN to DMZ, LAN to WAN) are well-
defined, with clear restrictions between trust levels.

• Rule Ordering

o Performance Optimization: Ensure that frequently used rules are

placed at the top of the rule set. Misordered rules can lead to
unnecessary processing, impacting performance.

o Specific vs. General Rules: Confirm that more specific rules

(narrower IP ranges or port definitions) are prioritized above general
rules (broader ranges). This ensures that traffic is accurately filtered
and not unintentionally allowed through a generic rule.

• Application Layer Filtering

o Application Layer Filtering (ALF): Verify that ALF is enabled to inspect

traffic at the application level (e.g., HTTP, HTTPS) rather than just
network layers. This helps in detecting and blocking threats
embedded within legitimate-looking traffic.

o Deep Packet Inspection (DPI): Ensure DPI is enabled for detailed

examination of packet content, allowing the identification of
advanced threats that may bypass basic firewall inspection.

3. Intrusion Detection G Prevention (IDS/IPS)

• Signature-Based Detection

o Enabled IDS/IPS: Check that IDS/IPS functionality is enabled on

the UTM device. This feature analyzes traffic for known attack
signatures.

o Signature Updates: Verify that the device is set to receive automatic

updates for IDS/IPS signatures from the vendor. These signatures
should be current to protect against the latest threats.

• Anomaly-Based Detection

o Traffic Baseline: Establish a normal traffic baseline for the network

to allow anomaly-based detection systems to identify deviations
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

(e.g., unusual traffic spikes).

o Detection Policies: Fine-tune the detection policies to prevent false
positives while maintaining the ability to detect genuine threats.
Ensure regular review and adjustment based on network changes.

4. UTM Features

• Antivirus/Antimalware Protection

o Antivirus Scanning: Confirm that antivirus protection is enabled for

all traffic types (e.g., HTTP, FTP, and email). This ensures that files and
attachments are scanned for malware before entering the
network.

o Signature Updates: Ensure that virus definitions are updated

automatically and that these updates are frequent enough to cover
new threats.

• Content Filtering

o Category Filtering: Ensure that web content filtering is enabled to

block access to high-risk categories such as phishing, malware, and
adult content. Content filtering helps prevent users from accessing
malicious or inappropriate websites.

o Custom URL Blocking: Review the list of custom URLs that are
explicitly blocked or allowed. Ensure this list is updated regularly
and is aligned with company policies.

• Spam and Phishing Protection

o Email Filters: Confirm that spam and phishing filters are enabled for
email traffic. Ensure that these filters use real-time blacklists and
threat intelligence to detect and block phishing attempts.

o Customization: Customize filtering rules to better detect targeted

phishing campaigns or business email compromise (BEC)
attempts.

• SSL Decryption/Inspection

o SSL/TLS Inspection: Verify that SSL inspection is enabled for web

traffic. This allows the UTM to inspect encrypted traffic for threats.
Ensure that proper SSL certificates are in use.

o Privacy Considerations: For sensitive content such as banking or

healthcare data, ensure that exceptions are defined so the firewall
does not decrypt this traffic. Regularly review these exceptions to
avoid security blind spots.

5. Network Segmentation and Zones

• Network Segmentation
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Segmentation: Ensure that internal networks are segmented into

distinct zones (e.g., LAN, DMZ, guest network) and that these segments
are properly separated by the firewall. Segmentation limits the
spread of malware and controls access to sensitive areas of the
network.
o Firewall Policies Between ZonesTraffic Control: Review the firewall
rules that control traffic between these network zones. Ensure
that rules are in place to restrict access between critical zones,
like allowing specific internal servers to communicate with the
DMZ but blocking others.

• Virtual Private Network (VPN)

o Encryption Protocols: Verify that VPN connections are configured to

use strong encryption protocols, such as IPsec or SSL. Weak
encryption can lead to compromise.

o Split Tunneling: Ensure that split tunneling (where only certain traffic
goes through the VPN while the rest uses the user's local network) is
disabled unless there is a compelling business case. Split tunneling
can expose sensitive traffic to untrusted networks.

o Authentication: Review VPN user authentication methods. Ensure

that users authenticate with certificates or multi-factor
authentication for added security.

o VPN Access Controls: Verify that VPN users are assigned specific
policies that limit their access to only necessary network resources.
Access should be restricted to prevent lateral movement within the
network.

6. Logging and Monitoring

• Logging Configuration

o Logging Settings: Ensure that detailed logging is enabled for firewall

and UTM activities. Log critical events, such as security alerts, traffic
violations, and changes to device configuration.

o Centralized Logging: Verify that logs are forwarded to a secure,

centralized log server (such as a Security Information and Event
Management (SIEM) system). Centralized logging is essential for
correlation, analysis, and forensic investigations.

o Log Retention: Ensure that logs are retained for a period consistent
with legal and regulatory requirements. Check that logs are stored
securely and that access is restricted to authorized personnel.

• Monitoring and Alerts

o Real-Time Alerts: Confirm that real-time alerts are configured for

critical security incidents such as failed admin logins, rule
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

violations, and malware detections.

o Bandwidth Monitoring: Regularly monitor bandwidth usage to identify

unusual spikes that may indicate malicious activity, such as data
exfiltration or DDoS attacks.

• Event Correlation
o SIEM Integration: Ensure that the firewall and UTM device logs are
properly integrated with an SIEM system to correlate events and
identify multi-stage attacks that may not be visible from
individual devices.

7. Patch Management G Firmware Updates

• Patch Management

o Regular Updates: Confirm that the firewall/UTM devices are running

the latest patches. Vulnerabilities should be addressed as soon as
patches are released to prevent exploits.

o Automated Patch Application: Ensure that the device is configured to

receive patches automatically, or schedule regular manual updates
with minimal downtime.

o Firmware Upgrades: Review the process for firmware updates,

ensuring that they are tested in a controlled environment before
deployment to production systems. Document and regularly
schedule these upgrades.

8. Backup G Recovery

• Configuration Backup

o Regular Backups: Ensure that configuration backups are performed

regularly. Verify that these backups are encrypted and stored offsite
or in a secure, redundant location.

o Backup Testing: Test the restoration of backups periodically to ensure

they can be successfully applied in case of device failure or
compromise.

• Disaster Recovery

o Disaster Recovery Plan: Ensure that a disaster recovery plan is in place

for the firewall and UTM devices. This plan should include steps for
quickly restoring services in the event of a hardware failure, software
corruption, or cyber-attack.

G. Security Policy Review

• Security Policy

o Ensure the security policy is aligned with organizational goals

and legal requirements (GDPR, HIPAA, etc.).
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Verify that user policies regarding remote access, allowed

applications, and content filtering are documented and
followed.

• Regular Audits

o Schedule regular security audits and vulnerability assessments of

the firewall and UTM configuration.

• Additional Considerations

o Third-Party Integrations: Review and test third-party integrations (like

cloud monitoring, third-party apps, etc.) for compatibility and
security.
o Penetration Testing: Conduct regular penetration tests to identify
security gaps in the firewall and UTM configurations.

o Documentation: Maintain up-to-date documentation on firewall

and UTM configurations, network diagrams, and access control
policies.

10. Traffic Analysis G Bandwidth Management

• Traffic Monitoring

o Monitoring Tools: Ensure that comprehensive traffic monitoring tools

(e.g., NetFlow, sFlow, or the firewall's own monitoring module) are
active. These tools should help track both inbound and outbound
traffic.

o Historical Traffic Data: Regularly review historical traffic data to

spot anomalies, including unexpected traffic patterns or
excessive bandwidth consumption. Suspicious traffic may
indicate ongoing malware infections, exfiltration of data, or
DDoS attempts.

o Top Users G Applications: Identify and monitor top users and

applications consuming the most bandwidth. Ensure these are
business-critical and compliant with organizational policies.

• Bandwidth Management

o Traffic Shaping G ǪoS: Verify that traffic shaping policies are applied to
ensure critical business applications (like VoIP, ERP, or video
conferencing) are prioritized over less essential services (e.g.,
streaming, social media).

o Bandwidth Control for Non-Essential Traffic: Set bandwidth limits or

throttling for recreational traffic (such as streaming services, and social
media) to prevent these from impacting network performance
during critical business operations.

11. Advanced Threat Protection (ATP)

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Sandboxing

o Isolated Threat Analysis: Verify that the UTM device employs

sandboxing technologies to isolate suspicious files or traffic for
behavioral analysis. Sandboxing can detect unknown or zero-day
threats that standard antivirus systems may miss.

o File Analysis: Ensure that inbound files (especially email

attachments or downloads from the internet) are automatically
routed to the sandbox before being allowed through.

• Threat Intelligence Integration

o Real-Time Threat Feeds: Check if the firewall/UTM is integrated

with global threat intelligence feeds. This allows the device to
update in real-time about emerging threats, new attack vectors,
or malware signatures.

o Proactive Defense: Ensure threat intelligence is used not just for

detection but also for proactive blocking of IPs or domains known to
be involved in malicious activity.
12. Geolocation G Geo-blocking

• Geolocation-Based Access Control

o Geolocation Rules: Implement rules to block or restrict traffic from

high-risk regions or countries. These regions could be associated
with frequent cyber- attacks or have no legitimate business
requirement for access.

o Exceptions G Overrides: Where legitimate access is required from

blocked regions (for example, during travel or international
partnerships), ensure that exceptions are securely managed and
logged.

• Geo-blocking Activity Monitoring

o Log Review: Regularly review geo-blocking logs for access attempts

from blocked regions. These logs can reveal potential attack attempts
from malicious actors in restricted regions.

o Adjustments: Periodically update the list of blocked regions based on

the latest threat intelligence. Adjust access based on changes in your
organization’s geographic scope or risk assessment.

13. Anomalies in User Behavior

• User G Entity Behavior Analytics (UEBA)

o Behavioral Baselines: Ensure that the UTM system is equipped

with or integrates with UEBA tools to create a baseline of normal
user behavior. This helps identify anomalies such as users
accessing resources at odd times or attempting to access
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

unauthorized data.

o Abnormal Behavior Alerts: Ensure that alerts are set up for any
deviations from normal behavior, such as repeated failed login
attempts, unexpected data transfers, or attempts to access
restricted network segments.

14. Encrypted Traffic Management

• SSL/TLS Inspection

o Enable SSL Decryption: Ensure SSL/TLS inspection is enabled to

scan encrypted web traffic (HTTPS) for threats. Attackers frequently
hide malware within encrypted traffic, so this is critical for
effective threat detection.

o Certificate Management: Ensure proper SSL certificates are installed

on the firewall/UTM to prevent traffic decryption failures. Certificates
should be up-to- date and managed securely.

• Privacy Compliance

o Exemptions for Sensitive Traffic: Ensure that the UTM system exempts
certain traffic (such as healthcare or financial data) from SSL
decryption to comply with legal privacy requirements. Review these
exemptions regularly to ensure they don't introduce vulnerabilities.

15. Incident Response

• Automated Response Actions

o Auto-Blocking Rules: Configure automated response actions for

common threats, such as automatically blocking malicious IP
addresses, blacklisting malicious domains, or quarantining
compromised devices.

o Alerts for Critical Incidents: Set up notifications for high-severity

incidents (e.g., potential data breaches, malware outbreaks, intrusion
attempts). Ensure that these alerts are routed to the appropriate
personnel (security team, incident response team) for immediate
action.

• Incident Handling Procedures

o Incident Playbooks: Review incident response playbooks specific to

firewall and UTM incidents. These playbooks should outline the steps
for responding to breaches, malware detections, or policy
violations.

o Post-Incident Analysis: Ensure logs and incident data are

captured and preserved for forensic analysis after an incident.
This data is critical for understanding how the incident
occurred and preventing recurrence.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

16. Vulnerability Scanning G Penetration Testing

• Automated Vulnerability Scans

o Regular Scans: Ensure that the UTM device performs automated

vulnerability scans on network traffic and devices. These scans help
identify potential vulnerabilities within the network, including
weak configurations or outdated software.

o Vulnerability Mitigation: Review scan results regularly and verify that

any identified vulnerabilities are patched or mitigated in a timely
manner. High-risk vulnerabilities should be addressed
immediately.

• Penetration Testing

o External G Internal Tests: Conduct penetration tests from both

external (internet-facing) and internal perspectives to identify
weaknesses in firewall/UTM configurations. Pen tests can
simulate real-world attacks to identify vulnerabilities not
captured by automated scans.

o Remediation G Follow-Up: Ensure that all findings from penetration

tests are remediated promptly. Regular retesting should follow
remediation to verify that issues have been properly fixed.

17. BYOD (Bring Your Own Device) Policy Enforcement

• Device Access Controls

o NAC (Network Access Control): Confirm that the UTM or integrated

Network Access Control (NAC) solution enforces BYOD policies. Only
authorized devices should be allowed to connect to the network,
with unregistered or unknown devices redirected to guest or
quarantine networks.
o Device Posture Checks: Ensure that security posture checks (e.g., up-
to-date antivirus, operating system patches) are performed on
BYOD devices before granting them access to corporate resources.

• Network Segmentation

o BYOD Segmentation: Separate BYOD devices onto distinct VLANs or

network segments. This limits their access to sensitive resources and
minimizes the risk of spreading malware from less secure personal
devices.

18. Mobile Device Management (MDM) Integration

• MDM Enforcement

o MDM Policy Integration: Verify that the UTM integrates with Mobile
Device Management (MDM) solutions to enforce security policies
on mobile devices. This should include encryption, screen lock,
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

remote wipe, and app control.

o Non-MDM Devices: Ensure that devices not managed by the MDM

system (or failing MDM policy checks) are blocked or restricted
from accessing critical corporate networks.

1G. Data Loss Prevention (DLP)

• DLP Configuration

o Sensitive Data Monitoring: Ensure that Data Loss Prevention (DLP)

policies are enabled on the UTM to monitor traffic for sensitive
information (e.g., Personally Identifiable Information (PII), credit card
numbers, intellectual property). Configure DLP rules to block or alert
on the transmission of such data.

o Custom DLP Policies: Create custom DLP rules to reflect the specific
needs of your organization. For example, you may want to protect
proprietary product designs or client records.

• DLP Reporting G Response

o Incident Logging: Ensure that all DLP incidents are logged, including
the source, destination, and nature of the attempted data transfer.
Review logs for trends or potential breaches.

o Response Protocols: Set up automatic responses to certain DLP

violations, such as alerting the security team, blocking the
offending transmission, or quarantining the source device.

20. Compliance Checks

• Industry Compliance

o Regulatory Alignment: Ensure that the firewall/UTM device

configuration and policies align with relevant industry regulations
and standards (e.g., PCI-DSS, HIPAA, GDPR, SOX). Verify compliance
by conducting regular audits and assessments.
o Audit Logs: Ensure that audit logs meet the specific requirements
for your industry. These logs must capture all relevant security
events and changes for regulatory review.

• Data Retention

o Retention Policies: Ensure that logs, incident reports, and backup

data retention policies are aligned with regulatory and
compliance requirements. Sensitive data must be stored and
retained securely, for the legally mandated period, before safe
destruction.

21. Business Continuity G Redundancy

• High Availability (HA)

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Failover Systems: Ensure the firewall/UTM is configured in a high

availability (HA) mode, with a failover device ready to take over in
the event of primary device failure. Test failover mechanisms
regularly to confirm they work as expected.

o Load Balancing: Verify that load balancing is configured to

distribute traffic across multiple devices or interfaces, preventing
performance bottlenecks during heavy traffic periods.

• Disaster Recovery (DR)

o Recovery Procedures: Ensure that disaster recovery plans include

step-by-step instructions for recovering firewall and UTM services
after a catastrophic failure or cyber-attack. Test these plans
periodically.

22. Threat Hunting G Forensics

• Proactive Threat Hunting

o Regular Hunts: Establish a regular threat-hunting schedule where

security teams proactively search for hidden threats, such as
malware or lateral movement in the network, instead of waiting
for alerts.

o Hunting Tools: Leverage the advanced monitoring and traffic

analysis tools within the firewall/UTM to assist in threat hunting.
These tools can help detect patterns of advanced persistent threats
(APTs).

• Forensic Data Collection

o Data Retention for Forensics: Ensure that logs, alerts, and network
traffic data are retained for forensic investigations. This data should
be protected from tampering and easily accessible when
conducting incident reviews.

o Forensic Readiness: Maintain a state of forensic readiness by

ensuring that logging, alerting, and auditing systems are capturing
all critical data. This will allow for swift and detailed analysis in case
of a breach.

23. User Training G Awareness

• Administrator Training
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Ensure all administrators are trained on the latest features and

security practices for the firewall/UTM.

• End-User Awareness

o Confirm that end-user security awareness training covers safe

network usage practices, such as identifying phishing attempts
and using secure VPNs.

24. Integration with Other Security Tools

• SIEM Integration

o Ensure proper integration with SIEM (Security Information and

Event Management) tools for real-time log analysis, correlation,
and reporting.

• Endpoint Detection and Response (EDR)

o Validate that firewall/UTM works effectively with EDR

solutions for a comprehensive defense strategy.

Audit Checklist for IPS/IDS

1. Governance G Documentation

• Policies G Procedures

o Security Policy Documentation: Ensure policies are clearly defined

for managing IDS/IPS, including deployment, operations,
monitoring, and incident response.

o Roles G Responsibilities: Validate that the individuals responsible for

IDS/IPS management, such as security analysts, network engineers,
and system administrators, are clearly defined.

o Change Management Process: Review the process for requesting,

approving, and implementing changes to the IPS/IDS configuration.
Are change requests logged and reviewed to prevent unauthorized
modifications?

• System Architecture

o Network Topology Documentation: Verify that a current network

diagram exists that shows where the IPS/IDS is deployed, both in-line
and out-of-band.

o Logical G Physical Layout: Ensure that the system architecture is

fully documented, including the segmentation of network zones
monitored by the IPS/IDS.

o Integration with Other Security Tools: Confirm that the IPS/IDS is

integrated with other components, such as firewalls, SIEMs, and
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

endpoint protection systems.

2. Design G Deployment

• Positioning in the Network

o Strategic Placement: Assess the placement of the IPS/IDS within the
network. For example, is it deployed in the DMZ, at key points
between the internal network and the Internet, or at internal
network segments critical to business operations?

o Host-based vs. Network-based Deployment: Review whether host-

based IDS (HIDS) and network-based IDS (NIDS) are deployed where
appropriate. Are all critical hosts protected by HIDS if required?

• Traffic Visibility

o Full Packet Capture: Ensure the IDS/IPS is monitoring all relevant

traffic. For instance, is encrypted traffic inspected using SSL/TLS
decryption if necessary?

o Blind Spots: Are there areas in the network where traffic is not
visible to the IDS/IPS, such as east-west traffic between virtual
machines or traffic on encrypted tunnels (e.g., VPNs)?

3. Configuration Management

• Baseline Configuration

o Hardening of the System: Are default settings modified according to

security best practices? For example, have unused ports and
services been disabled? Are weak protocols and services disabled
(e.g., Telnet, SNMP v1)?

o Secure Access Control: Ensure that access to IPS/IDS systems is

restricted to authorized personnel only through multi-factor
authentication (MFA) and least- privilege access controls.

• Signature Updates

o Automated Updates: Verify if the system is configured for automated

signature updates or if manual updates are required. Are signatures
reviewed to ensure they are accurate and up-to-date?

o Custom Signatures: Confirm that custom signatures have been

implemented to detect threats specific to the organization's
environment (e.g., industry-specific attacks or insider threats).

• Threshold Settings

o Fine-Tuning Alerts: Check that alert thresholds are configured to

balance between detecting genuine threats and reducing false
positives. Is there a formal review process for tuning these thresholds
based on historical alerts and traffic patterns?
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Severity Levels: Are alerts categorized by severity (e.g., critical, high,

medium, low), and is there a process for prioritizing response actions
based on severity?

4. Monitoring G Detection

• Real-Time Monitoring
o 24/7 Monitoring: Are security analysts monitoring the IPS/IDS 24/7,
or is it integrated into an automated system that provides real-time
alerts? Are there any delays in responding to detected incidents?

o SOC or NOC Integration: Is the IPS/IDS part of the Security Operations

Center (SOC) or Network Operations Center (NOC)? Are logs and
alerts seamlessly integrated with other monitoring tools?

• Alerting Mechanisms

o Notification Mechanisms: Is there an established mechanism for

notifying security teams of critical alerts? Are alerts sent via
multiple channels (email, SMS, ticketing system)?

o Correlation with SIEM: Are IPS/IDS alerts integrated with SIEM tools for
correlation with other network and endpoint events? Are there
automated rules to suppress or escalate alerts?

• Anomaly Detection

o Behavioral Analytics: If the system includes anomaly detection

(behavior- based or heuristic), is it enabled? Are there defined
baselines for network behavior, and does the system learn and adapt
to changing network conditions?

o Zero-Day Protection: Does the IPS/IDS have the capability to detect

zero-day threats, either through machine learning algorithms,
behavioral heuristics, or sandboxing techniques?

5. Incident Response

• Response Plan

o Incident Handling Procedures: Review documented procedures for

handling alerts generated by the IPS/IDS. Are actions such as
containment, eradication, and recovery clearly defined for different
types of threats?

o Escalation Protocols: Are there clear protocols for escalating alerts to

higher- level security staff or management based on threat
severity?

• Containment

o Blocking and Ǫuarantine Capabilities: Assess whether the IPS can

block attacks in real-time by either blocking malicious traffic or
quarantining affected hosts. Are automated blocking rules in place
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

for critical threats?

o Integration with Firewalls: Verify that the IPS can communicate with
firewalls or other devices to block traffic or isolate hosts dynamically.

• Forensics

o Log Retention: Are logs from the IPS/IDS stored in a secure,

tamper-proof location for forensic analysis? Are logs retained for a
period compliant with regulatory requirements (e.g., 90 days, 1
year)
o Investigation Tools: Are there tools or processes in place for
extracting and analyzing log data to investigate incidents?

6. Performance G Availability

• System Performance

o Performance Monitoring: Review how the system’s performance is

monitored to prevent degradation of network traffic. Are there
performance benchmarks for normal operation?

o Latency Metrics: Measure the latency introduced by the IPS when

inspecting traffic. Is the added latency acceptable to the
organization’s needs, especially for critical applications (e.g., VoIP)?

• Redundancy G Failover

o High Availability: Is there a redundancy or failover solution for the

IPS/IDS Are primary and backup systems tested regularly to ensure
seamless operation during an outage or failure?

o Load Balancing: Are load balancing mechanisms in place to

distribute traffic across multiple IPS/IDS sensors, ensuring that no
single sensor is overwhelmed by traffic?

• Latency

o Minimal Disruption: Validate that the IPS/IDS does not introduce

significant latency or packet loss, particularly when deployed
inline. Are latency and throughput metrics regularly reviewed to
maintain optimal performance?

7. Logging G Reporting

• Log Management

o Centralized Log Collection: Are all IPS/IDS logs sent to a centralized

logging server or SIEM for aggregation and long-term storage? Is there
encryption for log data in transit and at rest?

o Log Integrity: Ensure logs are protected from tampering, deletion,

or unauthorized access. Is there a mechanism to audit the integrity
of the logs?
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Audit Logs

o Change Logs: Are all configuration changes, including rule

updates and signature modifications, logged? Are
unauthorized or suspicious changes flagged for review?

o Access Control Logs: Are access attempts to the IPS/IDS devices and
consoles logged? Are failed access attempts flagged for follow-up?

• Reporting

o Regular Reports: Are detailed reports on detected threats, system

health, and performance generated and distributed to key
stakeholders? Are these reports tailored to various audiences (e.g.,
technical, executive management)
o Compliance Reports: Does the reporting framework meet
regulatory requirements (e.g., PCI-DSS, HIPAA, GDPR) for
security monitoring?

8. Testing G Validation

• Penetration Testing

o Effectiveness Testing: Have external penetration testers or internal

red teams tested the effectiveness of the IPS/IDS? Are test results
used to update detection signatures, policies, or configurations?

o Periodic Testing: How frequently are penetration tests

conducted (e.g., annually, quarterly)? Are simulations of real-
world attacks (e.g., DDoS, ransomware) conducted?

• Vulnerability Scans

o Internal and External Scans: Are regular vulnerability scans performed

on the IPS/IDS to ensure it is not vulnerable to known threats? Are
scans also conducted on the broader network to verify the IPS/IDS's
ability to detect those vulnerabilities?

o Patch Management: Are patches applied in a timely manner to fix

vulnerabilities in the IPS/IDS software or firmware?

• False Positive/Negative Tuning

o Continuous Improvement: Are there ongoing efforts to reduce false

positives and false negatives? Is historical data on false alerts
reviewed and used to improve detection accuracy?

G. Compliance G Regulatory Requirements

• Regulatory Compliance

o Adherence to Standards: Verify that the IPS/IDS is configured and

operating in compliance with relevant regulations (e.g., PCI-DSS,
SOX, HIPAA). Are regular audits performed to validate compliance?
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Audit Trail: Is the IPS/IDS capable of producing audit trails

required for regulatory compliance (e.g., access logs, change
management records)?

• Data Protection

o Privacy and Encryption: Ensure that monitoring of encrypted

traffic (e.g., HTTPS) complies with data privacy laws. Are proper
encryption and key management practices followed during
data inspection and storage?

10. Training G Awareness

• Staff Training

o Training on IPS/IDS Management: Are security staff regularly trained

on the proper use, monitoring, and management of the IPS/IDS? Are
new employees trained promptly on system use?
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Scenario-based Training: Are staff trained using simulated attack

scenarios to enhance their incident response skills when dealing
with IPS/IDS alerts?

• Awareness of Threat Landscape

o Threat Intelligence Integration: Are security staff updated on new

attack vectors, advanced persistent threats (APTs), and zero-day
vulnerabilities? Are these threat intelligence feeds integrated into
the IPS/IDS configuration?

11. Integration with Other Security Tools

• SIEM Integration

o Centralized Monitoring: Confirm the integration of IPS/IDS logs with

the organization's SIEM. Are events correlated with other security
sources like firewalls and endpoint detection systems for
comprehensive threat detection?

o Automated Playbooks: Are automated responses triggered by SIEM

correlation (e.g., isolating a compromised host based on an IDS
alert)?

• Firewall Integration

o Automated Blocking: Review whether the IPS is integrated with

firewalls to dynamically block traffic based on detected threats. Are
there predefined rules to block critical threats immediately?

• Endpoint Security

o Coordination with EDR: Is the IPS/IDS integrated with endpoint

detection and response (EDR) solutions to coordinate actions
between network-based and host-based monitoring?

12. Vendor Management

• Support G Maintenance Contracts

o Vendor Support: Are vendor support contracts in place for the

IPS/IDS? Is support easily accessible for troubleshooting or
emergency situations?

o Firmware G Software Updates: Are service-level agreements (SLAs)

reviewed to ensure timely updates, patches, and support from
vendors?

• Third-Party Audits

o Independent Reviews: Has the IPS/IDS been reviewed by a third-party

auditor or security consultant? Are results from these audits used to
improve the system?

Audit Checklist for Web Application Firewall (WAF)

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

1. Policy G Governance

1.1 WAF Deployment Strategy

• Documentation:
o Ensure a formal policy is in place for WAF deployment, including
objectives, scope, and roles. Review the documentation for
comprehensiveness.

o Verify whether the WAF deployment strategy aligns with business

objectives, security policies, and compliance requirements (e.g., PCI
DSS, HIPAA, GDPR).

• Security Requirements:

o Confirm that the WAF addresses both business and security

requirements, especially regarding data protection, traffic
management, and regulatory compliance.

• Stakeholder Approval:

o Verify that security leadership and relevant business stakeholders

(e.g., application owners) have approved the WAF deployment and
usage strategy.

1.2 Change Management Process

• Process Validation:

o Review the process for WAF configuration and rule changes.

Ensure that any updates go through a documented change
management process.

o Verify that rule changes (addition, removal, or modification) undergo

proper risk assessment, authorization, and testing before being
deployed to production.

• Audit Trail:

o Ensure that all changes made to the WAF are logged and can be
traced back to the individual who made the change.

1.3 Access Control

• RBAC (Role-Based Access Control):

o Review how access to the WAF management interface is controlled.

Verify that different access levels (admin, read-only, etc.) are in place
depending on the user's role.

• User Access Review:

o Conduct periodic access reviews to ensure that only authorized

personnel have access to the WAF configuration.

• Privileged Access Management:

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Ensure that privileged access (e.g., administrators) follows strict

access control policies, including MFA (Multi-Factor Authentication).

2. WAF Configuration

2.1 Default Settings Review

• Removal of Defaults:
o Ensure that default settings such as admin credentials and default
rule sets have been modified.Review the WAF vendor's
recommendations for secure configuration, and verify compliance.

• Baseline Configuration:

o Validate that a baseline configuration for the WAF is documented.

This baseline should serve as a reference for comparing the current
state of the WAF.

2.2 SSL/TLS Support

• Certificate Management:

o Verify that all SSL/TLS certificates used by the WAF are up-to-date and
signed by trusted Certificate Authorities (CAs).

o Ensure that key lengths and algorithms used are secure (e.g., 2048-
bit RSA or better).

• SSL/TLS Encryption:

o Check whether strong encryption ciphers and protocols (e.g., TLS

1.2/1.3) are enforced for HTTPS traffic passing through the WAF.

o Confirm whether SSL inspection is enabled to inspect encrypted

traffic for malicious content.

2.3 WAF Modes

• Blocking vs. Monitoring:

o Ensure that the WAF is operating in the correct mode for each
environment (e.g., monitoring in test environments, blocking in
production).

• Switching Modes:

o Document the criteria and process for switching between modes,

including the approval process and testing before changes.

2.4 Custom Rules

• Rule Optimization:

o Review the custom rules to ensure they are optimized for

the specific application, balancing security and
performance.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Rule Testing:

o Ensure that custom rules undergo rigorous testing to reduce false

positives and false negatives. Document the test cases.

• Rule Review:

o Establish a regular review schedule for custom rules, making sure

they reflect current threats and traffic patterns.

3. Security Controls

3.1 Threat Detection G Protection

• Vulnerability Coverage:

o Ensure that the WAF is configured to protect against the

OWASP Top 10 vulnerabilities, such as:

▪ SǪL Injection

▪ Cross-Site Scripting (XSS)

▪ Cross-Site Request Forgery (CSRF)

▪ Security Misconfigurations

o Review the WAF rule sets that target these vulnerabilities and
ensure they are active and correctly configured.

• Threat Intelligence Feeds:

o Check if the WAF leverages threat intelligence feeds to dynamically

update its rules for emerging threats (e.g., zero-day vulnerabilities).

• False Positives/Negatives:

o Regularly review logs for false positives (legitimate traffic blocked)

and false negatives (malicious traffic allowed), and adjust rules
accordingly.

3.2 Bot Protection

• Bot Detection:

o Verify whether the WAF can detect and block malicious bots,
scraping, or automated attacks.

o Review CAPTCHAs or JavaScript challenges configured for suspicious

traffic.
• Behavioral Analysis:

o Ensure that advanced bot protection is enabled (if supported), which

leverages behavioral analysis to distinguish legitimate users from
bots.

3.3 Rate Limiting

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Thresholds:

o Verify that rate-limiting policies are in place to limit the number of

requests from specific IPs or users, protecting against abuse (e.g., API
abuse, brute force attacks).

• Rate-Limit Testing:

o Test the WAF’s ability to throttle traffic correctly, ensuring legitimate

traffic is not impacted.

4. Logging G Monitoring

4.1 Traffic Monitoring

• Comprehensive Logging:
o Ensure that the WAF logs all relevant HTTP/S traffic, including details
such as IP address, request type, headers, and body (if required).

• Sensitive Data Handling:

o Ensure that the logging mechanism avoids capturing sensitive

data (e.g., passwords, credit card information).

4.2 Log Retention

• Retention Policies:

o Review log retention policies and ensure they comply with internal
and external requirements (e.g., PCI DSS mandates a minimum of one
year of log retention).

• Log Backup:

o Verify that logs are backed up regularly and stored in a secure,

tamper-evident manner.

4.3 Integration with SIEM

• SIEM Integration:

o Ensure the WAF is integrated with the organization’s SIEM for

centralized log management, correlation, and alerting.

o Verify whether WAF events generate appropriate alerts based on

severity and pre-defined criteria.

4.4 Log Review Process

• Regular Reviews:

o Confirm that security analysts or administrators review WAF logs on a

scheduled basis (e.g., daily or weekly).

• Anomaly Detection:

o Ensure that anomalies or unusual traffic patterns are flagged for

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

immediate review.

5. Performance G Availability

5.1 Scalability

• Capacity Planning:

o Review the WAF's ability to handle peak loads. Verify that it can
scale to accommodate increased traffic without
performance degradation.

• Performance Benchmarks:

o Measure and document the latency introduced by the WAF in

normal and peak traffic scenarios. Ensure that it meets organizational
performance requirements.

5.2 High Availability

• Redundancy Setup:

o Confirm that the WAF is deployed with redundancy in mind (e.g., load
balancing, failover capabilities) to ensure minimal downtime.

• Health Checks:

o Ensure that automatic health checks are in place to detect WAF

failures and trigger failover mechanisms.

5.3 DDoS Protection

• Layer 7 DDoS Protection:

o Verify that the WAF is configured to mitigate Layer 7 DDoS

attacks, such as Slowloris or HTTP floods.

• Traffic Scrubbing:

o If applicable, ensure that traffic scrubbing services or upstream DDoS

protection mechanisms are integrated with the WAF.

6. Regular Maintenance G Updates

6.1 Firmware G Software Updates

• Update Schedule:

o Ensure that firmware and software updates are applied promptly

and follow a documented patch management schedule.

• Change Control for Updates:

o Review the process for testing and deploying updates in a non-

production environment before applying them to production.

6.2 Security Patches

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Patch Priority:

o Ensure that critical security patches are identified and applied

immediately based on their severity and potential impact on the
WAF and web applications.

• Patch Validation:

o Verify whether patches are tested in a staging environment before

deployment to production.

6.3 Rule Updates

• Automatic Rule Updates:

o Verify that the WAF is set to receive and apply vendor-provided rule
updates (if applicable) for new threats.

• Manual Rule Updates:

o Ensure that a process exists for administrators to review and
manually apply critical rule updates when necessary.

7. Testing G Validation

7.1 Penetration Testing

• Test Scope:

o Ensure that the WAF is included in the scope of regular

penetration tests. Validate that it can detect and mitigate the
attacks tested.

• Findings Review:

o Ensure that any findings from penetration tests are addressed,

with lessons learned used to improve WAF configurations.

7.2 Rule Validation

• Test Traffic Simulation:

o Simulate different types of attack traffic (e.g., SǪL injection, XSS) to

verify that the WAF rules are correctly identifying and blocking
threats.

• False Positive/Negative Review:

o Test for false positives (legitimate traffic blocked) and false negatives
(malicious traffic allowed) regularly to fine-tune rule sets.

8. Incident Response

8.1 Alerting

• Real-Time Alerts:

o Ensure the WAF is configured to generate real-time alerts for

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

critical security events such as attempted SǪL injections, XSS, or

DDoS attacks.

o Review alert thresholds to ensure appropriate prioritization.

Critical events should trigger immediate alerts, while less severe
issues might be batched or delayed.

• Alert Delivery:

o Verify that alerts are routed to appropriate channels, such as email,

SMS, or a centralized Security Information and Event Management
(SIEM) system.

o Ensure escalation processes are in place for critical alerts, including

automatic notifications to senior staff or incident response teams.

8.2 Incident Investigation

• Log and Alert Review:

o Ensure that WAF logs and alerts contain sufficient detail (e.g., time,
source IP, request details, rule triggered) to conduct thorough
incident investigations.
o Confirm that investigation workflows are in place for each type of
WAF event, including who is responsible for investigation,
escalation, and remediation.

• Investigation Tools:

o Ensure that tools or dashboards are in place to visualize traffic

patterns, correlate logs, and quickly investigate potential
threats.

8.3 Post-Incident Review

• Root Cause Analysis (RCA):

o Verify that a formal root cause analysis process is in place for security
incidents that involve the WAF. Document findings and lessons
learned.

• Improvement of Rules:

o Ensure that incidents result in improved WAF rules or

configurations. For example, a new attack vector should lead to
updated or new WAF rules.

• Documentation:

o Confirm that incidents, responses, and remediation actions are

documented and filed for future reference and compliance
audits.

G. Third-Party Integrations G Cloud Considerations

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

G.1 Cloud-Based WAF

• Cloud Provider Security:

o Ensure the cloud-based WAF provider complies with security

standards and offers transparency regarding its security practices
(e.g., encryption of data in transit and at rest, incident response
times).

• Service Level Agreements (SLAs):

o Review SLAs with cloud WAF providers to ensure guarantees

around uptime, incident response, and security measures (e.g.,
DDoS protection).

• Data Privacy:

o Confirm that the cloud-based WAF adheres to data privacy

regulations such as GDPR or HIPAA, ensuring data crossing borders
is compliant with local regulations.

G.2 CDN Integration

• Content Delivery Network (CDN) Alignment:

o Ensure that the WAF integrates smoothly with any CDNs being
used. This includes making sure caching policies do not interfere
with WAF rules and that security headers are properly applied to
cached content.

• Edge Protection:
o For cloud WAFs or those working with CDNs, verify that edge
protection mechanisms are aligned to block attacks at the nearest
point of presence (POP) rather than allowing traffic to reach the
application layer.

10. Documentation

10.1 Configuration Documentation

• Complete Configuration Records:

o Ensure that the WAF configuration is fully documented, including

settings for SSL/TLS, custom rules, IP whitelists/blacklists, rate
limits, etc.

o Verify that all changes to the WAF configuration are tracked,

with detailed descriptions of changes, who made them, and
why they were made.

• Version Control:

o Ensure that version control systems are used to track changes to

WAF configurations and rule sets, allowing rollback to previous
configurations when necessary.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

10.2 Security Documentation

• Security Procedures:

o Ensure that the security procedures related to the WAF, such as

rules for configuring access controls, making rule changes, and
monitoring traffic, are documented and regularly updated.

• Incident Response Plans:

o Ensure that there is an incident response plan specifically tailored

for WAF- related incidents (e.g., DDoS attack, WAF
misconfiguration). The plan should include escalation paths and
remediation procedures.

10.3 Compliance and Audits

• Regulatory Documentation:

o Ensure that documentation for compliance with relevant

regulations (e.g., PCI DSS, SOX, HIPAA, GDPR) is maintained and
reviewed regularly.

o Verify that audit trails, including configuration changes, access

logs, and rule changes, are stored securely and available for
periodic audits.

• WAF Usage Policy:

o Ensure that a formal policy regarding WAF usage,

management, and maintenance exists and is approved by the
organization’s security team.

10.4 Training and Awareness

• Admin Training:
o Confirm that administrators and security personnel responsible for
managing and configuring the WAF are trained on its proper use,
including rule creation, monitoring, and incident response.

• Ongoing Education:

o Verify that personnel receive ongoing training to stay updated on

new features, threats, and best practices related to the WAF and its
integration with other security tools.

11. Continuous Improvement G Feedback Loop

11.1 Rule Adjustment Process

• Dynamic Rule Updates:

o Ensure that a process is in place for dynamically adjusting rules

based on new threats, application changes, and false-
positive/negative rates.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• User Feedback:

o Establish feedback loops where users (e.g., application teams,

security engineers) can report issues related to the WAF, such as
blocked legitimate traffic or undetected attacks.

11.2 Performance and Security Metrics

• KPIs for WAF Effectiveness:

o Define and track key performance indicators (KPIs) to evaluate

WAF effectiveness, including metrics like the number of
blocked attacks, false- positive rates, response times to
incidents, and rule efficacy.

• Benchmarking:

o Regularly benchmark the WAF's performance against industry

standards or other WAF implementations within the
organization.

11.3 Compliance Review

• Regulatory Audits:

o Schedule periodic compliance reviews to ensure that the WAF

meets the organization's internal security policies as well as any
applicable external regulatory frameworks.

• Audit Trail Review:

o Confirm that all audit trails are regularly reviewed for discrepancies
or signs of tampering, ensuring full accountability for WAF
changes and actions.

12. Final Security Auditing and Testing

12.1 Third-Party Audits

• Independent Review:
o Engage third-party security auditors to assess the WAF's security
controls, configuration, and rule sets to identify weaknesses or
misconfigurations.

o Ensure audit findings are documented and incorporated into the

continuous improvement process.

12.2 Testing and Validation

• Regular Security Testing:

o Ensure the WAF undergoes regular security testing, including

vulnerability scanning and penetration testing, to identify
potential gaps in its defense.

• WAF Rule Effectiveness Testing:

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Simulate real-world attacks (e.g., SǪL injection, cross-site

scripting) in test environments to validate the WAF’s ability to
detect and block such threats.

• Performance Testing:

o Perform stress tests to evaluate how the WAF handles high traffic
volumes, both legitimate and malicious, and determine any
potential performance bottlenecks.

Audit Checklist for Load Balancer

1. Architecture and

Deployment Topology Review

• Network Placement

o Verify that the load balancer is placed in an appropriate network

segment (e.g., DMZ for public-facing services or internal network for
internal applications).

o Ensure proper network segmentation to isolate the load balancer

from other critical infrastructure.

• Integration with Firewalls and DMZ

o Confirm that firewall rules are configured to allow only necessary

traffic to and from the load balancer.

o Check that the load balancer's placement supports the

organization's security architecture and compliance requirements.

Redundancy and High Availability

• HA Configuration

o Ensure that the load balancer is deployed in an HA configuration, with

redundant instances or nodes.

o Verify the configuration of failover mechanisms (e.g., active-active

or active- passive) to ensure seamless transition in case of failure.

• Failover Testing
o Regularly test failover and failback procedures to confirm that they
function as expected without impacting service availability.

• Geographical Distribution

o For global load balancers, ensure proper configuration of geo-

distributed instances to handle traffic across different regions and
provide resilience against regional outages.

2. Configuration

Management Configuration
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

Backup

• Backup Automation

o Implement automated backup processes for the load balancer’s

configuration to ensure regular and consistent backups.

o Verify that backups are encrypted and stored securely to

protect against unauthorized access.

• Backup Testing

o Periodically test backup restoration to ensure that

configurations can be restored correctly and promptly in case
of a failure.

Change Control

• Change Management Process

o Ensure that changes to the load balancer’s configuration are

documented, reviewed, and approved according to the
organization's change management policies.

• Version Control

o Use version control for configuration files to track changes and

facilitate rollback if needed.

• Change Verification

o Verify that changes are applied correctly and do not introduce

vulnerabilities or misconfigurations.

3. Access

Controls

Authentication

• Multi-Factor Authentication (MFA)

o Enforce MFA for all administrative access to the load balancer to

add an extra layer of security.

• Centralized Authentication

o Integrate with centralized authentication systems (e.g., LDAP, Active

Directory) to manage and monitor access consistently.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

Role-Based Access Control (RBAC)

• Role Definition

o Define roles and permissions based on job functions, ensuring that

users only have access to the features and data necessary for their
roles.

• Access Reviews

o Conduct regular reviews of user roles and permissions to ensure

compliance with the principle of least privilege.

Session Management

• Timeout Settings

o Configure session timeout settings for administrative sessions to

minimize the risk of unauthorized access due to unattended
sessions.

• Session Logging

o Ensure that session activity, including login attempts and session

terminations, is logged and monitored.

4. Network

Security SSL/TLS

Configuration

• Protocol and Cipher Suite Configuration

o Configure strong SSL/TLS protocols and cipher suites to protect data

in transit. Disable weak protocols (e.g., SSLv3) and cipher suites.

• Certificate Management

o Regularly renew and manage SSL/TLS certificates to prevent

expiration and ensure trustworthiness.

• Certificate Validation

o Ensure that SSL/TLS certificates are validated and that certificate

chains are complete and trusted.

Virtual IP Configuration

• VIP Usage

o Verify that virtual IP addresses (VIPs) are configured correctly and

securely, with appropriate access controls in place.

• Service Exposure

o Ensure that only necessary services are exposed through VIPs and that
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

access is restricted to authorized users.

Firewall Rules

•Rule Configuration
Review and configure firewall rules to allow only the necessary traffic to and from the
load balancer.
• Traffic Filtering

o Implement traffic filtering to block malicious or unauthorized traffic,

and review rules regularly to adapt to changing threats.

5. Application
Security

Web Application Firewall (WAF) Integration

• WAF Configuration

o Ensure that the Web Application Firewall (WAF) is properly

integrated with the load balancer and configured to protect against
common web threats (e.g., SǪL injection, cross-site scripting).

• Rule Updates

o Regularly update WAF rules and signatures to address new

vulnerabilities and attack vectors.

Content Filtering

• Filtering Rules

o Configure content filtering rules to prevent the transmission of

malicious or inappropriate content through the load balancer.

• Regular Reviews

o Review and update filtering rules based on emerging threats and

changes in application requirements.

Secure Cookies

• Cookie Flags

o Ensure that cookies are configured with security flags (e.g., HttpOnly,
Secure) to protect against cross-site scripting (XSS) and other
attacks.

• Cookie Management

o Review cookie policies and settings to ensure they align with best
practices for security and privacy.

6. Load Balancing and Health

Checks Session Persistence

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Configuration Review

o Verify that session persistence (also known as session affinity) is

configured based on application requirements to ensure that
users are consistently directed to the same backend server.

• Performance Impact
o Assess the performance impact of session persistence on load
balancing efficiency and server resource usage.

Load Balancing Algorithms

• Algorithm Selection

o Review and select appropriate load balancing algorithms (e.g.,

round-robin, least connections, IP hash) based on the
application’s traffic patterns and requirements.

• Algorithm Configuration

o Ensure that the chosen algorithm is configured correctly and

optimized for performance.

Health Checks

• Configuration

o Configure health checks to monitor the status of backend servers

and ensure that traffic is only directed to healthy servers.

• Thresholds and Intervals

o Set appropriate thresholds and intervals for health checks to

balance responsiveness and resource utilization.

7. Logging and

Monitoring Centralized

Logging

• Log Aggregation

o Ensure that logs from the load balancer are aggregated into a
centralized logging system for easier analysis and correlation.

• Log Formats

o Verify that logs are formatted consistently and include relevant

information for security analysis (e.g., timestamps, source IPs,
request details).

Log Retention

• Retention Policies

o Implement log retention policies that comply with regulatory

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

requirements and organizational needs, ensuring logs are stored

securely for the required duration.

• Archiving

o Archive logs securely and ensure they are accessible for forensic
analysis if needed.

Monitoring and Alerting

• Monitoring Tools
o Deploy monitoring tools to track load balancer performance metrics
(e.g., traffic volume, response times) and security events.

• Alert Configurations

o Configure alerts for critical events (e.g., high traffic spikes, failed health
checks) and establish thresholds for timely notifications.

Intrusion Detection

• IDS/IPS Integration

o Integrate intrusion detection/prevention systems (IDS/IPS) to

monitor and respond to suspicious traffic patterns and
potential attacks.

• Anomaly Detection

o Implement anomaly detection mechanisms to identify unusual or

potentially harmful behavior.

8. DDoS Protection

Traffic Throttling and Rate Limiting

• Configuration

o Implement traffic throttling and rate limiting to mitigate the

impact of DDoS attacks by controlling the rate of incoming
traffic.

• Policy Review

o Review and adjust throttling and rate limiting policies based on

current threat levels and traffic patterns.

DDoS Protection Mechanism

• Protection Services

o Utilize DDoS protection services (e.g., Cloudflare, AWS Shield) to

provide additional layers of defense against large-scale
attacks.

• Configuration Verification
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Ensure that DDoS protection mechanisms are correctly

configured and integrated with the load balancer.

Layer 7 DDoS Mitigation

• Application Layer Protection

o Implement application layer protections to defend against more

sophisticated DDoS attacks targeting application logic and
functionality.

• Mitigation Strategies

o Develop and test mitigation strategies for Layer 7 DDoS attacks,

such as rate limiting, challenge-response tests, and CAPTCHA.
G. Security Patching

Firmware and Software

Updates

• Patch Management

o Establish a patch management process to ensure timely application

of firmware and software updates for the load balancer.

• Patch Testing

o Test patches in a staging environment before deployment to ensure

they do not introduce new issues.

Vulnerability Management

• Vulnerability Scanning

o Conduct regular vulnerability scans to identify and address security

weaknesses in the load balancer and its components.

• Remediation

o Develop and implement remediation plans for identified

vulnerabilities, prioritizing based on risk and impact.

10. Compliance and

Documentation Compliance

Standards

• Regulatory Requirements

o Ensure that the load balancer is configured to meet relevant

compliance standards (e.g., PCI DSS for payment systems, HIPAA
for healthcare data).

• Audit Readiness
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Prepare for compliance audits by maintaining documentation and

evidence of adherence to regulatory requirements.

Audit Logs

• Log Review

o Regularly review audit logs to ensure they provide a complete

record of load balancer activities and compliance with security
policies.

• Evidence Collection

o Collect and retain evidence of security controls and compliance

measures for audit purposes.

Documentation

• Configuration Documentation
o Maintain detailed documentation of the load balancer’s
configuration, including network settings, security policies, and
operational procedures. Ensure it is regularly updated.

• Process and Procedure Documentation

o Document processes and procedures related to load balancer

management, including deployment, maintenance, and incident
response.

• Version History

o Keep a version history of documentation to track changes and

updates over time.

11. Failover and Disaster

Recovery Disaster Recovery Plan

• Plan Documentation

o Develop a comprehensive disaster recovery plan that includes

detailed steps for recovering the load balancer and associated
infrastructure in the event of a major failure.

• Recovery Objectives

o Define recovery time objectives (RTO) and recovery point objectives

(RPO) for the load balancer to ensure acceptable downtime and
data loss in disaster scenarios.

Failover Testing

• Test Scenarios

o Regularly test failover scenarios to ensure that the load balancer can
switch to a backup instance or configuration seamlessly in case of
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

failure.

• Test Documentation

o Document test results, including any issues encountered and

actions taken, to improve the failover process and disaster recovery
plan.

Backup Configurations

• Backup Procedures

o Ensure that backup procedures include regular snapshots of

load balancer configurations and any related data.

• Secure Storage

o Store backups securely, preferably in a different geographic location,

to protect against data loss due to localized disasters.

12. Performance and Capacity

Planning Performance Tuning

• Optimization

o Fine-tune load balancer settings (e.g., connection timeouts,

maximum connections) to optimize performance based on traffic
patterns and application requirements.

• Performance Monitoring

o Continuously monitor performance metrics such as latency,

throughput, and resource utilization to identify and address
performance bottlenecks.

Capacity Planning

• Traffic Analysis

o Analyze historical traffic patterns and growth trends to forecast

future capacity needs and plan for scaling.

• Resource Allocation

o Allocate resources (e.g., CPU, memory) based on anticipated

traffic and performance requirements to ensure that the load
balancer can handle peak loads.

Traffic Analysis

• Historical Data

o Review historical traffic data to identify trends and potential future

demands. Use this information to adjust load balancer
configurations and scaling plans.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Usage Patterns

o Analyze usage patterns to understand peak times and adjust load

balancing algorithms and configurations accordingly.

13. Third-Party Integration and API

Security API Security

• Authentication and Authorization

o Ensure that APIs used to manage the load balancer are secured
with strong authentication (e.g., API keys, OAuth) and proper
authorization mechanisms.

• Rate Limiting

o Implement rate limiting on APIs to prevent abuse and ensure that

legitimate requests are processed efficiently.

Third-Party Services

• Security Assessments

o Conduct security assessments of third-party services integrated

with the load balancer to ensure they meet security standards and
do not introduce vulnerabilities.
• Contractual Security Clauses

o Review and ensure that third-party contracts include

appropriate security clauses and compliance requirements.

14. Operational

Procedures Incident

Response Plan

• Plan Development

o Develop a detailed incident response plan specifically for load

balancer issues, outlining steps for detection, containment,
eradication, and recovery.

• Roles and Responsibilities

o Clearly define roles and responsibilities for each team member

involved in incident response, including communication
protocols and escalation procedures.

• Incident Simulation

o Conduct regular incident simulation exercises to test and refine

the incident response plan, ensuring that team members are
familiar with their roles and procedures.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

Operational Support

• Support Procedures

o Establish clear procedures for operational support, including

troubleshooting, maintenance, and escalation processes.

• Documentation

o Document common issues and resolutions to facilitate quicker

problem-solving and knowledge sharing.

15. Security Policies and

Procedures Policy Review

• Policy Creation

o Develop comprehensive security policies specific to the load

balancer, covering areas such as access control, data protection, and
configuration management.

• Review Schedule

o Schedule regular reviews of security policies to ensure they remain

relevant and effective in addressing emerging threats and
compliance requirements.

• Policy Enforcement

o Implement mechanisms to enforce security policies, including

automated tools and manual checks.

Training and Awareness

• Training Programs

o Develop and deliver training programs for staff involved in managing

or using the load balancer, covering topics such as security best
practices, incident response, and policy compliance.

• Awareness Campaigns

o Conduct regular security awareness campaigns to keep staff

informed about current threats and best practices for load
balancer security.

16. Data

Protection Data

Encryption

• Encryption Standards

o Use industry-standard encryption algorithms (e.g., AES-256) for

protecting data at rest and in transit. Ensure encryption
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

configurations are correctly applied.

• Key Management

o Implement a secure key management process, including key

generation, storage, rotation, and destruction.

Data Privacy

• Privacy Impact Assessments

o Conduct privacy impact assessments to identify and mitigate risks

associated with the collection and processing of personal data
through the load balancer.

• Data Access Controls

o Implement access controls to ensure that personal data is only

accessible to authorized users and systems.

17. Scalability and Performance

Testing Load Testing

• Test Planning

o Develop a comprehensive load testing plan that includes

different traffic scenarios and stress levels to evaluate the load
balancer’s performance.

• Result Analysis

o Analyze load testing results to identify potential bottlenecks and

performance issues. Use the findings to optimize the load
balancer’s configuration and capacity.

Scalability Testing

• Scaling Scenarios

o Test both vertical and horizontal scaling scenarios to ensure that

the load balancer can handle increased traffic and resource
demands.
• Auto-Scaling Validation

o Verify that auto-scaling mechanisms are configured correctly

and respond appropriately to changes in traffic.

18. Backup and

Recovery Backup

Verification

• Testing Procedures

o Regularly test backup procedures to ensure that configurations and

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

data can be restored successfully. Document and address any issues

discovered during testing.

• Backup Frequency

o Ensure that backup frequency aligns with the criticality of the load
balancer and its data, balancing between data protection and
storage costs.

Disaster Recovery Drills

• Drill Scenarios

o Conduct disaster recovery drills using various failure scenarios

to test the effectiveness and readiness of the disaster recovery
plan.

• Plan Refinement

o Refine the disaster recovery plan based on drill outcomes and

feedback, addressing any gaps or weaknesses identified.

1G. Advanced Threat

Detection Behavioral Analysis

• Anomaly Detection

o Implement anomaly detection systems to identify unusual traffic

patterns or behaviors that may indicate a security threat.

• Baseline Establishment

o Establish baseline metrics for normal behavior to enhance the

accuracy of anomaly detection and reduce false positives.

Threat Intelligence

• Integration

o Integrate threat intelligence feeds with monitoring systems to stay

informed about new and emerging threats relevant to the load
balancer.

• Threat Analysis

o Regularly analyze threat intelligence reports to update security

measures and defenses based on current threat landscapes.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

20. Documentation and

Reporting Detailed

Documentation

• Configuration Records

o Maintain detailed records of all load balancer configurations,

including network settings, security controls, and operational
procedures.

• Change Logs

o Keep comprehensive change logs to track modifications to

configurations, policies, and procedures.

Audit Reports

• Audit Planning

o Plan and conduct regular security audits to assess the load

balancer’s compliance with security policies and standards.

• Reporting Findings

o Document audit findings, including any identified

vulnerabilities or non- compliance issues, and develop action
plans to address them.

Compliance Reporting

• Regulatory Reporting

o Generate reports to demonstrate compliance with relevant

regulations and standards, including detailed evidence of
security controls and practices.

• Internal Reporting

o Provide regular internal reports on the load balancer’s security

posture and compliance status to stakeholders and
management.

21. Vendor and Third-Party Risk

Management Vendor Assessments

• Security Reviews

o Conduct security assessments of vendors providing load balancer

hardware or software to ensure they meet your security
requirements.

• Third-Party Audits

o Review third-party audit reports and certifications to verify the

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

security posture of external vendors and service providers.

Third-Party Contracts

• Contractual Clauses

o Ensure that third-party contracts include security clauses that

address data protection, access control, and incident response.
• Compliance Clauses

o Include compliance requirements in third-party contracts to ensure

adherence to relevant regulations and standards.

22. Configuration

Hardening Minimize Attack

Surface

• Service Minimization

o Disable unnecessary services, ports, and features to reduce the

attack surface of the load balancer.

• Default Settings

o Review and change default settings to more secure configurations,

following best practices and organizational policies.

Secure Configuration

• Hardening Guidelines

o Apply security hardening guidelines specific to the load

balancer, such as disabling debug modes and enforcing strong
authentication.

• Regular Reviews

o Regularly review and update configurations to address emerging

threats and vulnerabilities

Audit Checklist for Active Directory

1. Accounts G Permissions

User Accounts

• Verify no inactive accounts (disable or remove inactive user accounts).

• Ensure no duplicate user accounts.

• Ensure unique usernames are used.

• Confirm password policies (length, complexity, expiration) align with

security standards.

• Review last logon dates and ensure they are recent for active accounts.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Ensure service accounts have strong passwords and minimal

privileges. Group Policies C Membership

• Review privileged groups (Administrators, Domain Admins, Enterprise

Admins, etc.) for unnecessary memberships.

• Ensure least privilege principle is applied across group memberships.

• Check for nested groups and ensure correct permissions are inherited.
• Verify that group policies are applied based on role and security

needs. Administrative Access

• Limit membership of Domain Admins and Enterprise Admins to a minimum.

• Ensure there is a separation of duties between standard and privileged

accounts.

• Review access for remote administration tools and ensure only trusted
systems have this capability.

2. Policies G Settings

Password Policies

• Verify minimum password length (at least 8-12 characters).

• Confirm password complexity requirements (uppercase, lowercase,

numbers, symbols).

• Enforce password expiration (recommend 60-90 days).

• Check account lockout policy (e.g., lockout after 3-5 failed login attempts).

• Ensure password history is enabled to prevent reuse of old

passwords. Audit Policies

• Ensure that audit policies are enabled for user login attempts (successful and
failed).

• Verify that group policy changes, and privilege use are logged.

• Ensure PowerShell logging and script execution auditing is

enabled. User Rights Assignment

• Review user rights (via Local Security Policies or Group Policy) for sensitive
operations like:

o Backup/Restore
o Debug Programs
o Log on as a service
o Log on locally
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Access from the network

3. Group Policy Objects (GPOs)

Group Policy Hardening

• Review GPOs for enforcing security baselines.

• Confirm that administrative template policies are configured to secure

workstations and servers.

• Ensure GPOs are applied appropriately to Organizational Units (OUs).

• Check for loopback policy processing where needed.

• Ensure password policies are properly applied at the

domain level. GPO Permissions

• Review GPO permissions to ensure only authorized users can create, edit,
or delete GPOs.

• Ensure GPO delegation is restricted to trusted administrators.

4. AD Security Configurations

DNS C AD Replication

• Ensure DNS settings are correctly configured for redundancy and security.

• Verify replication is working across all domain controllers.

• Ensure replication schedules are efficient and

secure. Domain Controllers

• Ensure all domain controllers are up-to-date with patches.

• Verify NTLM usage is minimized and not used for sensitive systems
(enforce use of Kerberos).

• Ensure time synchronization is configured correctly

via NTP. AD Schema C Structure

• Review the AD schema to ensure no unnecessary extensions or modifications.

• Confirm OUs and containers are organized logically (users, devices, etc.).

• Ensure AD sites and services are configured for proper replication.

5. Security G Monitoring

Logging C Monitoring

• Ensure security event logging is enabled on all domain controllers.

• Review event logs for suspicious activity (e.g., multiple login failures, changes
to group memberships).
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Ensure SIEM integration for real-time log analysis.

• Enable logging of AD changes (via tools like AD Audit or native AD

auditing). Backup C Disaster Recovery

• Ensure regular backups of the AD database and system state.

• Test restoration of backups periodically.

• Ensure domain controller redundancy (geographically

distributed). Security Tools

• Implement tools like LAPS (Local Administrator Password Solution) to

manage local admin passwords.

• Utilize Microsoft Advanced Threat Analytics (ATA) or Azure AD Identity

Protection for proactive threat detection.

6. Patch Management G Updates

• Verify that all domain controllers, servers, and connected devices are updated
with the latest security patches.

• Ensure critical updates are applied automatically or as soon as possible.

• Monitor for any vulnerabilities in Microsoft advisories related to Active

Directory components.

7. Additional Security Controls

Multi-Factor Authentication (MFA)

• Enforce MFA for all administrative accounts.

• Enable MFA for sensitive user accounts, especially those with access to

critical data. Privileged Access Management (PAM)

• Implement PAM solutions to control and audit access to privileged accounts.

• Ensure privileged accounts are only used for administrative purposes and
not for daily tasks.

Service Accounts Management

• Use managed service accounts to simplify password management

for service accounts.

• Restrict service accounts to only necessary systems and remove

unnecessary privileges.

8. Compliance G Documentation

• Ensure compliance with regulatory standards (e.g., GDPR, HIPAA, SOX).

• Document and review all changes made during the audit process.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Provide a final report summarizing the audit findings and recommendations.

Audit Checklist for Linux

1. System Configuration

• Verify User Accounts:

o List Users:
▪ Use commands like cat /etc/passwd to list all user accounts.

▪ Identify and review system accounts (UIDs below 1000) to

ensure they are necessary and configured correctly.
o Check for Dormant Accounts:
▪ Identify accounts that haven't been used in a while using
last and lastlog.

▪ Disable or remove unnecessary dormant accounts.

o Password Policies:
▪ Review /etc/login.defs for password aging and complexity
settings.

▪ Check /etc/security/pwquality.conf or /etc/pam.d/common-

password for password complexity requirements.

• Check User Privileges:

o Sudo Configuration:
▪ Examine /etc/sudoers using visudo to ensure that users have
only the required privileges.

▪ Check for any unnecessary or overly permissive sudo rules.

o User Group Memberships:

▪ Verify users’ group memberships in /etc/group and ensure
they have appropriate permissions.

• Review Authentication Methods:

o PAM Configuration:
▪ Review /etc/pam.d/* for correct PAM modules and settings.

▪ Ensure modules like pam_tally2 for account locking and

pam_pwquality for password policies are configured.

o Multi-Factor Authentication:
▪ Verify MFA configurations if using tools like Google Authenticator
or Duo.

2. System Security Settings

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Patch Management:

o Check for Updates:

▪ Use apt list --upgradable (Debian/Ubuntu) or yum
check-update (RHEL/CentOS) to list available updates.

▪ Apply patches using apt-get upgrade or yum update and

verify the update status.

o Check for EOL Software:

▪ Ensure that no software or distributions nearing end-of-life are in
use.

• Firewall Configuration:
o Review Firewall Rules:
▪ For iptables, use iptables -L to list current rules.

▪ For firewalld, use firewall-cmd --list-all to view active rules.

o Check Default Policies:

▪ Ensure default policies are set to deny and only necessary
services are allowed.

• SELinux/AppArmor:

o SELinux:
▪ Check SELinux status with sestatus.

▪ Ensure SELinux is in Enforcing mode, not Permissive.

▪ Review SELinux policies and logs (/var/log/audit/audit.log) for any

issues.

o AppArmor:
▪ Check status with aa-status.

▪ Ensure profiles are in enforce mode and review

/etc/apparmor/ for configurations.

• System Services:

o List Active Services:

▪ Use systemctl list-units --type=service or service --status-
all to list running services.

o Disable Unnecessary Services:

▪ Use systemctl disable [service] or chkconfig [service] off to
disable unneeded services.

3. File System and Permissions

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• File Permissions:

o Check Sensitive Files:

▪ Verify permissions for files like /etc/passwd, /etc/shadow,
/etc/sudoers, etc.

▪ Ensure correct ownership and permissions using ls -l and

chmod/chown.

o Detect World-Writable Files:

▪ Use find / -xdev -type f -perm -0002 to locate world-writable files.

• File Integrity:

o Use Integrity Tools:

▪ Install and configure tools like AIDE or Tripwire.
▪ Regularly check for unauthorized changes.

• Access Control Lists (ACLs):

o Review ACLs:
▪ Use getfacl to view ACLs on files and directories.

▪ Ensure only necessary users/groups have extended permissions.

4. Logging and Monitoring

• System Logs:

o Check Log Files:

▪ Review logs in /var/log including auth.log, syslog, messages,
kern.log, etc.

o Look for Anomalies:

▪ Identify unusual login attempts, errors, or failed services.

• Log Rotation:

o Check Configuration:
▪ Review /etc/logrotate.conf and /etc/logrotate.d/ for proper log
rotation settings.

o Ensure Proper Rotation:

▪ Verify logs are rotated regularly and archived securely.

• Intrusion Detection Systems:

o Configure IDS/IPS:
▪ Ensure tools like Snort, OSSEC, or Suricata are active and
properly configured.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Review Alerts:
▪ Regularly check for and investigate alerts or suspicious activities.

5. Network Security

• Network Configuration:

o Review Network Interfaces:

▪ Check interfaces with ip a or ifconfig for proper configuration.

▪ Ensure no unnecessary interfaces are active.

o Check Network Files:

▪ Review /etc/hosts, /etc/resolv.conf, and /etc/network/interfaces or
/etc/netplan/.
• Secure Communication:

o SSH Configuration:
▪ Review /etc/ssh/sshd_config for settings like
PermitRootLogin, PasswordAuthentication, and
AllowUsers.

▪ Ensure SSH is configured to use key-based authentication

and disable root login.

• Remote Access:

o Review Remote Access:

▪ Check configurations for tools like VNC, RDP, or other
remote access services.

▪ Ensure remote access is restricted and encrypted.

6. Backup and Recovery

• Backup Procedures:

o Verify Backup Jobs:

▪ Ensure backups are scheduled and verify completion status.

▪ Use tools like rsync, tar, or backup software.

o Check Storage:
▪ Ensure backup data is stored securely and protected
against unauthorized access.

• Recovery Plan:

o Document Recovery Steps:

▪ Ensure there is a clear recovery plan and document procedures.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Test Recovery:
▪ Perform regular recovery tests to ensure backups can be
restored.

7. System Hardening

• Kernel Parameters:

o Review Sysctl Settings:

▪ Use sysctl -a to list kernel parameters.

▪ Ensure settings like net.ipv4.ip_forward=0,

net.ipv4.conf.all.rp_filter=1, and kernel.randomize_va_space=2
are configured.

• Security Policies:

o Review Policies:
▪ Ensure policies for password strength, account lockout, and
session timeouts are in place.

o Check /etc/security/limits.conf:
▪ Ensure proper limits are set for user resources.

• Security Tools:

o Use Security Scanners:

▪ Regularly scan with tools like Lynis or OpenVAS to identify
vulnerabilities.

o Apply Recommendations:
▪ Follow recommendations from security tools and perform
remediation.

8. Application
Security

• Installed Software:

o Review Installed Packages:

▪ List installed packages and check for unnecessary or
unauthorized software.

▪ Use dpkg --list (Debian/Ubuntu) or rpm -qa (RHEL/CentOS).

• Configuration Files:

o Review Configurations:
▪ Check configuration files for applications and ensure sensitive
data (e.g., passwords) is not exposed.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

▪ Ensure configurations are secure and follow best practices.

• Updates and Patches:

o Check for Application Updates:

▪ Ensure applications are up-to-date and apply patches regularly.

G. Physical Security

• Hardware Access:

o Physical Controls:
▪ Ensure server rooms or data centers are locked and access is
restricted.

o Server Security:
▪ Verify that servers are physically secured against tampering.

10. Compliance and Documentation

• Compliance:

o Verify Requirements:
▪ Ensure compliance with relevant standards or regulations (e.g.,
PCI-DSS, ISO 27001).

o Conduct Audits:
▪ Perform regular compliance audits to ensure adherence.

• Documentation:

o Maintain Records:
▪ Document system configurations, changes, and audit findings.

o Update Procedures:

▪ Keep documentation updated with current

procedures and configurations.

Hardening of Linux OS

1. System Updates and Patch Management

• Regular Updates:

o Use package managers (apt, yum, dnf, etc.) to regularly update the
system.
o Configure automatic updates where feasible to ensure timely
application of security patches.

• Security Patches:

o Prioritize security updates for the kernel and critical software.

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Use tools like unattended-upgrades on Debian-based systems or dnf-

automatic on RHEL-based systems for automatic updates.

2. User and Group Management

• User Accounts:

o Disable or remove unused user accounts.

o Use strong, unique passwords for all accounts.
o Implement account expiration policies for temporary accounts.
• Privilege Management:

o Review /etc/sudoers with visudo to ensure users have only necessary

privileges. Avoid using ALL unless absolutely necessary.

o Limit sudo access to specific commands and ensure logs are

enabled for all sudo activities.

o Regularly audit user and group memberships to ensure they are

appropriate.
• Password Policies:
o Enforce strong password policies using tools like
pam_pwquality or pam_cracklib.

o Implement password aging and expiration policies in /etc/login.defs or

/etc/security/pam_env.conf.

o Require password complexity and minimum length.

3. File System and Permissions

• File Permissions:

o Set correct permissions for critical files and directories. For example,
/etc/shadow should have permissions 600, and /etc/passwd should be
644.

o Regularly check for world-writable files and directories using find / -

xdev -type f - perm -0002.

• File Integrity:

o Use file integrity monitoring tools like AIDE or Tripwire to detect

unauthorized changes to critical system files.

o Schedule regular checks and review alerts.

• Access Control Lists (ACLs):

o Configure and review ACLs using setfacl and getfacl to manage

permissions beyond traditional file modes.

o Ensure that ACLs are used only where necessary and are properly
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

configured.

4. Network Security

• Firewall Configuration:

o Configure a host-based firewall using iptables, nftables, or firewalld

to control inbound and outbound traffic.

o Define rules to only allow necessary traffic and block all others by
default.
o Regularly review and update firewall rules.
• Network Services:

o Disable unnecessary network services to reduce the attack

surface. Use systemctl or chkconfig to stop and disable
services.

o Review open ports using netstat -tuln or ss -tuln and close any
that are not needed.

• Secure Communication:

o Configure SSH securely by editing /etc/ssh/sshd_config. Disable root

login with PermitRootLogin no, use key-based authentication, and
disable password- based login.
o Use encryption protocols like TLS/SSL for data in transit, and ensure
certificates are up-to-date and from trusted authorities.

5. System Hardening

• Kernel Parameters:

o Configure secure kernel parameters in /etc/sysctl.conf. For example:

▪ net.ipv4.ip_forward = 0 (disable IP forwarding)

▪ net.ipv4.conf.all.rp_filter = 1 (enable reverse path filtering)

▪ kernel.randomize_va_space = 2 (enable full address

space randomization)

o Apply changes with sysctl -p.

• Security Modules:

o SELinux: Ensure SELinux is enabled and in enforcing mode. Check

status with sestatus and configure policies as needed.

o AppArmor: Ensure AppArmor is enabled and profiles are enforced.

Use aa- status to review active profiles and their modes.

• System Services:

o Review and Harden Services:

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

▪ Review running services and their configurations. Disable

unnecessary services.

▪ Configure services to run with the least privileges and in a

confined environment if possible.

o Service Security:
▪ Ensure services are up-to-date and have minimal exposure.

6. Logging and Monitoring

• System Logs:

o Ensure logging is enabled and properly configured in /etc/rsyslog.conf or

/etc/syslog-ng/.

o Regularly review logs for unusual activities, such as /var/log/auth.log,

/var/log/syslog, and /var/log/messages.

• Log Rotation:

o Configure log rotation in /etc/logrotate.conf and /etc/logrotate.d/ to

manage log file sizes and retention.

• Intrusion Detection:
o Implement an Intrusion Detection System (IDS) like OSSEC, Snort, or
Suricata to monitor for suspicious activities.

o Regularly review IDS alerts and logs.

7. Backup and Recovery

• Backup Strategy:

o Implement a comprehensive backup strategy that includes regular

backups of critical files and system states.

o Use tools like rsync, tar, or dedicated backup solutions.

• Backup Security:

o Encrypt backup data to protect it from unauthorized access.

o Store backups securely and test them regularly for integrity and
restoration capability.

• Disaster Recovery Plan:

o Develop and document a disaster recovery plan, including

procedures for data restoration and system recovery.

o Test recovery procedures to ensure they work as expected.

8. Application Security

• Application Hardening:
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Review and configure applications to follow security best practices.

o Ensure applications are updated with the latest security patches.
• Configuration Management:

o Secure configuration files and sensitive data within applications.

o Regularly review and audit application configurations.
G. Physical Security

• Physical Access Controls:

o Restrict physical access to servers and data centers to authorized

personnel only.

o Use physical security measures such as locked cabinets,

surveillance, and access controls.

• Secure Boot:

o Ensure secure boot options are enabled if supported by the hardware

to protect against unauthorized modifications during boot.

10. Compliance and Documentation

• Compliance:

o Ensure the system complies with relevant standards and

regulations, such as GDPR, HIPAA, or PCI-DSS.

o Regularly review compliance requirements and adjust

configurations accordingly.

• Documentation:

o Maintain up-to-date documentation of security configurations,

policies, and procedures.

o Document any changes or updates to the system and configurations.

Audit Checklist for Routers

1. Router Configuration and

Hardening Default Settings:

• Change Default Passwords: Ensure that default administrative usernames

and passwords are changed to strong, unique credentials. Default settings
are well-known and can be exploited.

• Disable Unused Services: Turn off any services or features not in use to
minimize attack vectors. For example, if SSH is not used, disable it.

Access Control:

• Restrict Management Access: Configure the router so that only specific IP

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

addresses or subnets can access the management interface. Implement

multi-factor authentication (MFA) if supported.

• Administrative Roles: Use role-based access controls (RBAC) if available

to limit administrative access to necessary functions only.

Firmware Updates:

• Regular Updates: Check vendor websites or use automated update tools to

ensure the firmware is current. New firmware versions often include
security patches.

• Verify Integrity: Before applying updates, verify their integrity and

authenticity to avoid installing compromised firmware.

2. Network Security

Network

Segmentation:

• VLANs: Use Virtual LANs (VLANs) to segment different types of

traffic (e.g., administrative, guest, and internal network traffic) to
reduce exposure.

• DMZ: Implement a Demilitarized Zone (DMZ) for public-facing services to

isolate them from the internal network.

Firewall Rules:
• Inbound/Outbound Rules: Define rules that control both inbound and
outbound traffic. Ensure that rules are restrictive by default and only allow
necessary traffic.

• Rule Review: Periodically review and update firewall rules to adapt to

changes in the network environment and security posture.

Intrusion Detection/Prevention:

• IDS/IPS Integration: If the router supports IDS/IPS, ensure it is properly

configured to detect and block malicious activities. Regularly update
signature databases.

3. Access Controls

Remote

Management:

• Disable Remote Management: If remote management is not required, disable

it. If it is needed, use secure methods like SSH with strong encryption, and
ensure it is restricted to known IP addresses.

• Secure Access: Use VPNs with strong encryption and authentication

for remote management. Ensure VPN configurations are up-to-date
and tested.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

SNMP:

• Configuration: If SNMP is enabled, ensure it uses secure versions (e.g.,

SNMPv3) with proper authentication and encryption. Disable SNMP if not
required.

4. Logging and

Monitoring Syslog

Configuration:

• Centralized Logging: Configure the router to send logs to a centralized syslog

server for easier management and analysis. Ensure the log server is secure
and protected from tampering.

• Log Retention: Define and enforce policies for log retention and disposal in
accordance with organizational and regulatory requirements.

Event Logging:

• Key Events: Ensure logging includes critical events such as successful and
failed login attempts, configuration changes, and system errors. Review
logs regularly for suspicious activity.

Regular Reviews:

• Automated Alerts: Configure automated alerts for critical events and

anomalies to enable quick response to potential issues.

• Periodic Audits: Schedule periodic audits of logs to identify trends or

potential security incidents.

5. Security Features

Network Address Translation (NAT):

• NAT Configuration: Ensure NAT is enabled to hide internal IP addresses from
external networks. Verify NAT rules are correctly implemented and not
exposing internal resources.

Virtual Private Network (VPN):

• Encryption Standards: Use strong encryption protocols (e.g., AES-256) and

robust authentication methods (e.g., multi-factor authentication) for
VPN connections.

• VPN Policies: Define and enforce policies for VPN usage, including who
can connect and from where.

Access Control Lists (ACLs):

• ACL Implementation: Implement ACLs to restrict traffic based on source

and destination IP addresses, ports, and protocols. Regularly review and
update ACLs as network requirements change.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

6. Physical

Security Physical

Access:

• Secure Location: Place the router in a secure, access-controlled

environment. Ensure that only authorized personnel can physically access
the device.

• Lock and Secure: Use physical locks or enclosures to prevent unauthorized

tampering or removal.

Device Integrity:

• Tamper Evidence: Check for signs of physical tampering or unauthorized

modifications. Implement tamper-evident seals if feasible.

7. Backup and

Recovery

Configuration

Backups:

• Regular Backups: Schedule regular backups of the router’s

configuration. Store backups securely, preferably in an encrypted
format.

• Backup Verification: Regularly test backup files to ensure they are

complete and can be restored successfully.

Recovery Procedures:

• Documentation: Maintain up-to-date documentation on recovery

procedures, including step-by-step instructions for restoring
configurations and services.

• Testing: Periodically test recovery procedures to ensure they work

effectively in the event of a failure or breach.

8. Security Policies and

Documentation Security Policies:

• Policy Development: Develop and maintain security policies covering

router configuration, management, and incident response. Ensure policies
are communicated to relevant personnel.

• Policy Review: Regularly review and update policies to address new

threats and changes in the network environment.

Documentation:

• Configuration Documentation: Document all router configurations,

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

changes, and security measures. Maintain a version history of changes

for auditing purposes.

• Change Management: Implement a formal change management process to

track and approve configuration changes.

G. Testing and Vulnerability Scanning

Penetration Testing:

• Regular Testing: Conduct regular penetration tests to identify potential

vulnerabilities and weaknesses in the router configuration and network
setup.

• Test Coverage: Ensure that penetration tests cover all aspects of the router’s
security, including management interfaces and network exposure.

Vulnerability Scanning:

• Automated Scanning: Use automated vulnerability scanners to

identify known vulnerabilities in the router’s firmware and
configurations.

• Remediation: Address identified vulnerabilities promptly and verify that

remediation measures are effective.

10. User Training and

Awareness Staff Training:

• Security Training: Provide regular security training for staff responsible for
managing the router. Topics should include security best practices, threat
awareness, and incident response.

• Updates and Refreshers: Offer periodic refresher courses to keep staff

updated on the latest security developments and techniques.

Awareness Programs:

• Security Awareness: Implement programs to raise awareness about

security threats and best practices among all users who interact with the
router.

• Incident Reporting: Educate users on how to report security incidents and

suspicious activities effectively.

Audit Checklist for Switches

1. Physical Security
• Access Control: Ensure that only authorized personnel have physical
access to the switch.

• Environment: Verify that the switch is placed in a secure, climate-controlled

room.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Cable Management: Check that cables are properly organized to prevent

accidental disconnections or tampering.

• Locking Mechanism: Ensure that physical ports not in use are disabled or
protected with port blockers.

2. Firmware and Software Security

• Firmware Version: Confirm the switch is running the latest stable firmware
version.

• Security Patches: Ensure all security patches are applied promptly.

• Automatic Updates: If applicable, configure the switch for automatic

updates or implement a regular patching schedule.

• Backup Firmware: Ensure backup firmware images are available in case of

corruption or rollback.

3. Access Control

• Password Policies:

o Ensure strong password policies are enforced (minimum length,

complexity).
o Default credentials should be changed immediately after setup.
• SSH/HTTPS Access:

o Ensure that only encrypted protocols (SSH for CLI, HTTPS for GUI) are
used to manage the switch.

• Disable Telnet: Disable insecure management protocols such as Telnet.

• Role-Based Access Control (RBAC): Implement role-based access control

to limit administrative access.

• Two-Factor Authentication (2FA): Where possible, implement 2FA for

administrative access.

4. Port Security

• Disable Unused Ports: All unused physical ports should be disabled to

prevent unauthorized access.

• MAC Address Filtering: Implement MAC address filtering to limit which

devices can connect to specific ports.

• Port Security Features: Enable port security features, such as limiting the
number of MAC addresses per port and setting actions (like shutting down
the port) if the limit is exceeded.

• VLAN Segmentation: Use VLANs to segment the network and isolate sensitive
systems.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

5. Network Security

• Access Control Lists (ACLs):

o Apply ACLs to control and filter traffic between different parts of the
network.
o Ensure ACLs are up to date and follow the principle of least privilege.
• DHCP Snooping: Enable DHCP snooping to prevent rogue DHCP servers from
operating on the network.

• Dynamic ARP Inspection (DAI): Enable DAI to protect against ARP spoofing attacks.

• Spanning Tree Protocol (STP):

o Ensure STP is enabled to prevent Layer 2 loops.

o Consider enabling features like Root Guard and BPDU Guard to
further secure the network.

• Storm Control: Enable storm control to prevent broadcast, multicast, or

unicast traffic storms from overwhelming the network.

• Network Address Translation (NAT): Ensure proper NAT configurations, if required.

6. Logging and Monitoring

• Syslog Configuration: Ensure that the switch is configured to send logs to

a central syslog server.

• SNMPv3: Ensure SNMPv3 is configured for secure monitoring (use

encryption and authentication).

• Audit Logs: Review switch audit logs for unauthorized access or configuration
changes.

• Real-time Monitoring: Implement real-time monitoring for anomalous

traffic or port activity.

• Time Synchronization: Ensure the switch’s time is synchronized with an NTP

server to ensure accurate logging.

7. Vulnerability Scanning and Penetration Testing

• Regular Scanning: Perform vulnerability scanning on the switch to identify

potential weaknesses.

• Penetration Testing: Regularly perform penetration testing to identify

and address vulnerabilities.

• Patch Vulnerabilities: Ensure that identified vulnerabilities are patched

promptly.

8. Redundancy and Backup

• Configuration Backup: Ensure that switch configurations are backed up

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

regularly and securely.

• Failover Mechanism: Test and verify failover mechanisms (HSRP, VRRP, etc.) to
ensure network redundancy.
• Rollback Configuration: Keep historical configurations to roll back in case of
failure or misconfiguration.

G. Secure Communication and Encryption

• Management VLAN: Use a dedicated management VLAN for

administrative traffic to separate it from regular user traffic.

• Encryption: Ensure management traffic is encrypted (e.g., use SSH instead

of Telnet, HTTPS instead of HTTP).

• VPN: For remote management, ensure that VPN access is used to securely
connect to the switch.

10. Switch Features and Additional Hardening

• 802.1X Port-based Network Access Control: Enable 802.1X to enforce

authentication on network ports.

• Rate Limiting: Implement rate limiting on switch interfaces to mitigate the

effects of denial-of-service (DoS) attacks.

• Network Device Hardening: Disable unnecessary services (e.g., unused

network protocols, CDP/LLDP, etc.).

• Loopback Address: Use a loopback interface for management purposes,

enhancing reliability.

11. Redundant Power and Cooling

• Dual Power Supply: Ensure that the switch is connected to redundant

power supplies or UPS.

• Cooling Systems: Check that the switch’s environment has proper cooling
to prevent overheating.

12. Incident Response

• Security Event Alerts: Ensure that alerts for critical events are set up
(e.g., port violations, login failures).

• Incident Response Plan: Verify that a documented incident response plan is

in place and that personnel know how to respond to a security breach
involving the switch.

• Change Management: Use a change management process to track and

approve all configuration changes on the switch.

13. Compliance and Documentation

• Compliance Check: Ensure that the switch configuration and security

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

measures comply with organizational security policies and any relevant

regulations (e.g., PCI-DSS, HIPAA).

• Documentation: Maintain up-to-date documentation of switch

configurations, VLANs, and access control policies.

Audit Checklist for Switches

1. Physical Security

• Access Control: Ensure that only authorized personnel have physical

access to the switch.

• Environment: Verify that the switch is placed in a secure, climate-controlled

room.

• Cable Management: Check that cables are properly organized to prevent

accidental disconnections or tampering.

• Locking Mechanism: Ensure that physical ports not in use are disabled or
protected with port blockers.

2. Firmware and Software Security

• Firmware Version: Confirm the switch is running the latest stable firmware
version.

• Security Patches: Ensure all security patches are applied promptly.

• Automatic Updates: If applicable, configure the switch for automatic

updates or implement a regular patching schedule.

• Backup Firmware: Ensure backup firmware images are available in case of

corruption or rollback.

3. Access Control

• Password Policies:

o Ensure strong password policies are enforced (minimum length,

complexity).
o Default credentials should be changed immediately after setup.
• SSH/HTTPS Access:

o Ensure that only encrypted protocols (SSH for CLI, HTTPS for GUI) are
used to manage the switch.

• Disable Telnet: Disable insecure management protocols such as Telnet.

• Role-Based Access Control (RBAC): Implement role-based access control

to limit administrative access.

• Two-Factor Authentication (2FA): Where possible, implement 2FA for

administrative access.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

4. Port Security

• Disable Unused Ports: All unused physical ports should be disabled to

prevent unauthorized access.

• MAC Address Filtering: Implement MAC address filtering to limit which

devices can connect to specific ports.

• Port Security Features: Enable port security features, such as limiting the
number of MAC addresses per port and setting actions (like shutting down
the port) if the limit is exceeded.
• VLAN Segmentation: Use VLANs to segment the network and isolate sensitive
systems.

5. Network Security

• Access Control Lists (ACLs):

o Apply ACLs to control and filter traffic between different parts of the
network.
o Ensure ACLs are up to date and follow the principle of least privilege.
• DHCP Snooping: Enable DHCP snooping to prevent rogue DHCP servers from
operating on the network.

• Dynamic ARP Inspection (DAI): Enable DAI to protect against ARP spoofing attacks.

• Spanning Tree Protocol (STP):

o Ensure STP is enabled to prevent Layer 2 loops.

o Consider enabling features like Root Guard and BPDU Guard to

further secure the network.

• Storm Control: Enable storm control to prevent broadcast, multicast, or

unicast traffic storms from overwhelming the network.

• Network Address Translation (NAT): Ensure proper NAT configurations, if required.

6. Logging and Monitoring

• Syslog Configuration: Ensure that the switch is configured to send logs to

a central syslog server.

• SNMPv3: Ensure SNMPv3 is configured for secure monitoring (use

encryption and authentication).

• Audit Logs: Review switch audit logs for unauthorized access or configuration
changes.

• Real-time Monitoring: Implement real-time monitoring for anomalous

traffic or port activity.

• Time Synchronization: Ensure the switch’s time is synchronized with an NTP

server to ensure accurate logging.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

7. Vulnerability Scanning and Penetration Testing

• Regular Scanning: Perform vulnerability scanning on the switch to identify

potential weaknesses.

• Penetration Testing: Regularly perform penetration testing to identify

and address vulnerabilities.

• Patch Vulnerabilities: Ensure that identified vulnerabilities are patched

promptly.

8. Redundancy and Backup

• Configuration Backup: Ensure that switch configurations are backed up

regularly and securely.
• Failover Mechanism: Test and verify failover mechanisms (HSRP, VRRP, etc.) to
ensure network redundancy.

• Rollback Configuration: Keep historical configurations to roll back in case of

failure or misconfiguration.

G. Secure Communication and Encryption

• Management VLAN: Use a dedicated management VLAN for

administrative traffic to separate it from regular user traffic.

• Encryption: Ensure management traffic is encrypted (e.g., use SSH instead

of Telnet, HTTPS instead of HTTP).

• VPN: For remote management, ensure that VPN access is used to securely
connect to the switch.

10. Switch Features and Additional Hardening

• 802.1X Port-based Network Access Control: Enable 802.1X to enforce

authentication on network ports.

• Rate Limiting: Implement rate limiting on switch interfaces to mitigate the

effects of denial-of-service (DoS) attacks.

• Network Device Hardening: Disable unnecessary services (e.g., unused

network protocols, CDP/LLDP, etc.).

• Loopback Address: Use a loopback interface for management purposes,

enhancing reliability.

11. Redundant Power and Cooling

• Dual Power Supply: Ensure that the switch is connected to redundant

power supplies or UPS.

• Cooling Systems: Check that the switch’s environment has proper cooling
to prevent overheating.

12. Incident Response

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Security Event Alerts: Ensure that alerts for critical events are set up
(e.g., port violations, login failures).

• Incident Response Plan: Verify that a documented incident response plan is

in place and that personnel know how to respond to a security breach
involving the switch.

• Change Management: Use a change management process to track and

approve all configuration changes on the switch.

13. Compliance and Documentation

• Compliance Check: Ensure that the switch configuration and security

measures comply with organizational security policies and any relevant
regulations (e.g., PCI-DSS, HIPAA).
• Documentation: Maintain up-to-date documentation of switch
configurations, VLANs, and access control policies.

Audit Checklist for Databases

1. Database Configuration G Hardening

• Database Version: Check for the latest stable version of the database.
Ensure that no outdated versions are in use.

• Patches G Updates: Verify that all relevant security patches and updates
are applied regularly.

• Default Accounts G Passwords: Ensure default accounts are disabled or

removed and default passwords have been changed.

• Configuration Files: Secure the database configuration files by restricting

access and encrypting sensitive parameters (e.g., passwords).

• Unnecessary Features/Services: Disable any unused database features or

services (e.g., unused plugins, remote access).

• Encryption: Confirm encryption at rest (data files, backups) and in transit

(SSL/TLS).

2. Authentication and Access Controls

• User Authentication: Ensure all users authenticate with strong methods, such
as multi- factor authentication (MFA) where possible.

• Role-Based Access Control (RBAC): Review the database role and

permission assignments. Ensure users only have the minimum necessary
privileges (principle of least privilege).

• Admin Accounts: Verify that administrative (privileged) accounts are limited

and used sparingly.

• Third-party Access: Ensure that third-party access is limited and

monitored. Verify vendor access and credentials.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Account Expiry: Ensure that old and unused accounts are disabled or
removed, especially if contractors or ex-employees have left.

3. Logging and Monitoring

• Audit Logging: Confirm that database activity logging is enabled (e.g., SELECT,
INSERT, UPDATE, DELETE).

• Error Logging: Check that error logs are properly configured to capture all
necessary events.

• Log Retention Policy: Review log retention policy to ensure that logs are stored
securely for the necessary amount of time.

• Real-Time Monitoring: Verify that real-time monitoring is in place to detect

suspicious activity (e.g., unusual queries, brute-force login attempts).

• Log Protection: Ensure logs are securely stored, rotated, and protected from
tampering.
4. Database Backup G Recovery

• Backup Encryption: Confirm that all database backups are encrypted.

• Backup Storage: Ensure that backups are stored securely, offsite, or in

a highly available and fault-tolerant location.

• Backup Access Control: Review who has access to backups and ensure strict
controls over their use.

• Backup Frequency: Ensure that database backups are performed regularly

as per the recovery point objectives (RPO).

• Disaster Recovery Testing: Validate that disaster recovery plans are in place
and are regularly tested.

5. Data Protection

• Sensitive Data Identification: Ensure all sensitive data (PII, financial,

healthcare) is identified and properly categorized.

• Data Masking/Tokenization: Validate the use of data masking or

tokenization for sensitive data during non-production processes.

• Encryption of Sensitive Data: Confirm that sensitive data is encrypted both

in transit and at rest.

• Data Integrity Controls: Check mechanisms for ensuring the integrity of

critical data (e.g., checksums, hashing).

• Data Retention Policy: Ensure data retention policies are in place for sensitive
data and are strictly followed.

6. Network Security

• Firewall Rules: Review database firewall rules to ensure only necessary

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

traffic is allowed (e.g., IP whitelisting).

• Database Segmentation: Ensure databases are on isolated segments of the

network and not exposed to the public internet.

• VPN/SSH for Remote Access: Verify that remote database access is done only
through secure channels such as VPN or SSH.

• Connection Encryption: Ensure all database connections are encrypted

(SSL/TLS).

• Access Over Private Networks: Validate that database access from

application servers happens over private networks or internal segments.

7. Vulnerability Management

• Regular Vulnerability Scans: Ensure regular vulnerability scans of the

database are performed.

• Penetration Testing: Verify that the database undergoes

penetration testing periodically.
• Risk Assessments: Perform a risk assessment for critical assets in the database.

• Patch Management: Ensure there’s a patch management process to

quickly address discovered vulnerabilities.

• Security Baselines: Check against a security baseline for configuration

and ensure continuous monitoring for deviations.

8. Auditing Compliance

• Regulatory Compliance: Ensure the database meets necessary regulatory

compliance requirements (GDPR, HIPAA, PCI DSS, etc.).

• Audit Trails: Confirm that all user activities and transactions are tracked and
auditable for compliance purposes.

• Data Access Auditing: Ensure that records are maintained for who accessed
sensitive data, when, and for what purpose.

• Segregation of Duties: Check for compliance with segregation of duties,

ensuring no single user has too much control over critical functions.

G. Incident Response

• Database Incident Response Plan: Verify that there is a documented

incident response plan for database-related breaches or attacks.

• Security Alerts: Ensure alerts are configured for anomalous behavior (e.g.,
repeated login failures, unexpected privilege escalations).

• Response Team Contacts: Ensure the appropriate security team contacts

are up-to- date and reachable in case of an incident.

• Incident Logging: Confirm that all incidents are logged, and responses are
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

documented for future learning.

10. Physical Security

• Server Room Access: Review who has physical access to database servers
and ensure appropriate access controls are in place.

• Database Backups Physical Security: Ensure that physical backups are

stored securely (e.g., in off-site vaults with strict access control).

• Environmental Controls: Confirm environmental controls (e.g.,

cooling, fire suppression, power backup) are in place for database
servers.

11. Database Performance G Security Impact

• Load Testing Impact on Security: Ensure load testing is periodically

conducted to ensure performance under peak loads without
sacrificing security.

• Resource Exhaustion Protections: Confirm protections are in place to

guard against resource exhaustion attacks (e.g., database denial-of-
service).

• Security vs. Performance Trade-offs: Verify that any database tuning for
performance does not compromise security controls (e.g., disabling
SSL/TLS for speed).
12. Third-Party Integrations

• Third-Party App Vulnerabilities: Assess any third-party applications integrated

with the database for security vulnerabilities.

• API Security: Review and audit security for APIs accessing the database,
ensuring secure authentication and encryption.

• Data Sharing Agreements: Verify that there are data sharing agreements in
place with third parties, detailing security responsibilities.

13. User Education G Policies

• User Training: Ensure that all users with database access have undergone
security awareness training related to database threats.

• Security Policies: Verify that security policies related to database

usage, access control, and incident reporting are well-documented
and enforced.

Audit Checklist for General Information Security

1. Administrative Controls

These refer to organizational policies, procedures, and planning processes that

ensure data protection.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

1.1. Security Policies and Procedures

• Security Policy Framework: Verify that the framework covers

acceptable use, password policies, incident response, data
protection, etc.

• Policy Distribution: Ensure employees and third parties are informed and
sign off on understanding security policies.

• Policy Version Control: Track changes in security policies, with dates of

amendments and approvals documented.

1.2. Compliance and Governance

• Industry Standards Adherence: Evaluate adherence to standards like ISO/IEC

27001, NIST Cybersecurity Framework, and PCI-DSS.

• Data Protection Impact Assessment (DPIA): Regular DPIA should be

conducted, particularly when new projects or systems involving
sensitive data are launched.

• Internal Audit Programs: Validate the frequency, scope, and findings of internal
audits.

1.3. Risk Management

• Threat Identification and Risk Assessment: Review the risk register and
confirm identified risks (e.g., insider threats, phishing attacks).

• Risk Prioritization: Ensure risks are prioritized based on potential business

impact and likelihood of occurrence.

• Risk Acceptance: For any risks not mitigated, ensure there’s documented
acceptance from senior management.
1.4. Security Awareness Training

• Specialized Training for Key Roles: Roles like IT administrators or C-level execs
should receive additional security training specific to their responsibilities.

• Measuring Awareness Effectiveness: Use metrics from phishing tests or

quizzes to measure the effectiveness of awareness programs.

2. Technical Controls

These involve the technical tools and configuration mechanisms designed to protect
against security breaches.

2.1. Access Control

• Privileged Access Management (PAM): Ensure privileged accounts (e.g.,

admin accounts) are monitored, with session recordings, MFA, and regular
audits of access.

• Segregation of Duties (SoD): Confirm that critical tasks require two or more
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

individuals to prevent misuse of access (e.g., one person can't both initiate and
approve payments).

• Account Expiry and Review: Ensure automatic expiry of temporary

accounts (contractors or interns) and periodic review of active user
lists.

2.2. Network Security

• Advanced Threat Protection: Use of AI-powered tools for real-time

identification of network anomalies.

• Segmentation of Sensitive Data: Implement Virtual LAN (VLAN) or

microsegmentation to isolate sensitive data and critical systems from the
rest of the network.

• Network Configuration Reviews: Ensure regular reviews of network

device configurations (firewalls, routers, switches) and document
all changes.

2.3. Data Encryption

• Disk Encryption: Validate that full disk encryption is used on all devices
containing sensitive data (e.g., laptops, mobile devices).

• Email Encryption: Ensure that emails containing sensitive information are

encrypted using standards like PGP or S/MIME.

• Encryption Strength: Verify encryption algorithms meet industry standards

(e.g., AES- 256 for data at rest and TLS 1.2 or higher for data in transit).

2.4. System Configuration

• Secure Baseline Configurations: Ensure systems (servers, workstations)

adhere to secure baseline configurations (e.g., CIS Benchmarks).

• Automated Configuration Management Tools: Use automated tools to

enforce and monitor configurations across systems (e.g., Ansible, Chef).

• Unused Services and Ports: Ensure that unnecessary services, ports, and
protocols are disabled.
2.5. Logging and Monitoring

• Security Information and Event Management (SIEM): Ensure integration of a

SIEM solution that correlates and analyzes logs in real-time.

• Log Integrity: Implement mechanisms to ensure log integrity (e.g., digital

signatures) to prevent tampering.

• Behavioral Analytics: Use behavior-based monitoring to detect deviations

from normal activity that could signal an insider threat.

3. Physical Controls
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

These involve measures to prevent unauthorized physical access to critical assets.

3.1. Data Center Security

• Mantraps and Biometrics: Validate that physical access to data centers

includes multi- layered protection like mantraps and biometric
authentication.

• Visitor Logs: Ensure physical visitor logs are maintained, and verify that
unauthorized personnel are not accessing critical areas.

• Environmental Controls Monitoring: Regularly review environmental

metrics (temperature, humidity, power stability) in server rooms to avoid
physical damage.

3.2. Device Security

• Laptop and Mobile Device Security: Ensure all devices have encryption,
remote wipe capabilities, and endpoint detection systems installed.

• Mobile Device Management (MDM): Verify that corporate devices are

managed through an MDM platform, enforcing security policies like
password strength and app permissions.

4. Disaster Recovery and Business Continuity

These controls focus on ensuring the organization can quickly recover from a disaster.

4.1. Backup and Recovery

• Backup Schedule and Automation: Ensure backups occur at defined intervals

and that critical systems are backed up more frequently.

• Offsite and Immutable Backups: Ensure backups are stored offsite and,
where possible, use immutable storage for additional protection
against ransomware.

• Backup Testing Frequency: Document and verify the frequency and results
of backup restore tests (e.g., quarterly restore tests).

4.2. Disaster Recovery Plan (DRP)

• Hot/Cold/Warm Sites: Validate the availability and configuration of recovery

sites (e.g., hot sites that mirror the production environment in real time).

• Data Replication: Ensure critical systems use real-time or near-real-

time data replication to minimize data loss during a disaster.
4.3. Business Continuity Plan (BCP)

• Crisis Communication Channels: Ensure that alternative communication

methods are available in case the primary communication systems fail.

• Key Personnel Identification: Ensure the BCP clearly identifies key

personnel responsible for business continuity during an outage.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

5. Incident Response

A well-defined process for handling security incidents is essential to minimize

damage.

5.1. Incident Response Plan

• Chain of Custody for Evidence: Ensure that the chain of custody for digital
evidence is documented and maintained in the event of an investigation.

• Incident Escalation Protocols: Ensure there are clear escalation protocols

based on incident severity (e.g., low-level alert vs. critical system breach).

5.2. Incident Handling

• Containment Strategy: Ensure rapid containment strategies for

incidents, such as isolating infected systems to prevent malware
spread.

• Threat Intelligence Integration: Verify integration with external threat

intelligence feeds to gain real-time awareness of emerging threats.

5.3. Post-Incident Review

• Root Cause Analysis (RCA): Perform a root cause analysis after every
significant incident and ensure lessons learned are implemented.

• KPIs for Incident Management: Track key performance indicators (KPIs), such
as mean time to detection (MTTD) and mean time to recovery (MTTR).

6. Vendor and Third-Party Security

These controls ensure that third-party vendors do not introduce vulnerabilities.

6.1. Vendor Risk Management

• Third-Party Risk Assessments: Conduct thorough risk assessments of

vendors before onboarding and regularly thereafter.

• Vendor Security SLAs: Ensure service-level agreements (SLAs) include

specific security expectations and penalties for breaches.

6.2. Third-Party Access

• Vendor Access Controls: Ensure vendors only access the systems they require
and use separate accounts for each user (not shared credentials).

• Monitoring and Logging Vendor Activities: Implement real-time monitoring of

vendor activities and maintain a log of all access.

7. Data Privacy and Classification

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

These are specific controls to ensure data is managed securely and in line with privacy
regulations.

7.1. Data Classification

• Automated Data Classification Tools: Ensure the use of automated tools to

detect and classify sensitive data (e.g., PII, PHI, etc.).

• Access to Sensitive Data: Ensure that sensitive data is accessible only by

authorized individuals and that access is logged.

7.2. Data Retention and Disposal

• Retention Policy for Legal Requirements: Ensure that the organization

follows legal and regulatory requirements for data retention (e.g., tax,
legal).

• Data Masking and Anonymization: Implement data masking or

anonymization techniques to reduce the risk of exposure during
retention.

8. Vulnerability Management and Testing

These controls ensure systems are continuously monitored for security gaps.

8.1. Vulnerability Scanning

• Zero-Day Vulnerability Management: Ensure that mechanisms are in place

to handle zero-day vulnerabilities, including patch prioritization and
containment strategies.

8.2. Penetration Testing

• Red Team Exercises: Conduct red team exercises where simulated

attacks test the organization’s defenses, incident response, and
detection capabilities.

8.3. Patch Management

• Third-Party Software Patch Management: Ensure that not just OS-level but third-
party applications (e.g., Adobe, Java) are included in patch management
procedures.

G. Cloud Security

As organizations increasingly migrate to the cloud, specific cloud security controls

become crucial.

G.1. Cloud Configuration and Access

• Cloud Security Posture Management (CSPM): Ensure the use of tools to

continuously monitor and improve the security posture of cloud
environments (e.g., AWS, Azure, GCP).

• Least Privilege Access in Cloud Environments: Ensure least privilege

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

principles are applied, including the use of Identity and Access

Management (IAM) roles instead of broad-based user permissions.

• Cloud Encryption: Confirm that cloud services support and implement

encryption for both data at rest and in transit. Use customer-managed
encryption keys (CMEK) where possible.
G.2. Cloud Data Protection

• Data Loss Prevention (DLP): Ensure DLP solutions are applied to cloud
environments to prevent sensitive data leaks.

• Shadow IT Monitoring: Monitor and manage unauthorized cloud services

(Shadow IT) that may be used by employees without IT’s approval.

G.3. Multi-Cloud Security

• Cross-Cloud Security Standards: Ensure consistent security policies are

applied across different cloud platforms (multi-cloud environments).

• Container and Serverless Security: For cloud-native applications, implement

security for containers (e.g., Docker) and serverless environments (e.g., AWS
Lambda).

10. DevSecOps and Application Security

Security should be integrated into the development lifecycle (DevSecOps), not just an
afterthought.

10.1. Secure Software Development Lifecycle (SDLC)

• Security in DevOps Pipelines: Ensure that security checks (e.g., static code
analysis, dependency checks) are automated into CI/CD pipelines.

• Secure Coding Practices: Validate that developers are trained on

secure coding techniques (e.g., OWASP Top 10 vulnerabilities).

10.2. Application Security Testing

• Static Application Security Testing (SAST): Ensure that automated code

reviews are conducted to detect vulnerabilities in the code.

• Dynamic Application Security Testing (DAST): Perform automated tests on

running applications to detect vulnerabilities in the execution
environment.

• Software Composition Analysis (SCA): Ensure that third-party

libraries and dependencies are regularly scanned for
vulnerabilities.

10.3. API Security

• Authentication and Authorization: Ensure APIs are protected by strong

authentication (e.g., OAuth, API keys) and fine-grained access controls.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Rate Limiting and Throttling: Implement rate limiting and throttling on APIs
to prevent abuse or Distributed Denial of Service (DDoS) attacks.

11. Internet of Things (IoT) Security

With the rise of connected devices, securing IoT infrastructure is vital.

11.1. Device Security

• IoT Device Configuration Management: Ensure default credentials on IoT
devices are changed and all devices are securely configured.

• Firmware Updates: Ensure that IoT devices are regularly patched and that
firmware updates are managed centrally.

11.2. Network Segmentation for IoT

• Isolated IoT Networks: Ensure that IoT devices are segmented into their own
network to limit their exposure to the main corporate network.

• Monitoring IoT Traffic: Use specialized tools to monitor network traffic

between IoT devices for abnormal behaviors or potential threats.

12. Artificial Intelligence and Machine Learning Security

As AI and ML models are increasingly being used in business operations, securing

these models becomes critical.

12.1. Model Integrity

• Model Tampering Prevention: Ensure that AI/ML models are protected

against adversarial attacks, such as tampering or poisoning (input
data manipulation).

• Model Access Control: Implement strong access controls to ensure only

authorized users can modify or deploy machine learning models.

12.2. Data Privacy in AI/ML Models

• Sensitive Data Handling: Ensure that AI/ML models are not inadvertently
exposed to sensitive or personal data, particularly if using production
datasets for training.

• Fairness and Bias Checks: Implement checks to ensure AI models do not

inherit biases, especially when dealing with critical decision-making
processes (e.g., hiring, lending).

13. Identity and Access Management (IAM) Enhancements

IAM is crucial to ensure that users have the correct levels of access.

13.1. Identity Governance and Administration (IGA)

• Periodic Access Reviews: Ensure automated processes exist to regularly

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

review access rights, including user certifications and recertifications.

• Access Request Automation: Ensure automation of access requests,

approvals, and provisioning to reduce the likelihood of human error.

13.2. Single Sign-On (SSO) and Federation

• SSO Implementation: Ensure that Single Sign-On is in place to simplify user

access to multiple systems while improving security.

• Federated Identity Management: Ensure that federated identity solutions

(e.g., SAML, OpenID) are in place for securely sharing identity information
across systems or organizations.
13.3. Adaptive Authentication

• Risk-Based Authentication: Implement adaptive authentication, where

login processes require additional verification based on risk factors (e.g.,
unusual location or device).

14. Advanced Threat Detection and Response

As cyberattacks become more sophisticated, advanced detection and response

mechanisms are crucial.

14.1. Endpoint Detection and Response (EDR)

• Behavior-Based Detection: Ensure that EDR solutions are deployed to

identify suspicious behavior across endpoints, not just based on
signatures but also on heuristics.

• Automated Containment: Ensure that EDR solutions are capable of

automatically isolating or quarantining compromised devices based on
detected threats.

14.2. Threat Intelligence Integration

• External Threat Intelligence Feeds: Ensure integration with external threat

intelligence feeds (e.g., FireEye, AlienVault) to stay updated on emerging
threats.

• Threat Hunting: Implement proactive threat hunting practices to identify

potential compromises before they result in incidents.

14.3. Security Orchestration, Automation, and Response (SOAR)

• Automated Incident Response: Ensure the use of SOAR platforms to

automate incident response processes, reducing the time from
detection to containment.

• Playbook Development: Develop and continuously update playbooks

that define automatic response actions for common threats.

15. Data Governance and Data Leakage Prevention (DLP)

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

Data governance ensures that data is managed securely and in compliance with laws
and regulations.

15.1. Data Classification and Labeling

• Automated Data Labeling: Ensure the use of tools to automatically classify

and label data based on sensitivity (e.g., public, confidential, highly
confidential).

15.2. Data Leakage Prevention

• Endpoint DLP: Implement endpoint-based DLP solutions to monitor and

control the transfer of sensitive data (e.g., preventing unauthorized USB
use).

• Network DLP: Ensure network-based DLP solutions monitor sensitive data

in transit to prevent unauthorized sharing or transmission.

• Cloud DLP: For cloud environments, ensure that cloud-native DLP solutions
are in place to monitor and restrict sensitive data movement.
16. Cryptography and Key Management

Cryptography is essential for protecting data confidentiality and integrity.

16.1. Key Management Practices

• Key Rotation and Expiry: Ensure that encryption keys are regularly rotated,
and key expiration policies are enforced.

• Hardware Security Modules (HSMs): Use HSMs for secure generation,

storage, and management of cryptographic keys.

16.2. Secure Protocols

• Deprecation of Weak Protocols: Ensure that weak encryption protocols

(e.g., SSL, older versions of TLS) are deprecated and replaced with stronger
protocols (e.g., TLS 1.3).

• End-to-End Encryption: Ensure that end-to-end encryption is used where

sensitive information is transmitted (e.g., messaging platforms, VoIP).

17. Social Engineering Protection

Social engineering remains one of the most effective forms of attack.

17.1. Employee Training and Simulation

• Phishing Simulations: Regularly conduct phishing simulations to test

employee awareness and response to social engineering attempts.

• Real-Time Awareness Tools: Use tools that notify users in real-time of

potential phishing emails or suspicious communications.

17.2. Multi-Layered Communication Verification

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Verification of High-Risk Communications: Ensure multi-step verification for

high-risk actions, such as financial transactions or sensitive data requests
(e.g., callback verification).

18. Insider Threat Detection

Insider threats, whether malicious or accidental, are a major security concern.

18.1. Insider Threat Monitoring

• User and Entity Behavior Analytics (UEBA): Deploy UEBA solutions to

monitor and detect unusual user behavior that may indicate an insider
threat.

18.2. Data Access and Exfiltration Alerts

• Data Exfiltration Monitoring: Implement real-time alerts for any unusual

large data transfers, especially from privileged accounts.

Audit Checklist for Information System

1. Audit Planning G Pre-Audit Preparations

• Audit Scope G Objectives:

o Identify the specific systems, applications, and processes that will
be audited (e.g., ERP, HR systems, cloud services).

o Define clear objectives, such as assessing compliance, system

performance, security risks, or internal control adequacy.

• Legal G Regulatory Requirements:

o Ensure that all applicable legal standards (e.g., GDPR, HIPAA, PCI-
DSS) are identified early and form part of the audit.

o Investigate any new or upcoming regulations that could affect the

audit (e.g., new privacy laws or industry standards).

• Resources G Stakeholders:

o Identify all necessary audit resources (human, technical, and

financial) and key stakeholders (e.g., IT, HR, legal).

o Develop a clear schedule and audit timeline.

• Previous Audit Findings:

o Review previous audit findings to ensure past issues have been

addressed and to guide the scope of the current audit.

2. IT Governance

• IT Policy Review:

o Ensure policies around IT management, security, access control,

and data handling are up to date and consistently applied.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Roles G Responsibilities:

o Verify that roles within the IT department and across business units
are clearly defined, with responsibilities for systems, security, and
data management formally assigned.

• IT Strategy Alignment:

o Confirm that IT strategies support broader organizational goals (e.g.,

growth, cost reduction, security).

• Risk Management:

o Evaluate the risk management framework, ensuring all IT-

related risks are documented, monitored, and mitigated
through control measures.

3. Access Control G User Management

• Authentication G Authorization:

o Ensure users are authenticated through secure methods, such as

multi-factor authentication (MFA) and strong password policies.

o Verify the use of role-based access control (RBAC) to limit access to

sensitive data or functionality based on job roles.
• User Account Management:

o Evaluate the processes for creating, modifying, and deleting user

accounts, especially how access is granted and reviewed.

• Privileged Access:

o Review how privileged access accounts (e.g., admin accounts) are

managed and whether their actions are logged and monitored.

• Segregation of Duties:

o Ensure that duties are segregated to avoid conflicts of

interest, such as separating system administration duties
from auditing duties.

4. Network G Infrastructure Security

• Firewall G Router Configurations:

o Confirm that firewalls and routers are configured according to

security best practices (e.g., least-privilege rules, network
segmentation).

• Intrusion Detection G Prevention:

o Verify the existence and functionality of Intrusion Detection Systems

(IDS) and Intrusion Prevention Systems (IPS) to monitor for unusual
activity.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• VPN G Remote Access:

o Ensure that remote access solutions, like VPNs, are secure, and that
encryption protocols (e.g., SSL, TLS) are used to protect
communication.

• Network Segmentation:

o Confirm that critical systems, such as servers storing sensitive

data, are segmented from the general network to reduce
attack surfaces.

5. Data Security G Privacy

• Data Classification:

o Review data classification policies that categorize data based on

sensitivity (e.g., confidential, public) and ensure controls are in place
based on classification.

• Encryption:

o Verify that encryption is used to protect sensitive data both at rest and
in transit (e.g., SSL/TLS for data transmission, AES for stored data).

• Backup G Recovery:

o Ensure backups are performed regularly and stored securely, with

recovery processes tested to ensure they meet recovery time and
point objectives (RTOs and RPOs).

• Data Retention G Disposal:

o Confirm that the organization follows defined data retention
schedules and that secure deletion methods (e.g., shredding, wiping)
are used for data disposal.

• Privacy Regulations:

o Assess compliance with privacy regulations like GDPR, CCPA, HIPAA,

ensuring the organization handles personal data properly (e.g.,
consent, data subject rights).

6. System Development G Change Management

• SDLC Review:

o Review the organization's System Development Life Cycle (SDLC)

for rigor, particularly for security testing in each phase
(requirements, development, testing, deployment).

• Change Management:

o Ensure there is a formal process for requesting, reviewing,

approving, and implementing changes, including security
testing of changes.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Patch Management:

o Confirm that the organization maintains a regular patch

management cycle, applying critical updates promptly to fix
vulnerabilities.

• Software Licensing:

o Review software licensing compliance to ensure all software is

properly licensed and that unauthorized software is not installed.

7. Incident Response G Monitoring

• Incident Response Plan:

o Ensure there is a documented incident response plan that

includes roles, escalation procedures, communication
protocols, and recovery steps.

• Security Event Monitoring:

o Verify that security logs are monitored in real-time, using tools such
as SIEM (Security Information and Event Management), to detect
suspicious behavior.

• Incident Logging:

o Confirm that all incidents are logged, categorized, and tracked from
detection to resolution.

• Forensics G Root Cause Analysis:

o Ensure that the organization has forensic capabilities to analyze

incidents, discover root causes, and implement preventive
measures.

8. Business Continuity G Disaster Recovery

• Business Continuity Plan (BCP):

o Review the organization’s BCP to ensure it outlines critical business
functions, key personnel, dependencies, and recovery strategies for
major disruptions.

• Disaster Recovery Plan (DRP):

o Evaluate the DRP for IT systems, ensuring it includes detailed

recovery procedures, backup strategies, and alternate site
activation.

• Backup Testing:

o Confirm that backups are regularly tested to verify their integrity and
ensure that they can be successfully restored.

• Alternate Sites:
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Ensure that alternate recovery sites (hot, warm, or cold) are ready for
activation in the event of a disaster, and that connectivity and
hardware configurations have been tested.

G. Application Security

• Input Validation:

o Verify that applications validate all user inputs to prevent security

vulnerabilities like SǪL Injection, Cross-Site Scripting (XSS), and
buffer overflows.

• Access Control within Applications:

o Review how access controls are implemented within applications,

ensuring that users have only the minimum necessary access (e.g.,
through RBAC or ABAC).

• Secure Coding Practices:

o Assess whether developers follow secure coding guidelines (e.g.,

OWASP Top 10) and that they receive regular security training.

• Application Testing:

o Confirm that all new applications or updates undergo security

testing, such as static and dynamic code analysis, penetration
testing, and vulnerability scanning.

10. Physical Security

• Data Center Security:

o Ensure that access to the data center is restricted through

physical security measures like biometric scanning, security
guards, and surveillance.

• Environmental Controls:

o Review environmental controls, such as fire suppression systems,

temperature monitoring, and uninterruptible power supplies (UPS),
to prevent damage to physical infrastructure.

• Hardware Security:
o Confirm that all servers, workstations, and portable devices (e.g.,
laptops, USB drives) are physically secured and encrypted where
necessary.

• Asset Inventory:

o Ensure there is an up-to-date inventory of all IT assets (hardware,

software), and that these assets are tracked and regularly audited.

11. Third-Party G Vendor Management

• Third-Party Risk Management:

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Review the process for assessing the IT security posture of third-party

vendors, especially those handling sensitive data or providing
critical services.

• Service Level Agreements (SLAs):

o Ensure that SLAs with vendors define clear security expectations,

performance metrics, and penalties for non-compliance.

• Vendor Access Controls:

o Verify that vendors with access to the organization’s systems or data

are subject to the same access control policies as internal staff.

• Data Sharing Agreements:

o Ensure there are legally binding agreements with third-party vendors

that outline the terms for data sharing, data protection
responsibilities, and breach notification.

12. Compliance G Regulatory Requirements

• Industry Standards:

o Ensure that the organization complies with relevant industry

standards such as ISO 27001 (for Information Security Management),
NIST, COBIT, or ITIL.

• Regulatory Compliance:

o Assess the organization’s adherence to sector-specific regulations

such as GDPR, HIPAA, SOX, and PCI-DSS. Verify audit trails, data
handling practices, and incident reporting mechanisms.

• Audit Logs:

o Confirm that audit logs are collected, stored securely, and

retained for the required duration per regulatory guidelines
(e.g., financial logs for SOX compliance).

• Internal G External Audits:

o Review findings from previous internal and external audits to

ensure that corrective actions have been implemented for
identified issues.

13. Audit Reporting G Follow-up

• Audit Findings:
o Document audit findings and categorize them based on severity
(e.g., critical, high, medium, low), ensuring prioritization of critical
vulnerabilities.

• Recommendations:

o Provide clear, actionable recommendations for remediating

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

identified issues, with ownership assigned to relevant personnel.

• Management Review:

o Ensure that the audit report is reviewed by senior management

and that management responses are documented and
tracked.

• Post-Audit Follow-Up:

o Confirm that there is a process for following up on audit

recommendations to ensure that corrective actions have been
completed and are effective.

14. Cloud Computing G Virtualization Security

• Cloud Service Provider (CSP) Review:

o Security Certifications: Check whether the CSP has certifications such as

ISO 27001, SOC 2 Type II, or CSA STAR, which demonstrate a high level of
information security management.

o Compliance Audits: Ensure CSPs are subject to regular compliance audits

(e.g., PCI- DSS, HIPAA, GDPR) and that audit reports are shared with the
organization.

o Data Residency and Jurisdiction: Understand where data is physically

stored, especially if it crosses borders, and ensure compliance with local
regulations (e.g., GDPR for European Union citizens).

o Service Availability G Uptime: Review the CSP's Service Level Agreements

(SLAs) for uptime guarantees, and validate redundancy mechanisms,
disaster recovery policies, and high availability features.

• Shared Responsibility Model:

o Defined Roles: Clearly define the division of security responsibilities

between the CSP and your organization. For example, the CSP may
manage the physical security of the cloud infrastructure, while the
organization is responsible for securing the applications and data.

o Continuous Monitoring: Ensure that both parties have implemented

continuous monitoring of cloud environments for security threats,
vulnerabilities, and incidents.

o Cloud-Specific Controls: Validate the deployment of security tools that are

specific to cloud environments (e.g., CASBs—Cloud Access Security
Brokers, cloud-specific firewalls).

• Data Migration:

o Migration Process Review: Ensure that data is encrypted during migration

from on- premises to the cloud, and that proper change management
processes are followed.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Data Integrity Verification: Implement procedures for verifying the

integrity and completeness of data after migration (e.g., hashing,
validation checks).

o Rollback Plans: Ensure that rollback plans are in place in case migration
fails or data corruption occurs during the process.

• Multi-Tenancy Risks:

o Isolation Mechanisms: Ensure that the cloud provider offers robust

mechanisms for ensuring the logical isolation of data and resources
between tenants in a multi-tenant cloud environment.

o Hypervisor Security: Review the hypervisor security mechanisms in place for

managing virtual machines (VMs), ensuring that cross-VM data leaks are
impossible.

• Virtualization Controls:

o Virtual Machine (VM) Security: Confirm that VMs are securely configured,
including up- to-date OS patches, strong access controls, and network
isolation.

o Hypervisor Security: Ensure that hypervisors are patched regularly and

monitored for vulnerabilities, as they control the operation of VMs.

o VM Snapshots: Evaluate how VM snapshots are managed, ensuring they are

encrypted and stored securely.

• Cloud Backup G Redundancy:

o Backup Policies: Verify that backups of cloud-based systems and data are
regularly taken, encrypted, and stored in geographically separate
locations.

o Failover Mechanisms: Review failover and disaster recovery plans to ensure

minimal downtime and data loss in case of a cloud service disruption.

15. Mobile Device Management (MDM) G Bring Your Own Device (BYOD)

• MDM Policy Review:

o MDM Policy Enforcement: Ensure that the organization enforces MDM

policies that cover device registration, configuration, and security
enforcement.

o Device Enrollment: Review the process for enrolling devices into the MDM
system, ensuring that only approved and authenticated devices gain
access to corporate networks.

• Mobile Data Encryption:

o Encryption Protocols: Confirm that data on mobile devices, including emails,

files, and other sensitive information, is encrypted using industry standards
(e.g., AES-256).
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Full-Disk Encryption: Verify that mobile devices used to access

corporate data implement full-disk encryption to protect data at
rest.

• Remote Wipe Capabilities:

o Lost Device Protocols: Ensure the MDM solution can remotely wipe lost
or stolen devices to prevent unauthorized access to sensitive
information.
o Selective Wiping: Review the ability to perform selective wipes, which only
remove corporate data, leaving personal data intact for BYOD devices.

• BYOD Security Controls:

o Network Segregation: Ensure that employee-owned devices (BYOD) can

only access specific segments of the network, limiting exposure to critical
systems.

o App Restrictions: Review restrictions on the use of third-party apps that

are not authorized by the organization or that may pose security
risks.

• Mobile Application Security:

o App Whitelisting: Ensure that the organization has implemented app

whitelisting policies that only allow secure and approved apps on
mobile devices.

o Mobile App Penetration Testing: Regularly conduct penetration tests on

internally developed or externally acquired mobile apps to identify
vulnerabilities.

16. Emerging Threats G Advanced Persistent Threat (APT) Detection

• Threat Intelligence Integration:

o Threat Intelligence Feeds: Ensure that the organization subscribes to threat

intelligence feeds from trusted sources to stay informed of emerging
vulnerabilities and attack patterns.

o Proactive Threat Hunting: Implement proactive threat-hunting strategies

that continuously search for potential signs of advanced threats before they
materialize into incidents.

• APT Detection:

o Anomaly Detection Systems: Deploy behavioral analytics and anomaly

detection systems capable of identifying unusual patterns that may
indicate APTs or malicious insiders.

o Threat Simulation Exercises: Regularly conduct red-team exercises to

simulate advanced persistent threats and test the effectiveness of
security defenses.

• Zero-Day Exploit Readiness:

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Vulnerability Management: Review processes in place to identify and manage

zero-day vulnerabilities, such as quickly applying patches or mitigating their
impact through configuration changes.

o Threat Containment: Ensure strategies are in place for containing zero-day

exploits, such as network segmentation, isolating infected machines,
and using honeypots.

• Incident Analysis G Response Automation:

o SIEM (Security Information G Event Management): Confirm the use of SIEM

tools to automate the analysis of security events, alerting security teams to
possible incidents.
o SOAR (Security Orchestration, Automation, and Response): Review whether
SOAR platforms are deployed to automatically respond to incidents and
contain threats, reducing response times.

17. DevOps G DevSecOps Integration

• Continuous Integration/Continuous Delivery (CI/CD) Pipeline Security:

o Security in CI/CD Pipelines: Ensure security checks are embedded within

the CI/CD pipeline, including automated vulnerability scanning, secure
code review, and static analysis.

o Deployment Automation: Review the automation of security tests and

patches during the CI/CD pipeline to minimize the risk of deploying
insecure code.

• Automated Security Testing:

o SAST/DAST: Implement Static Application Security Testing (SAST) and

Dynamic Application Security Testing (DAST) tools to catch security
vulnerabilities during the development cycle.

o Security Gates: Ensure that code can’t be promoted to production unless

it passes security gates at each stage of the pipeline.

• Infrastructure as Code (IaC):

o IaC Security: Validate that infrastructure defined through code (e.g., AWS
CloudFormation, Terraform) is properly configured with security in mind,
such as using secure default configurations.

o Automated Testing for IaC: Ensure that infrastructure as code scripts

undergo automated security testing to prevent the introduction of
vulnerabilities into production environments.

• Access to Development Environments:

o Environment Segregation: Ensure development, staging, and production

environments are properly segregated, with strong access controls limiting
who can deploy changes to production.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Secret Management:

o Secure Storage: Verify that secrets (e.g., API keys, passwords) are securely
stored using secret management tools like HashiCorp Vault or AWS Secrets
Manager.

o Secret Rotation: Ensure that secrets are regularly rotated and that access
to them is monitored and logged.

18. Data Loss Prevention (DLP)

• DLP Tools G Policies:

o DLP Software Deployment: Ensure the deployment of DLP software to

monitor and control the movement of sensitive data across networks,
endpoints, and the cloud.
o DLP Policies: Review DLP policies for protecting sensitive data, such as
personally identifiable information (PII), financial records, and
intellectual property.

• Sensitive Data Monitoring:

o Data In Transit: Confirm that DLP solutions monitor data in transit, especially
outbound communications like emails, file transfers, and uploads to cloud
services.

o Endpoint Monitoring: Ensure that endpoints (desktops, laptops, and mobile

devices) are monitored for the unauthorized transfer of data (e.g., via USB
drives).

• Exfiltration Protections:

o Outbound Traffic Restrictions: Verify that outbound traffic is restricted and

monitored for signs of data exfiltration, especially large data transfers or
encrypted traffic.

o File Type Controls: Ensure that DLP systems enforce controls on the types
of files allowed to leave the organization, such as blocking sensitive
document formats or data fields.

• Data Masking G Tokenization:

o Sensitive Data Masking: Review the use of data masking or tokenization

techniques to protect sensitive data in test environments or non-
production systems.

1G. IoT (Internet of Things) G Operational Technology (OT) Security

• IoT Device Inventory G Management:

o IoT Asset Tracking**: Maintain an updated inventory of all IoT devices

connected to the network, including their configuration and security
status.

o Device Authentication: Ensure that IoT devices are authenticated and

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

authorized before being granted network access.

• Network Segmentation for IoT/OT:

o Segregation Strategies: Implement network segmentation strategies to

isolate IoT and OT devices from critical IT infrastructure to limit potential
attack vectors.

o Firewalls G Access Control: Use firewalls and access control lists (ACLs) to
restrict communication between IoT/OT devices and other network
segments.

• IoT/OT Security Controls:

o Patch Management: Ensure that IoT and OT devices receive timely security
patches and updates, with a process in place to monitor and apply them.

o Vulnerability Scanning: Regularly scan IoT and OT devices for

vulnerabilities and misconfigurations.

• Incident Response for IoT/OT:

o Specific Procedures: Develop incident response procedures tailored to IoT

and OT environments, including how to handle breaches or attacks
specific to these devices.
o Vendor Coordination: Ensure that response plans include coordination
with device vendors for support and guidance during incidents.

20. Artificial Intelligence (AI) G Machine Learning (ML) Security

• AI/ML Model Security:

o Model Integrity: Ensure the integrity of AI/ML models by protecting

them against tampering or unauthorized changes, and verifying the
authenticity of training data.

o Bias and Fairness: Evaluate AI/ML models for biases and fairness to ensure that
they do not unintentionally discriminate or produce unfair outcomes.

• Data Privacy in AI/ML:

o Data Handling: Ensure that data used for training AI/ML models is handled
according to privacy regulations, including data anonymization and
minimization practices.

o Model Outputs: Review how the outputs of AI/ML models are used and
ensure they do not reveal sensitive or personal information inadvertently.

• Adversarial Attacks:

o Defense Mechanisms: Implement defenses against adversarial attacks

that could manipulate AI/ML models, such as input perturbations designed
to deceive the model.

o Robustness Testing: Regularly test AI/ML models for robustness against

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

attacks and ensure they can handle unexpected or malicious inputs

without failing.

• AI/ML System Monitoring:

o Performance Monitoring: Continuously monitor the performance of AI/ML

systems to detect anomalies that could indicate security issues or
degradation in model accuracy.

o Model Drift: Watch for model drift, where the performance of AI/ML models
degrades over time due to changes in data patterns or operational
conditions.

21. Security Awareness G Training

• Training Programs:

o Regular Training: Ensure that all employees undergo regular security

awareness training to stay informed about current threats, best practices,
and organizational policies.

o Tailored Training: Provide specialized training for roles with access to

sensitive information or systems (e.g., IT staff, executives).

• Phishing Simulations:

o Simulated Attacks: Conduct regular phishing simulations to test employees’

responses and raise awareness about phishing threats.

o Response Evaluation: Evaluate the effectiveness of training programs

based on the results of phishing simulations and adjust training content
accordingly.

• Policy Acknowledgment:
o Acknowledgment Forms: Require employees to formally acknowledge
understanding and acceptance of security policies and procedures.

o Policy Updates: Communicate updates to security policies and ensure

employees are aware of changes.

• Security Culture:

o Encouragement G Recognition: Foster a security-conscious culture by

recognizing and rewarding employees who demonstrate good security
practices and report potential issues.

22. Legal G Regulatory Compliance

• Compliance Audits:

o Regular Audits: Schedule regular compliance audits to ensure adherence

to relevant laws and regulations, such as GDPR, HIPAA, or PCI-DSS.

o Audit Findings: Address findings from compliance audits promptly,

implementing corrective actions to address any identified
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

deficiencies.

• Regulatory Updates:

o Ongoing Monitoring: Stay informed about changes in regulatory

requirements and ensure that organizational policies and practices are
updated to maintain compliance.

o Legal Consultation: Consult with legal experts to interpret new or updated

regulations and determine their impact on the organization’s information
systems.

• Documentation G Reporting:

o Compliance Documentation: Maintain detailed documentation of

compliance efforts, including policies, procedures, and evidence of
adherence.

o Regulatory Reporting: Ensure that required reports are submitted to

regulatory bodies in a timely manner, including any required disclosures or
notifications.

• Data Subject Rights:

o Rights Management: Implement processes for managing data subject rights,

including access requests, data rectification, and data deletion in
compliance with privacy regulations.

23. System G Data Integrity

• Integrity Checks:

o Checksums G Hashes: Use checksums and hashes to verify the integrity

of system files, applications, and data to detect unauthorized changes
or corruption.

o Data Validation: Implement data validation techniques to ensure the

accuracy and consistency of data throughout its lifecycle.

• Change Management:
o Change Control: Ensure that all changes to systems and data are
controlled through formal change management processes, including
documentation and approval.

o Configuration Management: Maintain an accurate configuration

management database (CMDB) to track changes to hardware and
software configurations.

• Audit Trails:

o Logging G Monitoring: Ensure comprehensive logging of system and data

changes, with logs monitored and analyzed for signs of tampering or
unauthorized access.

o Log Retention: Implement policies for the secure storage and retention
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

of logs to support forensic investigations and compliance

requirements.

• Data Accuracy:

o Data Ǫuality: Regularly review data for accuracy and completeness,

implementing processes to correct any errors or inconsistencies.

24. Physical G Environmental Controls

• Access Controls:

o Physical Access: Ensure that physical access to critical infrastructure, such

as data centers and server rooms, is restricted to authorized personnel
through access control systems (e.g., key cards, biometrics).

o Visitor Management: Implement visitor management procedures,

including registration, escorting, and monitoring to ensure that visitors do
not have unauthorized access.

• Environmental Controls:

o Temperature G Humidity: Monitor and control temperature and humidity

levels in data centers and server rooms to prevent equipment failure and
data loss.

o Fire Protection: Install and regularly test fire suppression systems (e.g.,
sprinklers, gas- based systems) to protect against fire damage.

• Power G Backup Systems:

o Uninterruptible Power Supplies (UPS): Ensure that UPS systems are in

place to provide backup power in the event of a power outage, with
regular maintenance and testing.

o Generator Testing: Regularly test backup generators to ensure they are

operational and capable of providing power during extended outages.

• Physical Security Policies:

o Security Policies: Develop and enforce physical security policies and

procedures to protect against unauthorized access, theft, and
vandalism.

o Incident Response: Ensure that physical security incidents are promptly

reported, investigated, and addressed according to established
procedures.

Audit Checklist for Cloud Computing

1. Governance and Compliance

• Regulatory Compliance: Verify adherence to relevant regulations (e.g., GDPR

for data protection in the EU, HIPAA for healthcare data in the U.S.). Ensure
that data handling and processing practices align with these regulations.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Service Level Agreements (SLAs): Review the SLA to understand uptime

guarantees, support response times, and performance benchmarks.
Ensure that SLAs align with your business needs and expectations.

• Data Residency: Check where your data is physically stored and processed.
Ensure it complies with regional data residency requirements and legal
regulations.

2. Security Management

• Access Controls: Assess the effectiveness of role-based access control

(RBAC), multi- factor authentication (MFA), and other mechanisms to
restrict access to sensitive data and systems.

• Identity and Access Management (IAM): Review IAM policies to ensure that
users and services have appropriate permissions. Regularly audit and
update IAM configurations to prevent privilege creep.

• Encryption: Ensure data is encrypted using strong encryption standards

both in transit (e.g., TLS/SSL) and at rest (e.g., AES-256). Verify encryption keys
are managed securely.

• Incident Response: Confirm that an incident response plan is in place,

including procedures for identifying, managing, and mitigating security
incidents. Conduct regular drills to test response effectiveness.

3. Data Management

• Backup and Recovery: Ensure that backup processes are automated,

regular, and reliable. Test backup restores periodically to verify data
integrity and recovery procedures.

• Data Integrity: Implement mechanisms to verify data integrity, such as

checksums or hashes, to detect unauthorized changes or corruption.

• Data Retention: Review data retention policies to ensure that data is

retained only as long as necessary and disposed of securely when no
longer needed.

4. Infrastructure and Configuration

• Network Security: Assess network security controls, including firewalls,

intrusion detection/prevention systems (IDS/IPS), and virtual private
networks (VPNs). Ensure that network traffic is monitored and analyzed.

• Configuration Management: Verify that cloud resources are configured

according to security best practices and standards (e.g., CIS benchmarks).
Use configuration management tools to maintain consistency.

• Patching and Updates: Ensure that all systems and applications are regularly
updated with security patches. Implement a process for timely application
of patches and updates.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

5. Monitoring and Logging

• Logging: Confirm that logging is enabled for critical systems and activities.
Logs should capture sufficient detail to support security investigations and
audits.

• Monitoring: Implement continuous monitoring tools to track system

performance, availability, and security. Ensure that monitoring is
configured to detect and alert on anomalies.

• Alerts: Set up alerting mechanisms to notify relevant personnel of

suspicious activities or system issues. Review and refine alert thresholds to
minimize false positives and ensure timely response.

6. Vendor Management

• Vendor Security: Assess the security posture of cloud service providers,

including their security certifications and practices. Review their security
policies and procedures.

• Third-Party Assessments: Obtain and review third-party audit reports, such

as SOC 2 Type II reports, to gain insights into the provider’s security controls
and compliance status.

7. Risk Management

• Risk Assessment: Perform regular risk assessments to identify and evaluate

potential security and operational risks. Use the results to prioritize risk
mitigation efforts.

• Mitigation Strategies: Develop and implement strategies to mitigate

identified risks. Regularly review and update these strategies based on new
threats and changes in the environment.

8. Documentation and Training

• Documentation: Maintain comprehensive documentation of security

policies, procedures, configurations, and changes. Ensure that
documentation is up-to-date and accessible.

• Training: Provide regular training to staff on cloud security practices,

policies, and incident response procedures. Ensure that training is
tailored to different roles and responsibilities.

G. Disaster Recovery and Business Continuity

• Disaster Recovery Plan: Review and test the disaster recovery plan to
ensure it addresses potential disaster scenarios and outlines recovery
procedures. Regularly update the plan based on changes in the
environment.

• Business Continuity: Ensure that business continuity plans are

comprehensive and include procedures for maintaining critical
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

operations during disruptions. Test these plans regularly to validate their

effectiveness.

10. Cost Management

• Cost Tracking: Implement tools and processes to monitor and track cloud
usage and expenses. Review billing statements regularly to identify
unexpected charges.
• Cost Optimization: Evaluate and implement cost optimization
strategies, such as rightsizing instances, using reserved instances, and
leveraging cost-saving features provided by the cloud provider.

11. Service Integration

• Integration Testing: Test integrations between cloud services and on-premises

systems to ensure they function as expected and do not introduce
vulnerabilities or performance issues.

• API Security: Review the security of APIs used for integrating with cloud
services. Implement secure coding practices and validate that APIs
are protected against common threats (e.g., injection attacks, data
breaches).

12. Performance Management

• Performance Metrics: Define KPIs for cloud services and monitor them to
ensure that performance meets expectations. Metrics may include response
times, throughput, and availability.

• Capacity Planning: Review capacity planning processes to ensure they

align with current and anticipated workloads. Implement scalable
solutions to accommodate growth and avoid resource bottlenecks.

13. User Awareness and Management

• User Training: Conduct regular training sessions for users to raise

awareness about cloud security risks and best practices. Update training
materials based on new threats and technologies.

• Privilege Management: Regularly review and adjust user privileges to ensure

they are aligned with job roles and responsibilities. Implement least
privilege principles to minimize access to sensitive data.

14. Change Management

• Change Control Process: Verify that a formal change control process is in

place for managing changes to cloud environments. This should include
change requests, impact assessments, and approval workflows.

• Impact Assessment: Assess the potential impact of changes on security,

performance, and compliance. Ensure that changes are thoroughly tested in
a staging environment before being applied to production.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

15. End-of-Life (EOL) Management

• EOL Policies: Review and enforce policies for managing end-of-life cloud
services and components. Ensure that outdated or unsupported services
are phased out in a controlled manner.

• Data Migration: Develop procedures for migrating data from EOL services to
new platforms or services. Ensure data integrity and minimal disruption
during the migration process.

16. Cloud Architecture Review

• Design Principles: Evaluate cloud architecture against established design
principles such as scalability, redundancy, and fault tolerance. Ensure
that the architecture supports business needs and resilience.

• Scalability and Redundancy: Assess scalability and redundancy measures

to ensure they can handle current and future demands. Implement
solutions to ensure high availability and fault tolerance.

17. Legal and Contractual Obligations

• Legal Review: Conduct a thorough review of legal obligations related to

cloud services, including data protection laws, intellectual property rights,
and contractual terms.

• Contractual Terms: Review and understand the terms of contracts

with cloud providers. Ensure that the terms align with your
requirements and that there are mechanisms for addressing
disputes or breaches.

18. Business Impact Analysis

• Impact Analysis: Perform a business impact analysis to understand the

potential effects of disruptions on business operations. Identify critical
systems and processes that need to be prioritized for recovery.

1G. Audit Trail

• Audit Trail Verification: Ensure that audit trails are maintained for all critical
activities and transactions. Verify that logs are secure, tamper-proof, and
accessible for audits.

• Audit Frequency: Establish and adhere to a schedule for regular audits.

Ensure that audits cover all relevant aspects of the cloud environment
and are conducted by qualified personnel.

20. Emerging Threats and Trends

• Threat Intelligence: Stay informed about emerging threats and trends in

cloud security. Subscribe to threat intelligence feeds and participate in
industry forums to stay updated.

• Adaptive Measures: Regularly review and update security measures to

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

address new threats and vulnerabilities. Implement adaptive strategies to

mitigate risks associated with evolving attack vectors.

Audit Checklist for Web Application

1. Information Gathering

• Architecture Review:

o Understand the application's architecture, including frontend,

backend, APIs, and databases.

o Document the tech stack used (e.g., programming languages,

frameworks, libraries).

• Threat Modeling:
o Identify potential threats and vulnerabilities specific to the application.
o Review attack vectors such as data flow, user inputs, and integration
points.

2. Authentication G Authorization

• Authentication Mechanisms:

o Verify the implementation of strong authentication mechanisms

(e.g., multi- factor authentication).

o Check for secure password policies and storage (e.g., hashing with
bcrypt).
• Session Management:

o Review session management practices (e.g., session timeouts, secure

cookies).
o Ensure proper implementation of session fixation protections.
• Access Controls:

o Validate role-based access controls (RBAC) and other

authorization mechanisms.

o Ensure least privilege principle is applied throughout the application.

3. Input Validation

• Sanitization G Validation:

o Check for proper input validation and sanitization to prevent

injection attacks (e.g., SǪL, XSS).

o Review client-side and server-side validation mechanisms.

• Error Handling:

o Ensure that error messages do not reveal sensitive information.

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Review handling of exceptions and error reporting.

4. Data Protection

• Encryption:

o Verify the use of strong encryption for data at rest and in transit.
o Review encryption key management practices.
• Data Privacy:

o Ensure compliance with relevant data protection regulations

(e.g., GDPR, CCPA).

o Assess the handling of sensitive data, including storage and

transmission practices.

5. Secure Communication

• SSL/TLS:
o Check for proper implementation of SSL/TLS certificates and
configurations.
o Ensure use of strong cipher suites and protocols.
• API Security:

o Review API security practices, including authentication,

authorization, and rate limiting.

o Verify that API endpoints do not expose sensitive data.

6. Application Security

• Code Review:

o Conduct a thorough code review to identify security flaws.

o Look for common vulnerabilities such as hardcoded credentials
or insecure coding practices.

• Dependencies:

o Assess third-party libraries and dependencies for known vulnerabilities.

o Review dependency management and update practices.

7. Security Testing

• Penetration Testing:

o Perform penetration testing to identify exploitable vulnerabilities.

o Review findings and ensure remediation of identified issues.
• Static G Dynamic Analysis:

o Use static analysis tools to detect code-level vulnerabilities.

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Perform dynamic analysis to test the application during runtime.

8. Logging G Monitoring

• Logging:

o Verify that adequate logging is implemented for security-related events.

o Ensure logs are protected and stored securely.
• Monitoring:

o Review monitoring mechanisms to detect and respond to suspicious

activities.
o Check for integration with Security Information and Event
Management (SIEM) systems.

G. Configuration Management

• Server G Application Configurations:

o Review server and application configurations for security best practices.

o Ensure secure defaults and minimal exposure of services.
• Patch Management:

o Check for regular updates and patching of the application and its
components.
o Review the process for handling security advisories and updates.

10. Backup G Recovery

• Backup Practices:

o Verify that regular backups are performed and stored securely.

o Ensure backup data is encrypted and tested for recovery.
• Incident Response:

o Review the incident response plan and its effectiveness.

o Ensure the plan includes procedures for data breaches and security
incidents.

11. Compliance

• Regulatory Requirements:

o Ensure compliance with relevant regulations and industry standards.

o Document any specific compliance requirements relevant to the
application.

12. Documentation G Training

• Documentation:
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Review and update security documentation, including policies and

procedures.
o Ensure documentation is accessible and up-to-date.
• Training:

o Assess training programs for developers and staff on security best

practices.
o Ensure regular security awareness training is provided.

13. Advanced Threat Detection

• Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS):

o IDS/IPS Configuration:
▪ Ensure IDS/IPS is configured to monitor and analyze traffic for
suspicious activities.

▪ Verify that IDS/IPS rules are up-to-date with the latest threat
signatures and anomaly detection capabilities.

o Alert Management:
▪ Check that alerts from IDS/IPS are monitored in real-
time and appropriate actions are taken based on
severity.
▪ Assess integration with incident management systems for
automated response.

• Anomaly Detection:

o Behavioral Analysis:
▪ Implement tools that use machine learning to analyze
patterns and detect deviations from normal behavior.

▪ Ensure the system learns and adapts to legitimate changes

in usage patterns to reduce false positives.

o Baseline Establishment:
▪ Establish a baseline for normal application behavior to
better identify anomalies.

▪ Regularly update the baseline to reflect changes in user

behavior and application functionality.

• Threat Intelligence:

o Integration:
▪ Integrate threat intelligence feeds that provide information on
emerging threats, vulnerabilities, and attack trends.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

▪ Ensure feeds are relevant to your specific technology stack

and threat landscape.

o Actionable Insights:
▪ Use threat intelligence to inform defensive strategies, update
security policies, and improve detection capabilities.

▪ Regularly review and adapt security measures based on the

latest threat intelligence.

14. Database Security

• Database Configuration:

o Hardening:
▪ Disable unnecessary features and services in the database (e.g.,
remote access, unused ports).

▪ Implement least privilege access controls for database users.

o Secure Accounts:
▪ Use strong, unique passwords for database accounts.

▪ Regularly rotate credentials and monitor account activity.

• SǪL Injection Protections:

o Parameterized Ǫueries:
▪ Ensure all database queries are parameterized to prevent
injection attacks.

▪ Review code for any instances of dynamic query

construction without proper sanitization.

o ORM Tools:
▪ Use ORM tools that abstract direct database access and
mitigate the risk of SǪL injection.

▪ Validate that ORM configurations do not introduce

vulnerabilities.

• Database Activity Monitoring:

o Logging:
▪ Enable detailed logging of database activities, including query
execution and user actions.

▪ Ensure logs are securely stored and protected from tampering.

o Alerting:
▪ Set up alerts for suspicious database activities, such as
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

unusual query patterns or unauthorized access attempts.

▪ Review and respond to alerts in a timely manner.

15. Content Delivery Network (CDN) Security

• CDN Configuration:

o Assess the configuration of any CDNs used for content distribution.

o Ensure proper caching policies, SSL enforcement, and DDoS protection
settings.
• Edge Security:

o Verify that edge rules are in place to prevent attacks such as

cross-origin resource sharing (CORS) misuse or cache
poisoning.

16. Cloud Security (If Applicable)

• Cloud Configuration:

o Review the security configuration of cloud infrastructure (e.g.,

AWS, Azure, GCP).

o Ensure secure use of cloud services, including Identity and Access

Management (IAM), virtual private networks, and encryption.

• Cloud-specific Vulnerabilities:
o Assess cloud resources for misconfigurations such as open storage
buckets, unsecured databases, or excessive permissions.

o Review cloud audit logs and cloud-specific security services (e.g., AWS
Security Hub).

17. Third-party Integrations G External Services

• Third-party API Integrations:

o Review the security of third-party APIs and services integrated

with the web application.

o Ensure proper authentication (e.g., OAuth, API keys) and data

validation when interacting with external systems.

• External Libraries G Packages:

o Conduct a thorough inventory of all external libraries, packages, and

plugins.
o Use tools like Snyk or OWASP Dependency-Check to scan
for known vulnerabilities in dependencies.

18. Business Logic G Application Workflow

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Business Logic Abuse:

o Review application logic for vulnerabilities that may allow users

to bypass workflows or gain unauthorized privileges.

o Check for improper implementation of logic that handles financial

transactions, promotions, or data modifications.

• Race Conditions:

o Test for race condition vulnerabilities that could allow attackers

to exploit concurrency issues (e.g., making multiple requests
simultaneously to gain unintended benefits).

• Anti-Automation G Anti-Scraping Mechanisms:

o Ensure CAPTCHA, rate limiting, and anti-bot mechanisms are

implemented to protect against brute force, scraping, and
automated attacks.

1G. Mobile Application Interface (If Applicable)

• Mobile App Communication:

o Ensure secure communication between the mobile application

and backend APIs.

o Check for proper certificate pinning and encryption of data sent from
the mobile app.

• Mobile App Security Review:

o Perform security testing on any mobile apps that interact with
the web application, including reverse engineering, traffic analysis,
and local storage checks.

o Validate that sensitive information is not stored insecurely on

mobile devices (e.g., in plaintext or accessible logs).

20. Red Team/Blue Team Exercises

• Red Team Testing:

o Engage a Red Team (simulated attack group) to test the

application’s defense mechanisms.

o Evaluate how the system responds to real-world attack scenarios,

including social engineering, privilege escalation, and lateral
movement.

• Blue Team (Defense):

o Ensure the Blue Team (defensive team) is monitoring for attacks

and has an effective incident response plan.

o Review how quickly and effectively the Blue Team can detect,
contain, and mitigate attacks.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

21. User Experience (UX) Security

• User Behavior Testing:

o Ensure user interfaces prevent phishing and social engineering attacks.

o Check that users are informed of security-relevant events (e.g., login
from a new device, password changes).

• Security Awareness in UX:

o Assess the clarity of security warnings and prompts (e.g.,

clarity of 2FA instructions, password strength meters).

o Validate that user experience does not encourage insecure

behavior (e.g., providing overly complex password requirements
that lead to poor choices).

22. Supply Chain Security

• Supply Chain Risk Assessment:

o Identify potential risks from third-party vendors and suppliers in the

software supply chain.

o Ensure contracts with vendors include security requirements and

compliance checks.

• Code Signing G Integrity:

o Ensure code signing mechanisms are in place to verify the

integrity of the software.
o Review build pipelines for proper security practices (e.g., use of
secure CI/CD tools, verification of source integrity).

23. Continuous Integration/Continuous Deployment (CI/CD) Pipeline Security

• Build Environment Security:

o Secure the CI/CD pipeline by limiting access to build servers and

repositories.
o Verify that security scans (e.g., static code analysis, dependency
checks) are integrated into the CI/CD pipeline.

• Pipeline Secrets Management:

o Ensure proper secrets management for tokens, keys, and sensitive

information in build environments.

o Use dedicated secret management services (e.g., HashiCorp Vault,

AWS Secrets Manager) to securely handle secrets in the pipeline.

24. Zero Trust Architecture (ZTA)

• Zero Trust Principles:

INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Assess if Zero Trust principles are implemented (e.g., micro-

segmentation, continuous authentication).

o Ensure strict verification of every request, assuming no implicit

trust inside or outside the network.

• Microservices Security (If Applicable):

o Review security between microservices, ensuring each

has proper authentication and encryption.

o Ensure that no microservice trusts another by default, and

communication is secured.

25. Decommissioning G Data Disposal

• Data Deletion Policy:

o Review policies for secure data deletion when no longer needed

(e.g., after account closure or subscription expiration).

o Ensure that all backups, logs, and remnants of sensitive data are
securely deleted in line with data retention policies.

• Decommissioning of Resources:

o Assess the decommissioning process for old servers, databases, or

application components.

o Ensure that old infrastructure is properly wiped, or data is

securely deleted before decommissioning.

26. Business Logic Vulnerabilities

• Business Logic Review:

o Assess whether the application’s workflow and logic have

weaknesses that could be exploited (e.g., bypassing payments,
improper workflow validation).

o Review areas where user actions might manipulate

business rules unintentionally or maliciously.

• Edge Case Testing:

o Test the application for unexpected behavior under unusual

circumstances (e.g., large payloads, unexpected input sequences).

o Validate that all business processes perform as intended under

high load, concurrency, or unusual conditions.

27. Third-Party Integrations

• Third-Party Services:

o Review security practices of any third-party services or APIs

integrated into the application.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Verify proper use of OAuth, API tokens, and secure communication

channels.
• Supply Chain Risks:

o Ensure that dependencies from external vendors, libraries, and

services are secure and up-to-date.

o Review the process for evaluating and monitoring third-party risks.

28. Security Misconfigurations

• Application Configuration:

o Check for unnecessary features (e.g., default accounts, debug

modes, overly verbose error messages).

o Verify that sensitive configuration files (e.g., .env files, database

credentials) are not exposed.

• Infrastructure Configuration:

o Review the server configuration for secure settings (e.g., directory

listings, CORS policies, HTTP headers).

o Ensure firewalls, intrusion detection systems (IDS), and intrusion

prevention systems (IPS) are properly configured.

2G. Rate Limiting and DoS Protection

• Rate Limiting:

o Check for mechanisms to prevent abuse of resources through

excessive requests (e.g., login attempts, API requests).
o Validate that the application can handle Denial of Service (DoS)
attacks and throttles requests appropriately.

• Bot and CAPTCHA Protection:

o Review the effectiveness of CAPTCHA and other mechanisms

to prevent automated attacks like credential stuffing or
scraping.

30. Content Security Policy (CSP)

• CSP Implementation:

o Verify that a robust Content Security Policy (CSP) is in place to

mitigate Cross- Site Scripting (XSS) and other code injection
attacks.

o Ensure CSP settings restrict loading of resources to trusted domains.

31. Cross-Site Request Forgery (CSRF) Protection

• CSRF Tokens:
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

o Verify that the application implements anti-CSRF tokens in sensitive

operations (e.g., form submissions, state-changing actions).

o Check that tokens are validated and rotated appropriately to

prevent session hijacking.

32. File Upload and Download Security

• File Upload Validation:

o Ensure uploaded files are validated for size, type, and

content before processing.

o Verify that uploaded files are scanned for malware and stored
securely (e.g., outside the webroot).

• File Download:

o Review file download functionalities to ensure files are served

securely and prevent unauthorized access.

33. Security Headers

• HTTP Security Headers:

o Review the use of security-related HTTP headers such as Strict-

Transport- Security, X-Content-Type-Options, X-Frame-Options,
and Referrer-Policy.

o Ensure headers are properly configured to mitigate common web

vulnerabilities like clickjacking and MIME sniffing.

o Strict-Transport-Security (HSTS): Implement HSTS to enforce HTTPS

and prevent downgrade attacks. Set appropriate max-age and include
subdomains if applicable.

o X-Content-Type-Options: Use the X-Content-Type-Options header to

prevent MIME type sniffing.
o X-Frame-Options: Implement X-Frame-Options to prevent clickjacking
attacks.
o Referrer-Policy: Configure the Referrer-Policy header to control the
amount of referrer information shared with other sites.

34. Mobile Compatibility (if applicable)

• Mobile App Security:

o Secure Storage: Ensure sensitive data is stored securely on mobile

devices, using encrypted storage mechanisms provided by the
platform.

o Secure Communication: Use HTTPS for all communications

between the mobile app and the backend server. Validate SSL/TLS
certificates and protect against certificate pinning bypasses.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK

• Authentication and Authorization:

o Mobile Authentication: Implement secure authentication methods

for mobile apps, such as biometric authentication or token-based
authentication.

o Access Controls: Apply robust access controls to protect sensitive

functionality and data within the mobile app.

35. Cloud Security (if applicable)

• Cloud Infrastructure Review:

o If the application is hosted in the cloud, assess the security of cloud

services (e.g., storage, network configurations, security groups).

o Verify the implementation of identity and access management

(IAM) best practices for cloud environments.

• Container Security:

o If using containers (e.g., Docker, Kubernetes), review security

practices for container images, orchestration, and network
isolation.
INFORMATIONAL TECHNOLOGY AUDIT CHECKLIST: INFRASTRUCTURE & NETWORK