IT Auditing: Using Controls to Protect Information Assets [IT AUDITING -OS N/D]
Application Best Practices
Checklist for Best Practices
- Apply defense-in-depth.
- Use a positive security model.
- Fail safely.
- Run with least privilege.
- Avoid security by obscurity.
- Keep security simple.
- Detect intrusions and keep logs.
- Never trust infrastructure and services.
- Establish secure defaults.
- Use open standards.
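Several of the checklist items above (positive security model, fail safely, least privilege, keep logs) are easier to audit when you can see what they look like in code. The following is an added example, not code from the book or any product it describes; the names (ALLOWED_ACTIONS, ROLE_PERMISSIONS, Request, authorize, blocklist_authorize) and the sample roles and invoice-id format are constructed for illustration.

```python
"""Added example: a positive security model that fails safely and grants least privilege.
All identifiers and sample data here are hypothetical, constructed for this illustration."""
import logging
import re
from dataclasses import dataclass

logging.basicConfig(level=logging.INFO)
log = logging.getLogger("app.security")

# Positive security model: enumerate what IS allowed; anything else is rejected.
ALLOWED_ACTIONS = {"view_invoice", "create_invoice", "approve_invoice"}

# Least privilege: each role receives only the actions it needs (constructed sample data).
ROLE_PERMISSIONS = {
    "clerk": {"view_invoice", "create_invoice"},
    "manager": {"view_invoice", "approve_invoice"},
}

# Allow-list pattern for the identifier format; nothing outside it reaches the business logic.
INVOICE_ID = re.compile(r"^INV-\d{6}$")


@dataclass
class Request:
    user: str
    role: str
    action: str
    invoice_id: str


def validate_input(req):
    """Allow-list input validation: returns (ok, reason)."""
    if req.action not in ALLOWED_ACTIONS:
        return False, "unknown action"
    if not INVOICE_ID.fullmatch(req.invoice_id):
        return False, "malformed invoice id"
    return True, "ok"


def authorize(req):
    """Fail safely: every unexpected condition ends in deny, and every decision is logged
    so the audit trail records refusals as well as grants."""
    try:
        ok, reason = validate_input(req)
        if not ok:
            log.warning("DENY user=%s action=%s reason=%s", req.user, req.action, reason)
            return False
        # An unknown role raises KeyError; the except clause turns that into a deny.
        if req.action not in ROLE_PERMISSIONS[req.role]:
            log.warning("DENY user=%s action=%s reason=role %s not permitted",
                        req.user, req.action, req.role)
            return False
        log.info("ALLOW user=%s action=%s invoice=%s", req.user, req.action, req.invoice_id)
        return True
    except Exception as exc:  # deliberately broad: an internal error must never grant access
        log.error("DENY user=%s action=%s reason=internal error %r", req.user, req.action, exc)
        return False


# Negative security model, shown only to contrast with the allow-list above:
# it fails open, so any action nobody thought to block is silently permitted.
BLOCKED_ACTIONS = {"delete_invoice"}


def blocklist_authorize(action):
    return action not in BLOCKED_ACTIONS
```

When auditing an application, look for the shape of `authorize`: an explicit allow-list, an explicit per-role permission set, a deny on any exception, and a log line on every path. The `blocklist_authorize` variant is the pattern to flag, because a new or misspelled action name passes straight through.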
Auditing Applications
Checklist for Auditing Applications
- Review and evaluate data input controls.
- Determine the need for error/exception reports related to data integrity, and evaluate whether this need has been fulfilled.
- Review and evaluate the controls in place over data feeds to and from interfacing systems.
- In cases where the same data are kept in multiple databases and/or systems, periodic ‘sync’ processes should be executed to detect any inconsistencies in the data.
- Review and evaluate the audit trails present in the system and the controls over those audit trails.
- The system should provide a means to trace a transaction or piece of data from the beginning to the end of the process enabled by the system.
- The application should provide a mechanism that authenticates users based, at a minimum, on a unique identifier for each user and a confidential password.
- Review and evaluate the application's authorization mechanism to ensure that users are not allowed to access any sensitive transactions or data without first being authorized by the system's security mechanism.
- Ensure that the system's security/authorization mechanism has an administrator function with appropriate controls and functionality.
- Determine whether the security mechanism enables any applicable approval processes.
- Ensure that a mechanism or process has been put in place that suspends user access on termination from the company or on a change of jobs within the company.
- Verify that the application has appropriate password controls.
- Review and evaluate processes for granting access to users. Ensure that access is granted only when there is a legitimate business need.
- Ensure that users are automatically logged off from the application after a certain period of inactivity.
- Evaluate the use of encryption techniques to protect application data.
- Evaluate application developer access to alter production data.
- Ensure that the application software cannot be changed without going through a standard checkout/staging/testing/approval process after it is placed into production.
- Evaluate controls around code checkout, modification, and versioning.
- Evaluate controls around the testing of application code before it is placed into a production environment.
- Ensure that appropriate backup controls are in place.
- Ensure that appropriate recovery controls are in place.
- Evaluate controls around the application's data retention.
- Evaluate controls around data classification within the application.
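Two of the checklist items above, the audit trail with controls over it and the automatic logoff after inactivity, can be illustrated together. The following is an added example and not code from the book: a hash-chained, append-only audit trail that makes deletion or edits in the middle detectable, and a session store that forces logoff after an idle period and records that event. The class names (AuditTrail, SessionStore), the IDLE_TIMEOUT value and the sample sessions are assumptions made for this illustration.

```python
"""Added example: tamper-evident audit trail plus idle-session logoff.
All names, the timeout value and the sample data are hypothetical."""
import hashlib
import json

IDLE_TIMEOUT = 15 * 60  # assumed policy: force logoff after 15 minutes of inactivity (seconds)

GENESIS = "0" * 64  # previous-hash value for the first record


def _digest(record):
    # Canonical JSON so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only log; each record carries the hash of the previous one, so removing
    or editing a record in the middle breaks the chain and is caught by verify()."""

    def __init__(self):
        self.records = []
        self.last_hash = GENESIS

    def append(self, user, event, detail, ts):
        record = {"ts": ts, "user": user, "event": event, "detail": detail, "prev": self.last_hash}
        record["hash"] = _digest(record)
        self.records.append(record)
        self.last_hash = record["hash"]

    def verify(self):
        """Walk the chain; returns False on the first broken link or altered record."""
        prev = GENESIS
        for rec in self.records:
            if rec["prev"] != prev:
                return False
            body = {k: v for k, v in rec.items() if k != "hash"}
            if _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class SessionStore:
    """Tracks last activity per session and logs users off after the idle timeout."""

    def __init__(self, audit, timeout=IDLE_TIMEOUT):
        self.sessions = {}  # session_id -> (user, last_activity_ts)
        self.audit = audit
        self.timeout = timeout

    def login(self, session_id, user, now):
        self.sessions[session_id] = (user, now)
        self.audit.append(user, "login", session_id, now)

    def touch(self, session_id, now):
        """Called on every request. Returns the user if the session is live; otherwise
        expires the session, writes an auto_logoff record and returns None."""
        entry = self.sessions.get(session_id)
        if entry is None:
            return None
        user, last = entry
        if now - last > self.timeout:
            del self.sessions[session_id]
            self.audit.append(user, "auto_logoff", session_id, now)
            return None
        self.sessions[session_id] = (user, now)
        return user


if __name__ == "__main__":
    trail = AuditTrail()
    store = SessionStore(trail, timeout=900)
    store.login("s1", "alice", 1000)      # constructed timestamps, in seconds
    print(store.touch("s1", 1500))        # alice: 500 s idle, still live
    print(store.touch("s1", 2401))        # None: 901 s idle, logged off
    print(trail.verify())                 # True: chain intact
```

During an audit, the questions to ask of a real system are the ones this sketch answers: can a record be removed without leaving a trace (here the chain breaks), does the idle logoff actually happen and get recorded (here `touch` both expires and logs), and can a single session id be followed from login to logoff (here it is the `detail` of each record).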