Risk Controls Testing Matrix: A. Administrative

Columns: Risk | Control | Test / Question | Results Expected (Best practice) | Actual

A1. Risk: Copyright violation; user access to sensitive information.
Control: Adequate measures to account for and maintain user licenses. Appropriate approval process for creating and removing users from the system.
Test / Question:
1. What are the procedures for user registration and certification, including servers, groups and users?
2. Determine if requests for access are recorded and approved.
3. Determine if licenses are in place for all users.
4. What is the process for removal of users?
Results Expected (Best practice): There should be enough licenses for current users and planned future users. Requests to create a user ID should be approved by management, and these requests should be recorded.
Actual:
A2. Risk: Inadequately trained administrators.
Control: Administrators are appropriately trained.
Test / Question:
1. Determine the roles and responsibilities of Lotus Notes Group members.
2. What training do Notes administrators receive?
Results Expected (Best practice): Clearly defined roles and segregation of duties. Administrators are trained on a periodic basis, follow the latest Lotus Notes news about patch fixes and vulnerabilities, and are aware of the latest exposures or vulnerabilities in the Notes environment.
Actual:
B.1 Risk: Non-availability of company systems for an extended period in the event of a contingency.
Control: Adequate backup routines; data stored at an off-site facility; tests and procedures to recover data on a timely basis.
Test / Question:
1. Review the backup and recovery procedures.
2. Ensure the NAB (Name and Address Book) is adequately backed up, including any shared mail.
3. Review the system contingency / disaster recovery plans.
4. Determine that documentation describing system recovery in the event of data loss or disaster is sufficient.
5. Determine if the disaster recovery plan has been tested.
6. Review retention of backups.
7. Determine use of remote-site storage facilities.
Results Expected (Best practice): Data from Notes servers is backed up and taken off-site on a regular basis. Contingency plans are up to date and have been distributed to all personnel concerned. Plans are tested periodically to identify weaknesses, and corrective action is planned for any weakness found.
Actual:

C.1 Risk: Unauthorized access to sensitive information.
Control: Appropriate procedures should be followed to provide only authorized access to databases.
Test / Question:
1. Determine if access to MAIL.BOX is properly restricted.
2. How is the ACL managed? If individuals are used instead of groups, ask for justification.
Results Expected (Best practice): Only Notes administrators should have access to the MAIL.BOX database. ACLs should use groups rather than individual names.
Actual:
C.2 Risk: Unauthorized physical access to servers and other related computer equipment; damage caused by environmental factors.
Control: Physical access controlled by placing access restrictions. Fire, smoke and water detection devices are in place, together with adequate fire-extinguishing equipment.
Test / Question:
1. Determine if adequate fire, smoke and water detection devices are used, with the necessary means of extinguishing fires and removing smoke and water.
2. Determine that the devices are tested and certified regularly.
3. Determine if servers are properly secured. Evaluate the use of physical security over the environment, i.e. locks, badge readers, special enclosures, alarms or other forms of access control.
Results Expected (Best practice): Adequate physical security for all servers and other equipment.
Actual:
D.1 Risk: Unauthorized access to the Notes server.
Control: Server administration that restricts access to authorized personnel.
Test / Question:
1. Are restricted or unrestricted agents allowed on the server?
2. Is access to the servers denied to all former employees?
3. Is internet access to the server secure?
4. Is the server machine logically secure (OS)?
5. How is wireless access to the Notes servers set up?
6. Are Sametime and QuickPlace applications being used?
7. Is there any direct dial-in access to any of the Notes servers? Is this through the AT&T global dialer?
Results Expected (Best practice): Unrestricted agents should not be allowed to run. Former employees should not have access; their names should be included in the deny-access list. The Notes part of the server machine should not be accessible to regular users.
Actual:
E.1 Risk: Unauthorized access to sensitive information.
Control: Adequate user creation and deletion procedures.
Test / Question:
1. How are the IDs stored after creation (for when people forget their passwords), and how are they stored after they have been distributed to the user?
2. Evaluate the adequacy of procedures for reclaiming IDs. Ensure only active employees are listed in the address book and former employees are denied access.
3. Who has access to server.id and certifier IDs? [Do server IDs have passwords on them?]
4. Are security violations investigated? Are they investigated in a timely manner?
5. Are minimum password length requirements set and enforced (what is the standard minimum length)?
Results Expected (Best practice): User ID files should be stored in a secure location where only Notes administrators have access, and distributed securely when users forget passwords. Appropriate procedures should be in place to reclaim IDs from employees who leave the company. Access to the Notes directory should be secured, as should server.id and user ID files. Access to server and certifier IDs should be granted on a need basis, with password management in place.
Actual:
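The ACL-related tests in C.1, D.1 and E.1 (only administrators able to read MAIL.BOX, groups rather than individuals in ACLs, former employees denied access) can be run mechanically against an ACL export. The checker below is an added example, not part of the matrix or of any Notes tooling; the record layout, the LocalDomainAdmins group name and all names and databases are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

# Notes access levels, lowest to highest. Depositor can add documents but not
# read them, so only Reader and above count as access to a database here.
LEVELS = ["No Access", "Depositor", "Reader", "Author", "Editor", "Designer", "Manager"]
ADMIN_GROUP = "LocalDomainAdmins"        # assumed name of the Notes administrators' group
SPECIAL = {"-Default-", "-Anonymous-"}   # ACL pseudo-entries, not people

@dataclass(frozen=True)
class AclEntry:
    database: str    # e.g. "mail.box"
    name: str        # canonical Notes name or group name
    entry_type: str  # "Person", "Person Group", "Server", "Server Group", "Unspecified"
    access: str      # one of LEVELS

def can_read(e: AclEntry) -> bool:
    return LEVELS.index(e.access) >= LEVELS.index("Reader")

def mailbox_non_admin_access(acl):
    """C.1 test 1: entries other than the admin group or a server that can read MAIL.BOX."""
    return sorted(e.name for e in acl if e.database.lower() == "mail.box" and can_read(e)
                  and e.name != ADMIN_GROUP and "Server" not in e.entry_type)

def individual_entries(acl):
    """C.1 test 2: Person entries used where a group should be; each needs justification."""
    return sorted((e.database, e.name) for e in acl
                  if e.entry_type == "Person" and e.name not in SPECIAL)

def former_employee_gaps(acl, deny_group, former):
    """D.1 test 2 / E.1 test 2: leavers still holding access, and leavers not in the deny list."""
    still_listed = sorted({e.name for e in acl if e.name in former and e.access != "No Access"})
    not_denied = sorted(set(former) - set(deny_group))
    return still_listed, not_denied

# Constructed sample data standing in for an ACL export, the deny-access group and HR's leaver list.
SAMPLE_ACL = [
    AclEntry("mail.box", "LocalDomainAdmins", "Person Group", "Manager"),
    AclEntry("mail.box", "CN=Hub01/O=Acme", "Server", "Manager"),          # servers must route mail
    AclEntry("mail.box", "-Default-", "Unspecified", "Depositor"),        # submit only, cannot read
    AclEntry("mail.box", "CN=Jane Doe/O=Acme", "Person", "Editor"),       # finding: non-admin reader
    AclEntry("sales.nsf", "Sales", "Person Group", "Editor"),
    AclEntry("sales.nsf", "CN=Bob Leaver/O=Acme", "Person", "Author"),    # finding: leaver with access
]
SAMPLE_DENY_GROUP = ["CN=Old Staff/O=Acme"]
SAMPLE_FORMER = ["CN=Bob Leaver/O=Acme", "CN=Old Staff/O=Acme"]

if __name__ == "__main__":
    print("MAIL.BOX readers outside admin group:", mailbox_non_admin_access(SAMPLE_ACL))
    print("Individual ACL entries needing justification:", individual_entries(SAMPLE_ACL))
    print("Former-employee gaps:", former_employee_gaps(SAMPLE_ACL, SAMPLE_DENY_GROUP, SAMPLE_FORMER))
```

Each non-empty result is a line for the "Actual" column; a Depositor entry on MAIL.BOX is deliberately not flagged, since mail submission does not give read access.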
F.1 Risk: Viruses and Trojans could inflict loss of data.
Control: Procedures to check for viruses on mail servers.
Test / Question:
1. Determine to what degree executable programs are allowed to be uploaded.
2. Determine if anti-virus software is installed on all platforms.
3. Are stored forms used?
4. Was incoming mail automatically encrypted at the
Results Expected (Best practice): Anti-virus software should be installed on all mail servers. SMTP mail servers should be configured so that they are not accessible as open relays. E-mail delivered to users should be checked for viruses. Stored forms should not be used, or Execution Control Lists should be utilized.
Actual: