
Pages: 73 (18166 words) Published: March 22, 2011
IT Audit: Security Beyond the Checklist
This paper is from the SANS IT Audit site. Reposting is not permitted without express written permission.

Copyright SANS Institute Author Retains Full Rights

Interested in learning more?
Check out the list of upcoming events offering "IT Security Audit and Control Essentials (Audit 410)" at http://it-audit.sans.org/events/

Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

© SANS Institute 2003, As part of GIAC practical repository.

Barry Cox GSNA Practical Version 2.1


AUDITING YOUR DATA CENTER ACCESS CONTROL SYSTEM: AN INDEPENDENT AUDITORS PERSPECTIVE

Author retains full rights.

Abstract

A thorough audit of any system looks at the physical access to the server(s). In most cases the data center is where that system resides. The ability to properly control and monitor access to a corporate data center has become a large task. Gone are the days of key or code locked doors. Today electronic access control systems are required: access control systems that use the very technology they are designed to protect. The ability to properly audit your access control system is the key first step to protecting all of the systems that reside within any secure data facility.


TABLE OF CONTENTS

ASSIGNMENT ONE
  COMPANY OVERVIEW
  THE SYSTEM
  EVALUATING SYSTEM RISK
  CURRENT STATE OF PRACTICE

ASSIGNMENT TWO
  CHECKLIST ITEM ONE - SERVICE PACKS AND HOT FIXES FOR SERVER
  CHECKLIST ITEM TWO - SERVER ACCOUNT PASSWORD POLICIES
  CHECKLIST ITEM THREE - BACKUP PROCEDURES FOR WORKSTATIONS AND SERVER
  CHECKLIST ITEM FOUR - GENERAL SERVER VULNERABILITY CHECK
  CHECKLIST ITEM FIVE - REMOTE CONSOLE MANAGEMENT OF THE SERVER
  CHECKLIST ITEM SIX - GMS32 APPLICATION ACCOUNT PASSWORD POLICIES
  CHECKLIST ITEM SEVEN - APPLICATION PRIVILEGE ASSIGNMENT
  CHECKLIST ITEM EIGHT - BACKUP AND RESTORE PROCEDURES FOR THE APPLICATION
  CHECKLIST ITEM NINE - SERVER CONFIGURED AND HARDENED DURING INSTALLATION
  CHECKLIST ITEM TEN - PHYSICAL SECURITY OF THE SYSTEM CONSOLES
  CHECKLIST ITEM ELEVEN - BUSINESS CONTINUITY OR CONTINGENCY PLANNING
  CHECKLIST ITEM TWELVE - SYSTEM MODIFICATION\CHANGE MANAGEMENT
  CHECKLIST ITEM THIRTEEN - APPLICATION ALARM RESPONSE
  CHECKLIST ITEM FOURTEEN - TRAFFIC ENCRYPTION\INTERCEPTION
  CHECKLIST ITEM FIFTEEN - ANTI-VIRUS PRACTICES FOR THE SERVER
  CHECKLIST ITEM SIXTEEN - APPROVING REQUESTS FOR DATA CENTER ACCESS
  CHECKLIST ITEM SEVENTEEN - PROCESS FOR REMOVAL/CHANGE OF ACCESS
  CHECKLIST ITEM EIGHTEEN - SECURITY AWARENESS PROGRAM
  CHECKLIST ITEM NINETEEN - SERVER DIALUP SUPPORT MODEM CONTROL
  CHECKLIST ITEM TWENTY - RESTRICTED VPN ACCOUNT FOR VENDOR

ASSIGNMENT THREE
  DECISION CRITERIA FOR 10 CHECKLIST ITEM TO BE PERFORMED
  TEST ITEM #1
  TEST ITEM #2
  TEST ITEM #3
  TEST ITEM #4
  TEST ITEM #5
  TEST ITEM #6
  TEST ITEM #7
  TEST ITEM #8
  TEST ITEM #9
  TEST ITEM #10

ASSIGNMENT FOUR
  EXECUTIVE SUMMARY
  OBSERVATION #1 CHECKLIST ITEM #1 – PATCHES AND FIXES
  OBSERVATION #2 CHECKLIST ITEM #2 – SERVER ACCOUNT PASSWORD POLICIES
  OBSERVATION #3 CHECKLIST ITEM #4 – GENERAL...