8.4. NGO IT Audit Checklist

The document is a security audit checklist for NGOs. It covers the security program, policies, training and awareness, personnel and physical security, network security, logical access, operations management, incident management and business continuity, and asks specific questions about roles and responsibilities, third-party agreements, employee training, access controls, monitoring, secure disposal and disaster recovery plans. For each question the auditor records a status, the client's response and remarks, so the checklist doubles as evidence that the organization has the controls in place to protect sensitive information.

Uploaded by Camilo Arboleda

NGO Name:

Security Audit Checklist

1 Security Program

1.1 Roles & Responsibilities
Has your organization formally appointed a central point of contact for security coordination?
a) If so, whom, and what is their position within the organization?
b) Are their responsibilities clearly documented, e.g. in job descriptions and the information security policy?

1.2 External Parties
Do you work with third parties, such as IT service providers, that have access to your information?
a) Does your organization have Business Associate agreements (or equivalent third-party / data-processing agreements) in place with these third parties?
b) If not, what controls does your organization have in place to monitor and assess third parties? e.g. logging of VPN connections.

2 Security Policy

2.1 Information Security Policy & Procedures
Do you have documented information security policies and procedures?
a) Do you have a formal information classification procedure? Please describe it, e.g. critical, essential and normal.
b) Have formal acceptable use rules been established for assets? Example assets include data, computer equipment, communications equipment, etc.
c) Do you have formal processes in place for security policy maintenance and exceptions?

3 Training & Awareness

3.1 During Employment – Training, Education & Awareness
a) Have your employees been provided formal information security training?
b) Have policies been communicated to your employees? Are periodic security reminders provided? e.g. new employee orientation, yearly training, posters in public areas, email reminders.

4 Personnel Security

4.1 Prior to Employment – Terms and Conditions of Employment
Are your employees required to sign a non-disclosure and/or confidentiality agreement at initial employment? If so, are employees required to re-sign it annually?

4.2 Termination or Change in Employment
Do you have a formal process to manage the termination or transfer of employees? e.g. all equipment returned, user IDs disabled, badges and/or keys returned.

5 Physical Security

5.1 Secure Area
Do you have effective physical access controls (e.g. door locks) in place that prevent unauthorized access to facilities?
a) How are physical access controls authorized (who is responsible for ensuring that only appropriate persons have keys or codes to the facility and to locations within the facility)?
b) Are there policies and procedures to document repairs and modifications to physical components of the facility that are related to security?

6 Network Security

6.1 Application and Information Access Control – Sensitive System Isolation
Network and/or application segregation:
a) Are systems and networks that host, process or transfer sensitive information protected (isolated or separated) from other systems and networks?
b) Are internal and external networks separated by firewalls with access policies and rules?
c) Is there a standard approach for protecting network devices to prevent unauthorized access, network-related attacks and data theft? e.g. firewall between public and private networks, internal VLANs, firewall separation, separate WLAN network, and/or a secure patient portal.

6.2 Encryption
Is sensitive information transferred to external recipients? If so, are controls in place to protect sensitive information in transit (e.g. encryption)?

6.3 Vulnerability Assessment
How often do you perform periodic vulnerability scans of your information technology systems, networks and supporting security systems? e.g. internal assessments, third-party assessments, automated scanning.

6.4 Monitoring
Are third-party connections to your network monitored and reviewed to confirm authorized access and appropriate usage? e.g. VPN logs, server event logs, automated alerts, regular review of logs or reports.
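Item 6.4 asks whether third-party connections are reviewed against what was actually authorized. The following is an added example of such a review, not part of the original checklist: it reads a VPN login export and flags every non-staff login that has no agreement on file (item 1.2), comes from outside the network agreed with that vendor, or falls outside the agreed maintenance window. The log line format, the account and vendor names, the staff list and the register itself are constructed assumptions standing in for a real concentrator export and a real third-party register.

```python
"""Review third-party VPN logins against an authorisation register (item 6.4).

Added example, not part of the original checklist. The log line format, the
account names, the vendor register and the staff list are constructed
assumptions standing in for a real VPN concentrator export and an NGO's
third-party agreements (item 1.2).
"""
import ipaddress
import re
from datetime import datetime, time

# Constructed sample export in an assumed
# "<ISO timestamp> VPN LOGIN user=.. src=.. duration=.." format.
SAMPLE_LOG = """\
2024-03-04T09:12:03 VPN LOGIN user=vendor-acme src=203.0.113.10 duration=45
2024-03-04T23:40:11 VPN LOGIN user=vendor-acme src=203.0.113.10 duration=120
2024-03-05T10:05:44 VPN LOGIN user=vendor-acme src=198.51.100.7 duration=30
2024-03-05T11:00:00 VPN LOGIN user=contractor-old src=203.0.113.22 duration=10
2024-03-05T14:30:00 VPN LOGIN user=jdoe src=192.0.2.5 duration=480
"""

# Constructed register: third parties with a signed agreement, the source
# network they connect from, and the maintenance window agreed with them.
THIRD_PARTY_REGISTER = {
    "vendor-acme": {
        "source_net": ipaddress.ip_network("203.0.113.0/24"),
        "window": (time(8, 0), time(18, 0)),
    },
}
STAFF_ACCOUNTS = {"jdoe"}  # constructed: employee accounts, reviewed separately under 7.3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) VPN LOGIN user=(?P<user>\S+) src=(?P<src>\S+) duration=(?P<dur>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "user": m["user"],
        "src": ipaddress.ip_address(m["src"]),
        "minutes": int(m["dur"]),
    }


def review_vpn_log(log_text):
    """Return findings as (timestamp, user, reason) tuples for every non-staff
    login that has no agreement on file, comes from outside the agreed network,
    or falls outside the agreed window. A single login can raise more than one
    finding; staff logins are skipped."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] in STAFF_ACCOUNTS:
            continue
        entry = THIRD_PARTY_REGISTER.get(rec["user"])
        if entry is None:
            findings.append((rec["ts"], rec["user"], "no third-party agreement on file"))
            continue
        if rec["src"] not in entry["source_net"]:
            findings.append((rec["ts"], rec["user"],
                             f"source {rec['src']} is outside agreed network {entry['source_net']}"))
        start, end = entry["window"]
        if not start <= rec["ts"].time() <= end:
            findings.append((rec["ts"], rec["user"], "login outside agreed maintenance window"))
    return findings


if __name__ == "__main__":
    for ts, user, reason in review_vpn_log(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {user:<16} {reason}")
```

On the constructed sample this yields three findings: an out-of-hours login by the registered vendor, a login by that vendor from an unregistered source address, and a login by an account with no agreement on file. The point for the auditor is that "we keep VPN logs" only satisfies 6.4 if there is a register to compare them against and someone runs the comparison.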

7 Logical Access

7.1 Identity & Access Management
Do you have a formal access authorization process based on least privilege (employees are granted the least amount of access needed to perform their assigned duties) and need to know (access permissions are granted based on the legitimate business need of the user to access the information)? e.g. role-based permissions, limited access based on specific responsibilities, network access request form.
a) How are systems and applications configured to restrict access to authorized individuals only? e.g. unique IDs and passwords; minimum password length, complexity, history, lockout and password change requirements.
b) Is a list maintained of authorized users with administrative access to operating systems? e.g. Active Directory user and group lists.
c) Is software installation restricted on desktops, laptops and servers? e.g. standard (non-administrator) user accounts on workstations, Group Policy enforcement, restricted administrative privileges on servers, automatic logoff of idle workstations.
d) Is access to application source code restricted? If so, how? Is a list of authorized users maintained?

7.2 Identity Management
Are user IDs on your systems uniquely identifiable?
a) Are there any shared accounts at all? e.g. credentials hard-coded into applications.

7.3 Entitlement Reviews
Do you have a process to periodically review user accounts and their related access?
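Items 4.2, 7.1 b), 7.2 and 7.3 all reduce to the same periodic check over the account directory: leavers disabled, administrative membership matching the maintained list, no shared logins, no dormant accounts. The following is an added example of that entitlement review, not part of the original checklist. The CSV columns, account and group names, the approved-administrator list and the 90-day dormancy threshold are constructed assumptions; a real review would run over an export from Active Directory with HR status joined in.

```python
"""Entitlement review over a user-directory export (items 4.2, 7.1 b, 7.2, 7.3).

Added example, not part of the original checklist. The CSV columns, account
names, group names, review date and approved-administrator list are
constructed assumptions standing in for an Active Directory export joined
with HR status.
"""
import csv
import io
from datetime import date, timedelta

# Constructed export: one row per account, with HR status joined in.
SAMPLE_EXPORT = """\
sAMAccountName,enabled,lastLogon,memberOf,employeeStatus,description
jdoe,True,2024-03-01,Domain Users,active,
asmith,True,2024-03-02,Domain Users;Domain Admins,active,
bjones,True,2023-10-15,Domain Users,terminated,Left 2023-10-31
svc_backup,True,2024-03-03,Domain Users,service,Backup service account
shared_frontdesk,True,2024-03-03,Domain Users,shared,Reception shared login
oldadmin,True,2023-11-20,Domain Users;Domain Admins,active,
"""

APPROVED_ADMINS = {"asmith"}  # constructed: the list item 7.1 b) asks for
ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}
DORMANT_AFTER = timedelta(days=90)
REVIEW_DATE = date(2024, 3, 5)  # constructed: the day the review is run


def review_entitlements(export_csv, approved_admins, review_date):
    """Return {account: [reasons]} for every account that fails the review."""
    findings = {}

    def flag(user, reason):
        findings.setdefault(user, []).append(reason)

    for row in csv.DictReader(io.StringIO(export_csv)):
        user = row["sAMAccountName"].strip()
        enabled = row["enabled"].strip().lower() == "true"
        groups = {g.strip() for g in row["memberOf"].split(";") if g.strip()}
        status = row["employeeStatus"].strip().lower()
        last = date.fromisoformat(row["lastLogon"]) if row["lastLogon"] else None

        # 4.2: leavers must actually be disabled, not just processed by HR.
        if status == "terminated" and enabled:
            flag(user, "still enabled after termination (4.2)")
        # 7.1 b): administrative group membership must match the maintained list.
        held = groups & ADMIN_GROUPS
        if held and user not in approved_admins:
            flag(user, f"member of {', '.join(sorted(held))} but not on the approved admin list (7.1 b)")
        # 7.2: a shared login cannot be attributed to one person.
        if status == "shared" or user.startswith("shared_"):
            flag(user, "shared account, not uniquely attributable to a person (7.2)")
        # 7.3: an enabled account nobody uses is standing attack surface.
        if enabled and (last is None or review_date - last > DORMANT_AFTER):
            flag(user, f"no login in the last {DORMANT_AFTER.days} days (7.3)")
    return findings


def run_review():
    """Run the review over the constructed export with the constructed register."""
    return review_entitlements(SAMPLE_EXPORT, APPROVED_ADMINS, REVIEW_DATE)


if __name__ == "__main__":
    for user, reasons in run_review().items():
        print(user)
        for reason in reasons:
            print("   -", reason)
```

On the constructed export the review flags the terminated user whose account is still enabled (and dormant), an unapproved member of Domain Admins who has not logged in for months, and the shared reception login; the service account passes because it is not in an administrative group. The output is the evidence an auditor would attach to 7.3.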

8 Operations Management

8.1 Antivirus / End Point Protection
Has antivirus software been deployed and installed on your computers and supporting systems (e.g. desktops, servers and gateways)?
a) Which product is installed? Is it centrally managed? Is it updated daily?

8.2 Security Monitoring
Are systems and networks monitored for security events? If so, please describe this monitoring, e.g. logs from servers, routers, switches and wireless APs reviewed regularly.

8.3 Media Handling
Do procedures exist to protect documents and computer media (e.g. tapes, disks, CD-ROMs) from unauthorized disclosure, modification, removal and destruction?
a) Is sensitive data encrypted when stored on laptop, desktop and server hard drives, flash drives, backup tapes, etc.? (Data at rest: is data encrypted on servers? On backups? On mobile devices?)

8.4 Secure Disposal
Are there security procedures for the decommissioning (replacement) of IT equipment and IT storage devices that contain or process sensitive information? e.g. use of Shred-IT or Retire-IT, wiping, NIST SP 800-88 Guidelines for Media Sanitization.

8.5 Segregation of Computing Environment
Are computing environments segregated, e.g. development, test and production systems kept separate?

8.6 Segregation of Duties
Are duties separated, where appropriate, to reduce the opportunity for unauthorized modification, unintentional modification or misuse of the organization's IT assets?

8.7 Change Management
Do formal change management procedures exist for networks, systems, desktops, software releases, deployments and software vulnerability patching (including anti-virus and anti-spyware updates)? e.g. changes to applications and servers; appropriate testing, notification and approval.

9 Incident Management

9.1 Process & Procedures
How do you identify, respond to and mitigate suspected or known security incidents? e.g. an incident form completed in response to each incident.
a) During the investigation of a security incident, is evidence properly collected and maintained? e.g. chain of custody and other computer forensic methodologies followed by internal and/or external parties.
b) Are incidents identified, investigated and reported according to applicable legal requirements?
c) How are incidents escalated and communicated? e.g. a documented process for escalation to management and, where required, to outside authorities.

10 Business Continuity Management

10.1 Disaster Recovery Plan & Backups
Do you have a mechanism to back up critical IT systems and sensitive data? e.g. nightly, weekly or quarterly backups; copies taken offsite.
a) Have you had to restore files after a systems outage? If not, has the backup and restoration process been tested?
b) Does a Disaster Recovery plan exist for the organization, and does it consider interruption to, or failure of, critical IT systems?
c) Are disaster recovery plans updated at least annually?
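Item 10.1 a) asks whether the restoration process has been tested. A restore is only "tested" if the restored data is compared against what was backed up, so the following added example, not part of the original checklist, shows the whole loop: record a hash manifest at backup time, back up to an archive, restore into a scratch directory and compare. The sample files, paths and the tar.gz archive format are constructed assumptions; the same manifest-and-compare step applies whatever backup tool the organization uses.

```python
"""Backup-and-restore verification for item 10.1 a).

Added example, not part of the original checklist. The sample files, paths
and the tar.gz archive format are constructed assumptions; the technique
(hash everything at backup time, restore to a scratch location, compare)
applies to any backup tool.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path

SAMPLE_FILES = {  # constructed stand-in for an NGO's file share
    "donors/list.csv": "id,name\n1,Example Donor\n",
    "finance/2024/budget.txt": "Q1 budget: 10000\n",
    "policies/infosec-policy.md": "# Information security policy\n",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def populate(root):
    for rel, text in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)


def create_backup(src, archive):
    """Write src into a tar.gz and return the manifest taken at backup time;
    that manifest is what a later restore is checked against."""
    with tarfile.open(str(archive), "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            if p.is_file():
                tar.add(str(p), arcname=p.relative_to(src).as_posix())
    return manifest(src)


def restore_backup(archive, dest):
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(str(archive), "r:gz") as tar:
        try:
            # The "data" filter rejects absolute paths, ".." and special files;
            # it exists on Python 3.12+ and on patched 3.8-3.11 releases.
            tar.extractall(str(dest), filter="data")
        except TypeError:
            tar.extractall(str(dest))


def compare(expected, actual):
    """Return a list of problems; an empty list means a verified restore."""
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"content differs after restore: {rel}")
    problems.extend(f"unexpected file after restore: {rel}"
                    for rel in actual if rel not in expected)
    return problems


def run_restore_test(tamper=False):
    """populate -> back up -> restore to a scratch dir -> compare manifests.
    tamper=True corrupts one restored file to show that the check really fires."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src, archive, restored = base / "data", base / "backup.tar.gz", base / "restored"
        populate(src)
        expected = create_backup(src, archive)
        restore_backup(archive, restored)
        if tamper:
            (restored / "donors" / "list.csv").write_text("id,name\n1,Someone Else\n")
        return compare(expected, manifest(restored))


if __name__ == "__main__":
    problems = run_restore_test()
    print("restore verified" if not problems else "\n".join(problems))
```

Running the test with tamper=True shows the compare step reporting the altered donor list, which is what distinguishes a verified restore from one that merely finished without errors. Keeping the dated problem list (normally empty) alongside the backup logs gives the auditor the evidence 10.1 a) asks for.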
Date:

Response columns (recorded against each question): Status | Client Response | Remark
