IT AUDIT CHECKLIST
www.RivialSecurity.com | 1
Applicaon Access Controls
Operang System Access Controls
Virtual Access Controls
User accounts provisioned
Access levels modiable, user privileges limited
to job funcon
Periodical access reviews scheduled
Password complexity requirement
Admin acvity monitored
Database Access Controls
Database admin accounts controlled
Admin acvity monitored
Applicaon access to database restricted
System installaon checklists or images used
Security and event logs enabled
Unnecessary services turned o
Access to hypervisors restricted
Access levels modiable
Periodical access reviews
Password complexity requirement
Secure conguraon guide applied to
hypervisors and SANs
Access to services running on host restricted
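Several of the access-control items above (privileges limited to job function, periodic access reviews, dormant accounts) can be checked mechanically from an account export rather than by eyeballing a spreadsheet. The script below is an added example and is not part of the Rivial Security checklist; the role-to-entitlement matrix, the field names, the 90-day inactivity and review thresholds and the account data are all assumptions standing in for an export from the application's user administration screen or the identity provider.

```python
"""Automated periodic access review over a constructed account export.

Added example; not part of the Rivial Security checklist. The role matrix,
field names, thresholds and account data are assumptions.
"""
from datetime import date

# Hypothetical role matrix: the entitlements each job function may hold.
ROLE_ENTITLEMENTS = {
    "teller": {"app:read", "app:transact"},
    "loan_officer": {"app:read", "app:transact", "app:approve_loan"},
    "dba": {"db:read", "db:admin"},
    "sysadmin": {"os:admin", "hypervisor:admin"},
}

INACTIVITY_DAYS = 90       # assumed threshold for dormant accounts
REVIEW_INTERVAL_DAYS = 90  # assumed access-review cadence

# Constructed account export (ISO dates; last_login None = never logged in).
ACCOUNTS = [
    {"user": "alice", "role": "teller",
     "entitlements": {"app:read", "app:transact"},
     "last_login": "2024-05-30", "last_review": "2024-04-01"},
    {"user": "bob", "role": "teller",
     "entitlements": {"app:read", "app:transact", "app:approve_loan"},
     "last_login": "2024-05-29", "last_review": "2024-04-01"},
    {"user": "carol", "role": "dba",
     "entitlements": {"db:read", "db:admin"},
     "last_login": "2024-01-10", "last_review": "2024-04-01"},
    {"user": "dave", "role": "sysadmin",
     "entitlements": {"os:admin", "hypervisor:admin", "db:admin"},
     "last_login": "2024-05-31", "last_review": "2023-11-15"},
    {"user": "svc_backup", "role": "sysadmin",
     "entitlements": {"os:admin"},
     "last_login": None, "last_review": "2024-04-01"},
]

AS_OF = date(2024, 6, 1)  # review date for the constructed data


def _days_since(iso_date, as_of):
    return (as_of - date.fromisoformat(iso_date)).days


def review_account(acct, as_of=AS_OF):
    """Return the list of findings for one account (empty list = clean)."""
    findings = []
    allowed = ROLE_ENTITLEMENTS.get(acct["role"])
    if allowed is None:
        # A role outside the matrix cannot be checked against a job function.
        findings.append(f"unknown role {acct['role']!r}")
    else:
        excess = acct["entitlements"] - allowed
        if excess:
            findings.append("entitlements beyond job function: "
                            + ", ".join(sorted(excess)))
    if acct["last_login"] is None:
        findings.append("never logged in")
    elif _days_since(acct["last_login"], as_of) > INACTIVITY_DAYS:
        findings.append(f"inactive > {INACTIVITY_DAYS} days")
    if _days_since(acct["last_review"], as_of) > REVIEW_INTERVAL_DAYS:
        findings.append(f"access review overdue (> {REVIEW_INTERVAL_DAYS} days)")
    return findings


def run_access_review(accounts=ACCOUNTS, as_of=AS_OF):
    """Map user -> findings for every account that has at least one."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, as_of)
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in run_access_review().items():
        print(f"{user}: {'; '.join(findings)}")
```

The output is the list an auditor would ask the account owner to sign off on: each flagged user with the specific reason (excess entitlement, dormancy, overdue review). Service accounts that never log in interactively show up as "never logged in" on purpose; they should be reviewed with a different expectation rather than silently excluded.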
Network Access Controls
  Firewall for remote access
  IDS for remote access
  IPS for remote access
  VPN for remote access
  MFA for remote access

Physical Security Controls
  Physical perimeter protections
  Locks
  Badge access
  Battery backup
  Generators
  HVAC

Anti-Malware Controls
  Anti-virus software
  Gateway filtering
  Browser protections

Vulnerability Management Controls
  Scanning and remediation for vulnerabilities
  Patch management program
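"Scanning and remediation" is only auditable if findings are measured against a remediation deadline. The script below is an added example, not part of the Rivial Security checklist: it takes a scanner export and reports which open findings are past their severity-based SLA and what fraction of open findings are still in compliance. The SLA table, the record fields and the VULN-* identifiers are assumptions; the real input would be the CSV/JSON export of whatever scanner the program runs.

```python
"""Remediation-SLA check over a constructed vulnerability scanner export.

Added example; not part of the Rivial Security checklist. The SLA table,
record fields and VULN-* identifiers are assumptions.
"""
from datetime import date

# Hypothetical remediation deadlines in days from first detection, by severity.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed findings, one row per host/vulnerability pair.
FINDINGS = [
    {"host": "web01", "id": "VULN-0001", "severity": "critical",
     "first_seen": "2024-05-20", "status": "open"},
    {"host": "web01", "id": "VULN-0002", "severity": "medium",
     "first_seen": "2024-01-15", "status": "open"},
    {"host": "db01", "id": "VULN-0003", "severity": "high",
     "first_seen": "2024-05-15", "status": "open"},
    {"host": "db01", "id": "VULN-0004", "severity": "high",
     "first_seen": "2024-03-01", "status": "fixed"},
    {"host": "hv01", "id": "VULN-0005", "severity": "low",
     "first_seen": "2023-10-01", "status": "open"},
]

AS_OF = date(2024, 6, 1)  # audit date for the constructed data


def days_overdue(finding, as_of=AS_OF):
    """Days past the SLA deadline for a finding; 0 if still within SLA."""
    sev = finding["severity"].lower()
    if sev not in SLA_DAYS:
        # An unknown severity must not silently fall through the check.
        raise ValueError(f"no SLA defined for severity {sev!r}")
    age = (as_of - date.fromisoformat(finding["first_seen"])).days
    return max(0, age - SLA_DAYS[sev])


def overdue_findings(findings=FINDINGS, as_of=AS_OF):
    """Open findings past their SLA, worst first: (host, id, severity, days_overdue)."""
    rows = []
    for f in findings:
        if f["status"] != "open":
            continue
        late = days_overdue(f, as_of)
        if late > 0:
            rows.append((f["host"], f["id"], f["severity"], late))
    return sorted(rows, key=lambda r: r[3], reverse=True)


def sla_compliance(findings=FINDINGS, as_of=AS_OF):
    """Fraction of open findings still inside their SLA window (1.0 when none open)."""
    open_findings = [f for f in findings if f["status"] == "open"]
    if not open_findings:
        return 1.0
    within = sum(1 for f in open_findings if days_overdue(f, as_of) == 0)
    return within / len(open_findings)


if __name__ == "__main__":
    for host, vuln_id, sev, late in overdue_findings():
        print(f"{host} {vuln_id} ({sev}): {late} days past SLA")
    print(f"SLA compliance: {sla_compliance():.0%}")
```

Sorting by days overdue rather than by severity surfaces the long-ignored medium and low findings that a severity-only view hides; in the constructed data the oldest breach is a low-severity item, not the critical one.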
Soware Development Controls User Awareness Controls
Data Protecon Controls
Asset Management Controls
Security Program Controls
Change Management Controls
Disaster Recovery Controls
Vendor Management Controls
Incident Management Controls
Soware development lifecycle established
Secure coding and web app rewall/security
tesng
Users trained on security
Background checks for new employees
Dues separated and documented
Security logs collected and reviewed
Encrypon in transit and at rest
Data classicaon
Usb restricons in place
Removal of data from storage media
Hardware and soware inventoried
Installaon of unauthorized soware, ulity
and audit tools prohibited
System capacity and performance monitored
Risk assessments regularly performed
regularly
Risks migated to acceptable levels
Informaon security policies approved and in place
Periodical independent audits performed
Process for change management instated
Inventory of IT assets
Backups for systems and data
Disaster recovery plan established and
regularly tested
Business impact analysis plan established and
regularly tested
Security clauses included in contracts
SLA’s are monitored
Vendor incident nocaons sent to
subservice organizaons
Incident response plan instated and regularly
tested
Customers noed following vendor incidents