IT Audit checklist [closed]

I recently have taken on the position of a one-man show for a company that is going to have an audit. The network isn't anywhere close to prepared, and I have been looking for a general audit checklist since one hasn't been provided by the auditors, and I haven't found much good information out there. Does anyone have a nice template that will give me a good starting point? I know that this will be highly customized to the company, but a starting point will be helpful to outline to management just how much work is needed.


Solution 1:

I have been looking for a general audit checklist since one hasn't been provided by the auditors

That is disappointing. I did this for quite a few years, and it was common practice for us to provide a detailed overview of what would be assessed and why (methodology). We submitted formal requests for information, provided tools for the IT staff to run and collect data, including any potential impact of the collection process (if any). We also had to schedule meetings complete with detailed agendas, which usually meant they knew what to expect. There's no constructive purpose served in sandbagging someone in an initiative like this. Issues are usually aplenty, and most IT staff are open to discussing them if the engagement is kicked off properly.

That said, there are plenty of checklists out there if you look. But the primary goal of this effort should be to surface as many issues as possible, prioritize them, and develop action plans for remediation. I wouldn't be too concerned about being "prepared". Since you have started recently, there should be an understanding that the place didn't fall apart overnight.

If the network that you acknowledge is in need of improvement receives a good report, that would probably be a waste of the company's money.

Solution 2:

I'm going to make a rash assumption and assume that you're asking about how to prepare for an internal security audit with a focus on technology, perhaps even a penetration test.

How you prepare for a security audit on the technology side is going to depend on the goal of the audit. If the goal is for it to define the specification for how you improve your infrastructure, you might do nothing. If the goal is to ensure that no gaps remain, I'd recommend performing a gap analysis before the audit and correcting any gaps discovered.

For fundamental IT best practices I'd recommend referencing the PCI DSS. Of course, it includes obvious things you should be doing already like patching your software for security vulnerabilities.

To replicate a security audit I'd start with reviewing the penetration testing methodology detailed in the Open Source Security Testing Methodology Manual (OSSTMM).

If you are looking for further details, I would encourage you to re-write your question to be less ambiguous.