Home page logo
/

educause logo Educause Security Discussion mailing list archives

checklists/auditing within the IT department (3)
From: "Erwin L. Carrow" <erwin.carrow () USG EDU>
Date: Thu, 11 Dec 2008 06:15:39 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For those interested in "checklists/auditing within the IT department"
please contact me directly.  Information follows

- --
Erwin (Chris) Louis Carrow,
CISSP, INFOSEC, CSSP, CCNP, OCM
IT Auditor II
Board of Regents, University System of Georgia
270 Washington Street S.W., Ste. 7087
Atlanta, GA 30334
(404)657-9890 Office, (678)644-3526 Cell, Email: erwin.carrow () usg edu


SECURITY automatic digest system wrote:
Date:    Wed, 10 Dec 2008 14:41:19 -0600
From:    "Youngquist, Jason R." <jryoungquist () CCIS EDU>
Subject: checklists/auditing within the IT department

I'm looking for any recommendations on books or documents for
auditing/best practices within one's IT department. =20

Our department is broken up into 5 sections:
Data Services - support the student information system - by programming
and system support
Web Services - program web applications & work on databases
Network Services - physical security, networking gear (routers,
firewalls, switches, etc.) servers (Windows, Linux, and a number of
different applications), and VOIP services
End User Support - purchase, deploy, and fix desktop computer-related
issues
Helpdesk/Computer Lab - provide support to customers and student
computer lab(s).

I'm looking for a number of questions/checklists/best practices to ask
individuals in each section of the department.  The goal is to come up
with a list of questions/checklists so each week I'll talk to an
individual from each section of the department and ask them a few
questions (from a long list of questions from their particular area) in
order make sure things are working properly, security is being followed,
and determine if there are any issues that need to be addressed.

Here are some example questions:
Generator XYZ - does a self-check happen?  If so, when?  Has the
self-check been successful?
Servers - Which servers are being backed up?  Are there new servers
which haven't been added to the tape backup schedule yet?
Servers - When was the last time a file restore was done?  Was it
successful?
Inventory - When was the last time a computer inventory was done?  Where
is it located?
VOIP - What steps are being taken to reduce/eliminate toll fraud,
eavesdropping, caller-id spoofing, denial of service, etc.
Web - Is there an inventory of web applications?  If so, where is it
located?
Web - Is there a document of coding best practices?  If so, where is it
located?


I've been doing some googling and brainstorming, but appreciate any
additional information.


Thanks.
Jason Youngquist
Information Technology Security Engineer
Technology Services
Columbia College
1001 Rogers Street, Columbia, MO  65216
(573) 875-7334
jryoungquist () ccis edu
http://www.ccis.edu
=20

------------------------------

Date:    Wed, 10 Dec 2008 14:40:15 -0700
From:    "Basgen, Brian" <bbasgen () PIMA EDU>
Subject: Re: checklists/auditing within the IT department

 Sounds like you are looking for some governance frameworks like COBIT
or I=
SO 27001.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD4DBQFJQPZb+lAww4pSzJURAhZKAJ99ST/zFvA5m81ffT8Qimg+VY/ijACXcM/f
GHBQRdVM/B2XGNiV4tyNUA==
=Ofha
-----END PGP SIGNATURE-----

Attachment: erwin_carrow.vcf
Description:


  By Date           By Thread  

Current thread:
  • checklists/auditing within the IT department (3) Erwin L. Carrow (Dec 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]