Ask the Expert

What to include in a remote access audit

What specific areas, or tests, should an IT auditor include in a remote access audit?


Keep in mind that I'm not a licensed lawyer or auditor, but I can certainly make some recommendations on what to test.

During a remote access audit, there are several areas you'll want to assess. These include:

  • Internet scanning and penetration testing: Look at what offerings the remote access service has exposed to the Internet, and whether there are any additional services that show up that shouldn't; these could include internal resources such as websites, databases or applications. Also, look for standard Internet vulnerabilities and any additional abnormalities that may be obvious.

  • Remote access devices: Review and assess whether there are any vulnerabilities in the inventory devices and components that will utilize the service. If required, ensure third-party background checks are run and periodically reviewed. Ascertain that there is adequate physical security at the third-party location(s). Ensure there is an established communication plan and services for access requests, credential management and incident/help desk support. Evaluate and assess the security policies of the third-party accessing the service.

  • Implementation: Identify and review what protocols are available for the end users. Evaluate the authentication method being used. Ascertain if the physical security of the service is adequate and effective, as well as if the logical access control methods are adequate and effective. Ensure control functions can't be bypassed and that there's a change management process in place as additional functionality and/or problem resolution are addressed. Review architecture and technologies to ensure they meet enterprise standards.

  • Governance: Ensure corporate and security policies are being enforced and business continuity practices are being followed. Evaluate the logging/reporting functions and ensure the service has an effective event-analysis methodology. Evaluate and assess any remote access disaster recovery plans and ensure they are periodically reviewed and updated as necessary.

While you should work with your audit and compliance team to come up with the final list, hopefully this information will be a good start.
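One concrete check behind the first bullet, added here as an illustration and not part of the original answer: compare the services a perimeter scan actually reports open against the approved exposure baseline for each remote-access host, so anything extra (or anything expected but absent) becomes an audit finding. The nmap-style grepable output, host addresses and baseline below are constructed samples, not real scan data.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in nmap "grepable" (-oG) layout for two hypothetical
# remote-access hosts. Entry format: port/state/proto/owner/service/rpc/version/
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample, not real output)
Host: 203.0.113.10 (vpn.example.test)\tPorts: 443/open/tcp//https///, 1194/open/udp//openvpn///, 22/open/tcp//ssh///
Host: 203.0.113.11 (portal.example.test)\tPorts: 443/open/tcp//https///, 3306/open/tcp//mysql///, 8080/closed/tcp//http-proxy///
# Nmap done
"""

# Audit baseline (constructed): what each host is approved to expose.
APPROVED: Dict[str, Set[Tuple[int, str]]] = {
    "203.0.113.10": {(443, "tcp"), (1194, "udp")},
    "203.0.113.11": {(443, "tcp")},
}

HOST_RE = re.compile(r"^Host:\s+(\S+).*?Ports:\s+(.*)$")


def parse_grepable(text: str) -> Dict[str, Set[Tuple[int, str]]]:
    """Return {host: {(port, proto), ...}} for every port reported open."""
    exposed: Dict[str, Set[Tuple[int, str]]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and hosts without a Ports field
        host, ports_field = m.groups()
        ports_field = ports_field.split("\t")[0]  # drop "Ignored State:" tail
        open_ports: Set[Tuple[int, str]] = set()
        for entry in ports_field.split(","):
            port, state, proto = entry.strip().split("/")[:3]
            if state == "open":
                open_ports.add((int(port), proto))
        exposed[host] = open_ports
    return exposed


def audit_exposure(scan: str, approved: Dict[str, Set[Tuple[int, str]]]) -> Dict[str, List[str]]:
    """Flag open ports outside the baseline and baseline ports not observed."""
    findings: Dict[str, List[str]] = {}
    observed = parse_grepable(scan)
    for host in sorted(set(observed) | set(approved)):
        seen, allowed = observed.get(host, set()), approved.get(host, set())
        issues = [f"UNEXPECTED {p}/{pr}" for p, pr in sorted(seen - allowed)]
        issues += [f"MISSING {p}/{pr}" for p, pr in sorted(allowed - seen)]
        if issues:
            findings[host] = issues
    return findings


if __name__ == "__main__":
    for host, issues in audit_exposure(SCAN_OUTPUT, APPROVED).items():
        print(host, ", ".join(issues))
```

Hosts that appear in the scan but not in the baseline are reported with every open port flagged, which is usually the more interesting finding in a remote access review.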

This was first published in July 2010
