Auditing the web server involves auditing the platform, the server itself and the applications it hosts. Since the servers are Windows based, I will first collect system information (operating system version and build, installed roles and patch level) and compare it with the policy requirements. I will then determine whether the host firewall required by company policy is enabled on the server, confirm that all required patches have been installed, and check that those patches were delivered by the company's approved patch management solution rather than installed by hand. I will also validate the services running on the server and ensure that only approved applications are installed on it.
While auditing the server I will also check that unnecessary services, modules, objects and APIs have been removed or disabled, and verify that only the protocols and ports the web server actually needs are allowed to reach it. I will ensure that the accounts with access to the server have strong passwords, that access controls are in place for files, directories and virtual directories, and that the web server has appropriate logging enabled with the log files themselves protected from tampering.
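As a worked illustration of the server audit steps above, the following PowerShell script gathers the evidence for each step and compares it with policy. It is added here as an example and is not part of the original essay or of any company tool. Every value in $Policy (the WSUS host name wsus.example.local, the prohibited services, the application allow-list patterns, the allowed ports and the web root) is an assumed placeholder for the company's real baseline, and the script assumes an English-locale Windows server running IIS, audited from an elevated session.

```powershell
# Added example, not from the source essay: audit evidence for a Windows/IIS web
# server, compared with policy. Run from an elevated PowerShell session on the
# server. Every value in $Policy is an assumed placeholder.
$Policy = @{
    PatchSourceServer    = 'wsus.example.local'      # assumed approved patch management server
    ProhibitedServices   = @('Spooler', 'RemoteRegistry', 'SNMP', 'TlntSvr', 'FTPSVC', 'Browser')
    ApprovedAppPatterns  = @('Microsoft*', 'IIS*', 'Windows*', 'ExampleCorp*')   # assumed allow-list
    AllowedTcpPorts      = @(80, 443, 3389, 5985)
    MinPasswordLength    = 14
    WebRoot              = 'C:\inetpub\wwwroot'
    ProhibitedIisModules = @('WebDAVModule')
}

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
}
function Get-AuditStatus([bool]$Ok) { if ($Ok) { 'Pass' } else { 'Fail' } }

# 1. System information, to be compared with the build standard
$os = Get-CimInstance Win32_OperatingSystem
Add-Finding 'System information' 'Info' ('{0} build {1}, last boot {2}' -f $os.Caption, $os.BuildNumber, $os.LastBootUpTime)

# 2. Host firewall: enabled on every profile, inbound blocked by default
foreach ($p in Get-NetFirewallProfile) {
    $ok = ("$($p.Enabled)" -eq 'True') -and ("$($p.DefaultInboundAction)" -eq 'Block')
    Add-Finding "Firewall profile $($p.Name)" (Get-AuditStatus $ok) "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
}

# 3. Patch currency, and whether updates come from the approved management server
$latest = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$ok = $latest -and ($latest.InstalledOn -ge (Get-Date).AddDays(-30))   # 30-day window is an assumed threshold
Add-Finding 'Patch currency' (Get-AuditStatus $ok) "Latest $($latest.HotFixID) installed $($latest.InstalledOn)"
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
$fromApproved = [bool]$wu.WUServer -and ($wu.WUServer -like "*$($Policy.PatchSourceServer)*")
Add-Finding 'Patch source' (Get-AuditStatus $fromApproved) "WUServer=$($wu.WUServer)"

# 4. Unnecessary services must be stopped and disabled
foreach ($name in $Policy.ProhibitedServices) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }
    $ok = ($svc.Status -ne 'Running') -and ($svc.StartType -eq 'Disabled')
    Add-Finding "Service $name" (Get-AuditStatus $ok) "Status=$($svc.Status) StartType=$($svc.StartType)"
}

# 5. Only approved applications may be installed (both 64-bit and 32-bit uninstall keys)
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$apps = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue | Where-Object DisplayName |
        Select-Object -ExpandProperty DisplayName -Unique
foreach ($app in $apps) {
    $approved = $false
    foreach ($pattern in $Policy.ApprovedAppPatterns) { if ($app -like $pattern) { $approved = $true; break } }
    if (-not $approved) { Add-Finding 'Unapproved application' 'Fail' $app }
}

# 6. Listening TCP ports must be on the allowed list; report the owning process for the rest
$listeners = Get-NetTCPConnection -State Listen | Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }
foreach ($l in ($listeners | Sort-Object LocalPort -Unique)) {
    if ($l.LocalPort -notin $Policy.AllowedTcpPorts) {
        $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        Add-Finding "Listening port $($l.LocalPort)" 'Fail' "Bound to $($l.LocalAddress) by $proc (PID $($l.OwningProcess))"
    }
}

# 7. Accounts: local password policy (parsed from English 'net accounts' output) and weak local accounts
$line   = (net accounts) | Select-String 'Minimum password length' | Select-Object -First 1
$minLen = if ($line -and ("$line" -match '(\d+)\s*$')) { [int]$Matches[1] } else { -1 }
Add-Finding 'Minimum password length' (Get-AuditStatus ($minLen -ge $Policy.MinPasswordLength)) "Configured=$minLen Required=$($Policy.MinPasswordLength)"
foreach ($u in (Get-LocalUser | Where-Object { $_.Enabled -and (-not $_.PasswordRequired -or -not $_.PasswordExpires) })) {
    Add-Finding "Local account $($u.Name)" 'Review' "PasswordRequired=$($u.PasswordRequired) PasswordExpires=$($u.PasswordExpires)"
}

# 8. File and directory controls: broad groups must not be able to write to the web root.
#    (-match works on the friendly rights names; generic rights that print as numbers need mapping.)
$writeAces = (Get-Acl $Policy.WebRoot).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|BUILTIN\\IIS_IUSRS|NT AUTHORITY\\IUSR)$' -and
    $_.FileSystemRights -match 'Write|Modify|FullControl'
}
Add-Finding "Web root ACL $($Policy.WebRoot)" (Get-AuditStatus (-not $writeAces)) (($writeAces | ForEach-Object { "$($_.IdentityReference):$($_.FileSystemRights)" }) -join '; ')

# 9. IIS: logging enabled on every site, unnecessary modules removed
if (Get-Module -ListAvailable -Name WebAdministration) {
    Import-Module WebAdministration
    foreach ($site in Get-Website) {
        Add-Finding "IIS logging $($site.Name)" (Get-AuditStatus ("$($site.logFile.enabled)" -eq 'True')) "Format=$($site.logFile.logFormat) Dir=$($site.logFile.directory)"
    }
    foreach ($m in Get-WebGlobalModule) {
        if ($m.Name -in $Policy.ProhibitedIisModules) { Add-Finding "IIS module $($m.Name)" 'Fail' 'Unnecessary module installed' }
    }
} else {
    Add-Finding 'IIS' 'Review' 'WebAdministration module not present; server may not be running IIS'
}

# 10. Report failures first, and keep a CSV copy as audit evidence
$Findings | Sort-Object { switch ($_.Status) { 'Fail' { 0 } 'Review' { 1 } 'Info' { 2 } default { 3 } } } | Format-Table -AutoSize -Wrap
$Findings | Export-Csv -NoTypeInformation -Path (Join-Path $env:TEMP "webserver-audit-$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd).csv")
```

The script records a finding per check rather than stopping at the first failure, so the CSV it writes doubles as the evidence file for the audit work papers; anything marked Review (an account whose password never expires, a missing IIS module) needs an auditor's judgement rather than an automatic fail.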
I would then audit the web applications: ensure they are protected against injection attacks; review the website itself; check the applications for broken authentication; verify that proper authorization controls are enforced; ensure there are controls preventing cross-site request forgery; review the controls for maintaining a secure configuration; and evaluate the application's transport layer protection mechanisms (TLS for all sensitive traffic, with cookies and headers configured so that sessions cannot fall back to cleartext).
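The secure-configuration and transport-layer items in this list can be checked from a single HTTP response, so the following PowerShell function does that; it is an added example, not part of the original essay or of any vendor tool. The header set it runs against is constructed sample data resembling an unhardened IIS/ASP.NET site, the one-year HSTS threshold is an assumption, and the injection, authentication and authorization items above still require manual testing that this function does not attempt.

```powershell
# Added example, not from the source essay: evaluate a web application's
# response headers for transport-layer protection (HSTS, cookie flags) and
# secure configuration (clickjacking, MIME sniffing, CSP, version disclosure).
function New-AuditResult([string]$Check, [string]$Status, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail }
}
function Get-AuditStatus([bool]$Ok) { if ($Ok) { 'Pass' } else { 'Fail' } }

function Test-WebAppResponseControls {
    param([Parameter(Mandatory)][System.Collections.IDictionary]$Headers)

    # Normalise names to lower case and values to string arrays, so both Windows
    # PowerShell (string values) and PowerShell 7 (string[] values) dictionaries work.
    # Note: Windows PowerShell joins multiple Set-Cookie values into one string, so
    # such responses are best read via $r.BaseResponse.Headers.GetValues('Set-Cookie').
    $h = @{}
    foreach ($k in $Headers.Keys) { $h[$k.ToLower()] = @($Headers[$k]) }
    $results = @()

    # Transport layer: HSTS present with max-age of at least one year (assumed threshold)
    $hsts   = $h['strict-transport-security'] -join ' '
    $maxAge = if ($hsts -match 'max-age=(\d+)') { [int64]$Matches[1] } else { 0 }
    $results += New-AuditResult 'HSTS' (Get-AuditStatus ($maxAge -ge 31536000)) "Strict-Transport-Security='$hsts'"

    # Transport layer: every cookie must carry Secure, HttpOnly and a restrictive SameSite
    if ($h.ContainsKey('set-cookie')) {
        foreach ($cookie in $h['set-cookie']) {
            $name = ($cookie -split '=', 2)[0].Trim()
            $ok = ($cookie -match ';\s*Secure\b') -and ($cookie -match ';\s*HttpOnly\b') -and ($cookie -match ';\s*SameSite=(Strict|Lax)\b')
            $results += New-AuditResult "Cookie $name" (Get-AuditStatus $ok) $cookie
        }
    }

    # Secure configuration: clickjacking, MIME sniffing and a content security policy
    $xfo = $h['x-frame-options'] -join ' '
    $csp = $h['content-security-policy'] -join ' '
    $results += New-AuditResult 'Clickjacking protection' (Get-AuditStatus (($xfo -match '^(DENY|SAMEORIGIN)$') -or ($csp -match 'frame-ancestors'))) "X-Frame-Options='$xfo' CSP='$csp'"
    $results += New-AuditResult 'Content-Security-Policy' (Get-AuditStatus ([bool]$csp)) $csp
    $results += New-AuditResult 'X-Content-Type-Options' (Get-AuditStatus (($h['x-content-type-options'] -join '') -match '^nosniff$')) ($h['x-content-type-options'] -join '')

    # Secure configuration: platform and version disclosure headers are flagged for review
    foreach ($name in 'server', 'x-powered-by', 'x-aspnet-version', 'x-aspnetmvc-version') {
        if ($h.ContainsKey($name)) { $results += New-AuditResult "Disclosure header $name" 'Review' ($h[$name] -join ' ') }
    }
    $results
}

# Live use against a real application (assumed URL):
function Get-WebAppResponseControls([Parameter(Mandatory)][string]$Url) {
    $r = Invoke-WebRequest -Uri $Url -UseBasicParsing
    Test-WebAppResponseControls -Headers $r.Headers
}

# Constructed sample headers, typical of a default IIS/ASP.NET site before hardening
$SampleHeaders = @{
    'Server'                    = 'Microsoft-IIS/10.0'
    'X-Powered-By'              = 'ASP.NET'
    'Strict-Transport-Security' = 'max-age=300'
    'Set-Cookie'                = @('ASP.NET_SessionId=abc123; path=/; HttpOnly',
                                    'theme=dark; path=/; Secure; HttpOnly; SameSite=Lax')
    'X-Content-Type-Options'    = 'nosniff'
    'Content-Type'              = 'text/html; charset=utf-8'
}
Test-WebAppResponseControls -Headers $SampleHeaders | Format-Table -AutoSize -Wrap
```

On the sample the session cookie fails (no Secure flag and no SameSite attribute, so it can leak over cleartext and be sent on cross-site requests), the HSTS max-age of 300 seconds fails the one-year threshold, clickjacking protection and CSP are absent, and the Server and X-Powered-By headers are flagged for review because they reveal the platform to an attacker.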
When auditing the company's applications, I will follow specific steps: review and evaluate the controls built into the system; determine how error reports related to data integrity are produced and followed up; evaluate the controls over the data feeds to and from interfacing systems; and check whether the same data is kept in multiple databases and/or systems, since duplicated data must be reconciled to remain consistent.