What to review in the audit, security, and control of the core modules?
1. Review or document the workflow of the application.
2. Identify key exposures within the workflow.
3. Determine if adequate controls exist to mitigate the
identified exposures.
4. Access Control
- Review all users that have access to the application and ensure that they require this level of access:
  - Signon Access
  - Menu Level Access
  - File Level Access
- Review the User ID associated with each data file to ensure that only authorized users are allowed access to the data.
- Test invalid attempts for userid and password.
- Obtain a copy of the corporate security standards. Determine if a user can log on directly to NT, Unix, Oracle or DB2 without going through the initial logon process.
- Review all default users to ensure that proper security and control is maintained.
- Review the security administration of:
  - adding users
  - deleting users
  - updating user information
  - password construction
- Determine who the system administrator for the application is and how many of these administrators are assigned to the application.
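The access-control checks above are the kind of thing an auditor can partly automate once a user listing has been obtained. The following is an added example, not part of the original checklist: a small Python review script that applies the item-4 checks (access level versus entitlement, default accounts still enabled, invalid attempts that did not trigger a lockout, and administrators not on the approved list) to a constructed user inventory. The field names, the entitlement policy, the approved-admin list and the lockout threshold are all assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Account:
    user_id: str
    role: str            # job role from the user listing (assumed field)
    access_level: str    # "signon", "menu" or "file", per item 4 above
    is_default: bool     # vendor- or install-supplied default account
    enabled: bool
    failed_logins: int   # consecutive invalid userid/password attempts

# Constructed policy (assumptions for this example): the highest access level
# each role is entitled to, the approved administrator list, and the lockout
# threshold taken from the corporate security standard.
ENTITLED_LEVEL = {"clerk": "signon", "analyst": "menu", "admin": "file"}
LEVEL_RANK = {"signon": 0, "menu": 1, "file": 2}
APPROVED_ADMINS = {"admin01"}
LOCKOUT_THRESHOLD = 5

def review_accounts(accounts, approved_admins=APPROVED_ADMINS):
    """Return (findings, admins); findings is a list of (user_id, issue)."""
    findings = []
    for a in accounts:
        entitled = ENTITLED_LEVEL.get(a.role)
        if entitled is None:
            findings.append((a.user_id, "role not in entitlement policy"))
        elif LEVEL_RANK[a.access_level] > LEVEL_RANK[entitled]:
            findings.append((a.user_id,
                             f"{a.access_level} access exceeds entitled {entitled}"))
        if a.is_default and a.enabled:
            findings.append((a.user_id, "default account still enabled"))
        if a.enabled and a.failed_logins >= LOCKOUT_THRESHOLD:
            findings.append((a.user_id, "invalid attempts at threshold, not locked out"))
        if a.enabled and a.role == "admin" and a.user_id not in approved_admins:
            findings.append((a.user_id, "administrator not on approved list"))
    admins = [a.user_id for a in accounts if a.enabled and a.role == "admin"]
    return findings, admins

# Constructed sample user listing for the walkthrough
SAMPLE_ACCOUNTS = [
    Account("jsmith", "clerk", "signon", False, True, 1),
    Account("mlee", "analyst", "file", False, True, 0),
    Account("sysadm", "admin", "file", True, True, 7),
    Account("admin01", "admin", "file", False, True, 0),
    Account("tmp_admin", "admin", "file", False, True, 0),
]

if __name__ == "__main__":
    findings, admins = review_accounts(SAMPLE_ACCOUNTS)
    print(f"{len(admins)} enabled administrators: {admins}")
    for user, issue in findings:
        print(f"{user}: {issue}")
```

Each finding maps back to a checklist item, so the output doubles as the working-paper evidence for the review.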
5. Integrity Checking
- Evaluate sensitive or critical on-line transactions to ensure that they perform according to the established integrity standards.
- Evaluate sensitive or critical batch jobs to ensure that they perform according to the established integrity standards.
6. Evaluate any sensitive or critical derived data to ensure that it is created according to the established integrity standards.
- Review the final edit process to ensure the integrity of the process.
- Review all system interfaces to determine that data integrity is properly maintained.
7. Evaluate the outputs of the system to ensure that sensitive or critical output is properly handled.
8. Evaluate any recent application failures to ensure that an adequate contingency plan exists.
9. Evaluate several recent application changes to ensure that proper procedures were followed.
10. Evaluate the level of system documentation to ensure that it is adequate.
11. Interview the users to ensure that they are satisfied with the current system and that it meets the organization's business needs.
12. Review the management reports to see if additional reports are needed.
13. Determine if any back doors exist in the system:
- Unix
- Oracle
- Informix
- DB2
- NT
- SAP