Professional Documents
Culture Documents
Audit Objectives Relating To Subversive Threats
Audit Objectives Relating To Subversive Threats
The auditor’s objective is to verify the security and integrity of financial transactions by
determining that network controls (1) can prevent and detect illegal access both internally and from the
Internet, (2) will render useless any data that a perpetrator successfully captures, and (3) are sufficient
to preserve the integrity and physical security of data
To achieve these control objectives, the auditor may perform the following tests of
controls:
1. Review the adequacy of the firewall in achieving the proper balance between control
and convenience based on the organization’s business objectives and potential risks.
• Proxy services. Adequate proxy applications should be in place to provide explicit user authentication
to sensitive services, applications, and data.
• Filtering. Strong filtering techniques should be designed to deny all services that
are not explicitly permitted. In other words, the firewall should specify only
those services the user is permitted to access, rather than specifying the services
• Segregation of systems. Systems that do not require public access should be segregated from the
Internet.
• Audit tools. The firewall should provide a thorough set of audit and logging
• Probe for weaknesses. To validate security, the auditor (or a professional security
analyst) should periodically probe the firewall for weaknesses just as a computer
Internet hacker would do. A number of software products are currently available for identifying security
weaknesses.4
2. Verify that an intrusion prevention system (IPS) with deep packet inspection (DPI)
is in place for organizations that are vulnerable to DDos attacks, such as financial
institutions.
4. Verify the encryption process by transmitting a test message and examining the contents at various
points along the channel between the sending and receiving
locations.
5. Review the message transaction logs to verify that all messages were received in their
proper sequence.
6. Test the operation of the call-back feature by placing an unauthorized call from outside the
installation.