100% found this document useful (2 votes)

604 views70 pages

Active Directory Audit

Uploaded by

Adegbola Oluwaseun

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as XLS, PDF, TXT or read online on Scribd

100% found this document useful (2 votes)

604 views70 pages

Active Directory Audit

Uploaded by

Adegbola Oluwaseun

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as XLS, PDF, TXT or read online on Scribd

You are on page 1/ 70

000099Active Directory - Audit Program

Audit Description:
Fiscal Year End:
Audit Period:
Sample Period:

Active Directory Audit

Data Center and Network Operations

Control Objective IT1: Organization’s operations around scheduling, performance, and monitoring of IT programs and processes
are adequately supervised by management in order to assure complete, accurate, and valid processing and recording of financial information.
Risk: If transactions or jobs terminate abnormally or certain programs are not executed, transactions may not be recorded completely or accurately.
If invalid programs are executed, invalid transactions may be recorded or valid transactions may be inaccurately or incompletely recorded.
IT1.01 Batch and online processing procedures are in Preventive Automated High Perform the following procedures to ensure that batch and online processing procedures have been appropriately established Include reference to
place to ensure jobs and transactions are by management: pertinent supporting
processed to normal completion. • Obtain latest copy of the established policies and procedures documents
• Check for creation/revision dates to ensure procedure is up-to-date
• Review for adequacy control points around ensuring jobs and transactions are being
processed to normal completion.

IT1.02 Processing of jobs and transactions is Detective Manual Medium Examine supporting evidence to confirm that the batch and online processing operate in accordance with established policies Tab 1
monitored by management for successful and and procedures and that exceptions are promptly resolved:
timely completion. Exceptions are promptly • Examine entity documentation, such as completed processing logs and access control listings, indicating that
resolved by management to provide for the processing is monitored in accordance with established policies and procedures;
accurate, complete and authorized processing. • Obtain a listing of errors and/or error logs over the period of intended reliance
• Using attribute sampling guidelines, select an adequate sample of errors or error logs from the audit population
over the period of intended reliance
• Examine documented evidence to ascertain that the errors have been appropriately resolved in accordance
with management's intentions and established procedures;
• Ensure sufficient documentary evidence exists to corroborate your conclusions
• Document your conclusions

Alternatively, assurance can be gained via online observation:

• Observe online that logging of processing is enabled, and observe the execution of scheduled processing to
ensure that exceptions to processing are recorded in error logs;
• Observe procedures performed by management to ensure timely resolution of identified exceptions;
• Observations should be conducted on an unannounced basis whenever possible
• Tests should be conducted in a manner that evidences that control activity is operating effectively throughout
the period of intended reliance.
• Document your conclusions

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 1 of 70

000099Active Directory - Audit Program

IT1.03 Transaction logs are enabled to track Detective Manual Medium Examine entity documentation or observe online to confirm that the automated transaction logs are enabled and operate in Include reference to
processing and to verify the authorization and accordance with established policies and procedures. pertinent supporting
integrity of real-time job and transaction documents
processing performed. Further, confirm that transaction logs are appropriately reviewed by responsible parties in accordance with established policies
and procedures and that only authorized employees have access to turn transaction logs on or off. Ensure sufficient
documentary evidence exists to corroborate management's assertions. Document your conclusions.

IT1.04 Automated scheduling tools (i.e. the Windows Preventive Manual Medium Perform the following procedures to ensure that automated scheduling tools have been implemented and operate in Include reference to
AT Job Scheduler) are in place to manage the accordance with established policies and procedures: pertinent supporting
processing of jobs and transactions and (1) View the list of scheduled jobs and note whether logging of changes to the job schedule has been enabled documents
schedule. Changes to the job schedule are to confirm that tools are adequately monitored:
appropriately approved by management. • To view the list of tasks scheduled using the Task Scheduler Wizard; access the Task Scheduler Wizard
using the Scheduled Task applet within the Control Panel of the system of interest.
• To view the list of scheduled tasks using the AT job scheduler; open a command line and type the
command “at” (without the quotes)
• Assess appropriateness of the list of scheduled tasks
• Assess the process for handling exceptions to the expected schedule
• Ensure only appropriate users have access to manage tasks
• Ensure the list of scheduled tasks is reviewed by management as appropriate
(monitored by management in accordance with established policies/procedures)
• Document your conclusions

(2 ) Assess the process for monitoring the Windows Task Scheduler or AT Command:
• A log of past scheduled tasks can be obtained by opening the "Scheduled Task" applet within the "Control
Panel" of the system of interest and selecting the "View Log" option from the "Advanced" menu.
• Ascertain changes to the task schedule are made in accordance with management's intentions and the
established policies and procedures
• Ensure only appropriate users have access to manage tasks
• Ensure sufficient documentary evidence exists to confirm management approval exists for changes to the
job/task schedule
• Document your conclusions

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 2 of 70

000099Active Directory - Audit Program

IT1.05 Access to automated scheduling tools and Preventive Automated High Examine entity documentation including printouts or onscreen displays of user access profiles or tables that detail users who Tab 2
executable programs is appropriately restricted have access to automated scheduling tools and executable programs in accordance with established policies and procedures.
to ensure only authorized users have the ability In order to manage the job scheduler, a user must be a member of one of the following groups:
to execute, modify, delete, or create job • Administrators, OR
schedule. • Backup Operators, OR
• Server Operators, OR
• Have permission to write to the Tasks folder located in the Windows directory.

Examine online screens or printouts of the individuals with access to manage the
job scheduler (define or modify production schedules):
• Assess the listing for reasonableness/appropriateness of access privileges
• Document your conclusions

Control Objective IT2: Organization’s data is appropriately managed during the update and storage process to ensure it remains complete, accurate, and valid.

Risk: If data is not retained, in the event of systems incident, it may not be possible to reconstruct the data from source documentation.

IT2.01 Automated data retention tools are in place to Preventive Automated High Examine entity documentation, including automated data retention tool documentation and access control reports, indicating Include reference to
manage the backup and retention of data that the data retention tools are implemented and the backup and retention of data is performed in accordance with established pertinent supporting
schedules. Changes to the backup and data policies and procedures. documents
retention schedule are appropriately approved
by management.
Alternatively, observe the implementation of automated data retention tools. Observe online within the data retention tool the
schedule used to backup data to confirm that the schedule was implemented in accordance with established policies and
procedures approved by management.

Observations should be conducted on an unannounced basis whenever possible. Tests should be performed to gain evidence
that the control activity operated throughout the period of intended reliance and to conclude that the control activity operated
effectively during such time.

Document your conclusion.

IT2.02 Backup procedures exist for Windows system Preventive Automated High Perform the following procedures to ensure that back up strategy has been appropriately established by management and that Include reference to
files critical to financial processing and critical Windows environment system files and Windows based data files critical to financial processing are appropriately pertinent supporting
Windows managed storage areas that contain included in the back up strategy: documents
the data files. • Obtain latest copy of the established policies and procedures
• Check for creation/revision dates to ensure procedure is up-to-date
• Review for adequacy control points that ensure that all critical Windows environment
system files & Windows based data files critical to financial processing are
appropriately backed up in accordance with established policies and procedures.

IT2.03 Backups and retention of data are Detective Manual Medium Examine entity documentation or online screens indicating whether the selected data was appropriately backed-up, retained, Tab 3
appropriately planned, scheduled, and and/or destroyed as defined in the electronic backup and retention schedule and reviewed by management in accordance with
supervised by management. Retention periods established policies and procedures. Examine online or printed documentation of data held in storage, schedules for erasure
are in line with best practices, audit and release of data.
requirements and business needs.
Management periodically reviews retention Perform the following procedures to confirm that backups are executed in accordance with established policies and procedures
records. and that exceptions are promptly resolved:

• Examine entity documentation, such as completed backup logs indicating that the processing is monitored in
accordance with established policies and procedures
• Examine entity documentation such as exceptions and/or problem logs over the period of intended reliance
• Using attribute sampling guidelines, select an adequate sample of backup errors over the period of intended
reliance (your audit timeframe)
• Examine related documentation to ascertain that the errors were appropriately resolved in accordance with
management's intentions and the established policies/ procedures (evidence that backups were re-run to
normal completion);
• Ensure sufficient documentary evidence exists to corroborate your conclusions
• Document your conclusions.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 3 of 70

000099Active Directory - Audit Program

IT2.04 Backup tapes are properly labeled and timely Preventive Manual Low Examine entity documentation that all media is clearly labeled and stored in a secured, environmentally controlled location in Tab 4
stored in a secured environmentally controlled accordance with established policies and procedures.
location to minimize risk of data lost.
Observe the on-site and/or off-site storage locations. Verify the adequacy of the facilities locations, physical security systems,
and environmental controls.

• Using attribute sampling guidelines, select an adequate sample of backups over the period of intended reliance
• Trace backup tapes to the storage locations
• Tapes stored on-site - observe to confirm tapes are stored in a secure storage
• Tapes stored off-site - examine documentary evidence to confirm tapes were appropriately shipped off-site
• Ensure sufficient documentary evidence exists to corroborate your conclusions
• Document your conclusions.

IT2.05 Backups are archived off-site to minimize risk Preventive Manual Low Examine entity documentation, such as backup inventory logs and off-site storage location receiving tickets/transmittals, that Tab 5
that data is lost. the control activity was performed in accordance with established policies/procedures.

If feasible, observe the off-site storage locations. Verify the adequacy of the facilities locations, physical security systems, and
environmental controls. Observations should be conducted on an unannounced basis whenever possible and should be
performed to gain evidence that the control activity operated throughout the period of intended reliance and to conclude that
the control activity operated effectively during such time.

IT2.06 The readability of backup and retained data is Detective Manual Medium Examine entity documentation that the periodic testing of the ongoing readability of backups was performed in accordance with Include reference to
periodically assessed through restoration or established policies and procedures. pertinent supporting
other methods. documents
Select a sample of readability assessments performed by management over the period of intended reliance and examine
documented evidence that the readability of backups is tested periodically in accordance with established policies and
procedures. Document your conclusions.

Control Objective IT3: Facilities that house relevant IT infrastructure are appropriately safeguarded to protect the integrity of organization’s data managed by that infrastructure.

Risk: Inadequate physical security measures may result in unauthorized physical access, loss or substitution of data or malicious damage to the computer facility, entity's equipment and hardware;
information resources may not be available when they are needed. Such damage could result in failure of the entity's critical processes.
IT3.01 A physical access control mechanism is in Preventive Manual Medium Examine entity documentation, including access listing of personnel with authority to change physical access mechanisms, that Tab 6
place to restrict access to protected areas to the control activity was performed in accordance with established policies and procedures:
appropriate personnel. Authority to change
physical access control mechanisms is (1) Physical access control mechanisms
restricted to authorized personnel. • Observe the entity personnel access the facilities through the access control mechanism
• Observations should be conducted on an unannounced basis whenever possible
• Tests should be performed to gain evidence that the control activity operated throughout the period of
intended reliance and to conclude that the control activity operated effectively during such time.
• Access the access control mechanism for adequacy
• Document your conclusions

(2) Ability to administer access to the restricted areas

• Obtain a system generated listing of personnel with authority to change physical access mechanisms
(i.e., grant access, reset security codes, etc.)
• Review for appropriateness with management to ensure only appropriate individuals have access to
change physical access mechanisms
• Document your conclusions

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 4 of 70

000099Active Directory - Audit Program

IT3.02 Access to the computer/server room is Preventive Manual Medium Examine entity documentation, such as the steps involved in granting and removing physical access, the frequency of security Tab 7
monitored and is restricted to authorized code changes, logs indicating whether access has been granted or revoked and logs (manual and automatic) indicating
individuals who require such access to perform personnel who have gained access to sensitive areas. Examine documentation of problems such as thefts or other security
their job responsibilities. Information violations.
technology management approval is required
before access is granted.
Examine access listing of personnel with physical access to the computer/server room and ensure that access is granted and
removed in accordance with established policies and procedures:
• Obtain a system generated listing of users with access to the restricted areas
• Review for appropriateness to ensure only appropriate individuals have access to restricted areas
• Document your conclusions

Observe the physical security monitoring mechanisms and resources of the immediate surroundings of computer equipment.
Observe the following:
• Entry of employees and visitors and physical access controls, entry/exit controls
• Reports, logs, and other information used, including how they are used
• Procedures performed when exceptions are encountered
• Document your conclusions

IT3.03 Periodic reviews of access to information Detective Manual Medium Examine documentation indicating that reviews of access listings of personnel with access to the restricted areas and Include reference to
technology resources and facilities are personnel with authority to change physical access mechanisms have been conducted and unauthorized personnel have been pertinent supporting
performed by management to ensure that only removed promptly. Document your conclusion. documents
users that need such access to perform their
job function are authorized.

Information Security
Control Objective IT4: Logical security tools are techniques are appropriately implemented to ensure only appropriate individuals have access
to organization’s information resources to ensure complete, accurate, and valid processing or recording of financial information.
Risk: Control activities within the significant flows of transactions may be ineffective, desired segregation of duties may not be enforced, and
significant information resources may be modified inappropriately, disclosed without authorization, and/or become unavailable when needed.
IT4.01 Security policies procedures around access to Preventive Manual Low Perform the following procedures to ensure that access security strategy has been appropriately established and maintained Include reference to
the network and communication software are by management to provide for the overall direction and configuration of information security as it relates to restricting access to pertinent supporting
documented and maintained. Compliance with the network and communication software to appropriate personnel: documents
the policies is monitored by management. • Obtain latest copy of the established policies and procedures
• Check for creation/revision dates to ensure procedure is up-to-date
• Review for control points around security and restriction of access to information resources for adequacy
(granting access to users, disablement of accounts users no longer requiring access to the system, etc.)
• Corroborate with employees responsible for user administration that the policy is followed as described
• Document your conclusions.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 5 of 70

000099Active Directory - Audit Program

IT4.02 The identity of users (both local and remote) is Preventive Automated High Windows Servers Include reference to
authenticated to the Windows environment Examine the entity’s documentation to confirm that Windows password policies are configured to be consistent with standard pertinent supporting
through passwords or similar authentication build or baseline security configuration documents: documents
mechanisms. Such mechanisms are in • Ensure that the local account policy settings are in accordance with corporate policy
compliance with entity security policies. The • Confirm that the following settings are in line with entity's policies and procedures:
use of passwords incorporates policies on - Required password length
periodic change, confidentiality, and password - Password expiration
format (e.g., password length, alphanumeric - Password history
content). - Login attempts before lockout
- Time before login attempts are reset
- Account lockout duration
• Document your conclusions.

Active Directory (Domain Controllers) - Domain Account Policies Tab 8

• Examine password parameters for the Active Directory domain and any relevant OUs
• Confirm that Account Policy password and authentication requirements in corporate
policy are enforced for Active Directory accounts
• Confirm that the settings are inline with entity's policies and procedures
• Document your conclusions.
Note: There are numerous tools that work with Windows Active Directory and include information on Windows and Active
Directory password parameters. If tools are not available, please refer to [Tab 8] for guidance on manual data collection.

Active Directory (Domain Controllers) - Individual Account Level Control N/A

Domain Account Policy values can be overridden at individual user account level. As such, appropriate Domain Account Policy
values do not necessarily mean that security at the individual account level is similarly appropriate.

If users are not required to change their passwords on a frequent basis, their passwords are likely to become known to other
employees and potential intruders. The user profile could then be used to gain unauthorized access to systems and data until
the real user changes the password to a new one.

Perform the following procedures to confirm that security settings for individual accounts do not override intended policy
settings:
• Obtain system generated listing of accounts in Active Directory with information
below included for further analysis:
- Password Never Expires (Yes/No)
- Last Password Change (Date)

(1) Password Never Expires Tab 9

• Examine the listing of users with passwords set to never expire for appropriateness
• Document your conclusions

(2) Last Password Change Tab 10

• Examine the listing of users with passwords not changed as required by the entity's
documented procedures and assess for appropriateness
• Document your conclusions

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 6 of 70

000099Active Directory - Audit Program

IT4.03 Windows default accounts are appropriately Preventive Manual Medium Examine the entity’s documentation to confirm that: Include reference to
safeguarded - accounts are either modified, • The default “Administrator” account has been renamed pertinent supporting
eliminated, or disabled or passwords for such - The administrator account has full control by default. It is a good idea to rename the documents
accounts are modified. administrator account. Management could then create another account called
Administrator with lowest permission on the network so if a hacker does get hold of the
administrator account, they will have the lowest form of privileges on the network
• The default “Guest” account has been disabled
• Confirm that generic user IDs have been removed, disabled or have appropriate
business justification for their existence:
- Obtain a listing of Windows user accounts defined in the system
(can be obtained by opening the “Active Directory Users & Computers”
application in the “Administrative Tools” program group)
- Examine the listing for enabled default or generic Windows accounts
- Determine if there is a valid business rationale for their existence
- Document your conclusions.

IT4.04 Use of privileged access within the Windows Preventive Manual Medium The number of accounts with Administrator privilege should be kept to a minimum. These accounts should only be used for Tab 11
environment is limited to appropriate administrative functions. Users with administrative privileges should use a separate account for normal day-to-day use.
personnel. Examine the entity’s documentation to confirm that:
• Only appropriate user accounts belong to the standard administrator groups and a
periodic review of such groups is performed by management
• Only appropriate user accounts have delegated administrative authority for the OUs
of interest
• The built-in Administrator account should be renamed to a less obvious name to
lessen the possibility of hackers guessing the password, as they would have to
guess account name also. This account can never be locked out due to failed logon
attempts. The account cannot be disabled or deleted
• Document your conclusions.

Manual Data Collection

• A list of user IDs that belong to the groups of interest can be found by accessing
the “Active Directory Users & Computers” application in the “Administrative
Tools” program group and navigating to the appropriate groups
• A list of user accounts with delegated administrative permission for an OU of interest
can be found by accessing the “Active Directory Users & Computers” application
in the “Administrative Tools” program group and navigating to the OU of interest
• Once the OU is found, right-click on the OU, select “Properties,” then navigate to the
“Security” tab and click on the “Advanced” button.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 7 of 70

000099Active Directory - Audit Program

IT4.05 The Windows environment is configured and Detective Manual Medium For more-secure environment, management has an option to track access to some or all of the resources on the network. Tab 12a
activated to record and report security events There are numerous auditing options and configurations that management can choose from. This granularity helps in many
(such as security violation reports, ways:
unauthorized attempts to access information • It allows targeting specific activities
resources) as defined in information security • Narrower audit scope results in smaller logs (makes review of logged data more efficient)
policies; reports generated are regularly • Reduced load on the system (provides more resources to other activities).
reviewed and necessary action taken.
Examine the entity’s documentation to confirm that the following items are occurring in accordance with the entity’s established
policies and procedures or leading practices:

• Audit logs are securely stored and retained; Tab 12b

• Access to audit logs is restricted;
• Audit logs are regularly reviewed;
• Actions are taken upon the identification of audit log anomalies
• Document your conclusions.

Manual Data Collection

• General audit policy settings can be found in the Local Policies section of the Default
Domain (Controller) Security Policy (or other applicable group policy).
• Directory/file audit settings can be obtained by examining the “Properties” of the folder
and then selecting the “Security” tab. Next click “Advanced” and the select the
“Auditing” tab. Specific file audit settings are then listed for that directory.
• To confirm permissions on the event logs: Locate the %systemroot%\system32\config
folder and right click on it. Select Properties. Then click on the Security tab and a list of
all users with access permissions to this folder is listed.

IT4.06 Security settings are appropriately configured Preventive Manual Medium In addition to the password parameter settings (refer to control IT4.02 above) and audit log settings (refer to control IT4.06 Tab 13
to prevent unauthorized or inappropriate use of above), examine entity documentation to confirm that:
the Windows environment supporting financial • Domain security policies are configured to be consistent with standard build or baseline
systems. Configuration options are security configuration documents
documented and management reviews and • Any deviations from standard build or baseline security configuration documents are
approves changes to security configuration approved by management through a formal review process
settings. • Document your conclusions.

Manual Data Collection

• Domain security policies & the directory services configuration can be obtained
by opening “Active Directory Users & Computers” application in “Administrative
Tools” program group
• Once open, the Default Domain Security Policy can be obtained by accessing “Group
Policy” tab of the “Properties” page for the domain of interest. The Default Domain
Controller Security Policy can be obtained by accessing the “Group Policy” tab of the
“Properties” page for the “Domain Controllers” OU within the domain of interest.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 8 of 70

000099Active Directory - Audit Program

IT4.07 Users have a unique user identifier in order to Preventive Automated High Examine entity documentation, such as a listing of system users and user IDs, indicating that the users are required to have a Tab 14
distinguish one user from another and to unique user identifier in accordance with established policies and procedures. If shared user IDs exist, confirm that
establish accountability. Access to shared IDs shared/generic user IDs have justification for their existence and that access to shared IDs is monitored by management:
is monitored by management.
• Obtain a listing of Windows user accounts defined in the system
(can be obtained by opening the “Active Directory Users & Computers” application in
the “Administrative Tools” program group)
• Examine the listing for enabled shared or generic Windows accounts
• Determine if there is a valid business rationale for their existence
• Confirm that access to such IDs is monitored by management
• Document your conclusions.

IT4.08 Management authorizes the nature and extent Preventive Manual Medium Examine entity documentation, (e.g., written requests from user management for changes to employee access privileges), Tab 15
of user access privileges. User access indicating that application owners authorize the nature and extent of user access privileges was performed in accordance with
privileges are periodically reviewed by established policies and procedures:
management to verify access privileges remain • Obtain a listing of Windows user accounts defined in the system
appropriate. (can be obtained by opening the “Active Directory Users & Computers” application in
the “Administrative Tools” program group)
• Examine the listing for accounts created during the period of intended reliance
(the audited timeframe)
• Use your attribute sampling guidelines to select an adequate sample of the accounts
created over the period under review for further testing
• For selected accounts, examine documentary evidence (e.g., access forms, etc.) to
confirm that access was appropriately approved by management before it was granted
• Document your conclusions.

Further, examine entity documentation, (e.g., periodic sign-off of user access listing and related access, etc.) indicating that
access to Active Directory is periodically reviewed by management to ensure access remains appropriate:
• Have a discussion with individual(s) performing the review to determine if the reviews
take place and the frequency of such reviews
• Examine documentary evidence to ensure access to Active Directory is reviewed by
management as appropriate in accordance with established policies/procedures
• Document your conclusions.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 9 of 70

000099Active Directory - Audit Program

IT4.09 Procedures are in place to ensure that the Preventive Manual Medium Examine entity documentation, (e.g., written requests from user management for changes to employee access privileges), Tab 16
security administrator is notified of employees indicating that application owners manage the nature and extent of user access privileges in accordance with established
who have changed roles and responsibilities, policies and procedures:
transferred, or been terminated. Access • Obtain a listing of Windows user accounts defined in the system
privileges of such employees are immediately (can be obtained by opening the “Active Directory Users & Computers” application in
changed to reflect their new status. the “Administrative Tools” program group)
• Obtain an HR listing of terminations over the period of intended reliance

• Compare the two listings (use MS Access or VLOOKUP function in Excel) to ensure that
access to Active Directory is appropriately disabled for employees that do not require
such access (i.e., employee's access to systems have been appropriately disabled)
- Alternatively, obtain a listing of current employees to compare with the user listing of
users in Active Directory. Anyone with access to Active Directory but not on the listing
of current employees should be investigated for appropriateness.
• Validate the listing of terminations with active accounts in Active Directory for accuracy
(i.e., for terminated employees that may have been re-hired, etc.)
• Document your conclusions.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 10 of 70

000099Active Directory - Audit Program

IT4.10 Management reviews that current information Detective Manual Medium Inquire about configuration of access privileges within network and communication software for operations, user administration, Include reference to
technology employees’ access rights are security, and data control personnel to confirm that appropriate segregation of duties exists. If one individual has responsibility pertinent supporting
appropriately segregated. Identified for more than one of these functions, that individual could conceal errors or fraudulent activity. In addition to the functions documents
segregation of duties conflicts are promptly above, the following responsibilities should be segregated:
corrected. • Initiate request to alter transactional data, security parameters, or employee access
privileges
• Approve editing of transactional data, security parameters, or employee access privileges
• Edit transactional data, security parameters, or employee access privileges.

Examine entity documentation (e.g., periodic sign-off of user access listing for information technology personnel and related
access privileges), indicating that privileges are periodically reviewed by information technology management to verify that
access privileges remain appropriate. Document your conclusions.

IT4.11 Terminals and work stations are protected by Preventive Automated High Perform the following procedures to reperform the programmed elements of the control activity: Include reference to
time-out facilities, which are activated after an • Examine policies and procedures regarding time-out protection for local and remote pertinent supporting
appropriate, predetermined period of inactivity terminals and workstations documents
has elapsed. • Log onto the system and assess the functioning and effectiveness of time-out facilities on
terminals and workstations
• Observe on a sample of local and remote terminals and workstations that timeout facilities
have been activated and assess the security parameters configuring the time-out period
for appropriateness
• Document your conclusions.

It is recommended that observations are conducted on an unannounced basis whenever possible. Tests should be performed
to gain evidence that the control activity operated throughout the period of intended reliance and to conclude that the control
activity operated effectively during such time.

Control Objective IT5: Systems configuration and security settings are appropriately implemented and administered to protect against
unauthorized modifications that can result in incomplete, inaccurate, or invalid processing or recording of organization’s data.

Risk: Significant information resources may be modified inappropriately, disclosed without authorization, and/or unavailable when needed. Security breaches may go undetected.

IT5.01 Security policies procedures over information Preventive Manual Low Perform the following procedures to ensure that security strategy has been appropriately established and maintained by Include reference to
security settings and configuration for management to provide for the overall direction and configuration of information security: pertinent supporting
implemented, new, or modified network and • Obtain latest copy of the established policies and procedures documents
communication software are documented and • Check for creation/revision dates to ensure procedure is up-to-date
maintained. Compliance with the policies is • Review for adequacy control points around information security settings and
monitored by management. configuration
• Obtain samples of signed User Acknowledgement Forms or Security Policy
Acceptance Forms to evidence that employees are made aware of security policies.

IT5.02 Sensitive data is encrypted while being Preventive Automated High Examine entity documentation indicating that sensitive data is encrypted while being transmitted in accordance with Include reference to
transmitted. established policies and procedures. Examine entity documentation, including change documents, that key storage, key pertinent supporting
transmission, the retirement of keys, and inputting keys into an application is controlled. documents

For manual elements of the control activity (if any), reperform the control activity and review the access control over encryption
software in accordance with the established policies and procedures. Document your conclusions.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 11 of 70

000099Active Directory - Audit Program

IT5.03 Available service packs and patches are Preventive Manual Medium A software patch or hot-fix is a program file that installs one or more files on the system to correct a software problem or Tab 17
examined to determine applicability to the address security vulnerabilities that are discovered in software components. If entity lacks a policy to ensure relevant hot-fixes
Windows environment. Procedures are in place are promptly identified and installed, the system will be exposed to an increased risk of being compromised, damaged or
to ensure that appropriate Windows security exploited (i.e. unauthorized remote access to the system; illegal execution of code; elevation of privileges; and denial of service
patches and fixes are applied to prevent attacks, etc.).
exploitation of known security vulnerabilities.
Compliance with such procedures is monitored
by management. For each update that is released in response to a security vulnerability, a recommendation on the vulnerability’s severity should
be determined by management. The following recommended severity ratings are assigned by Microsoft as each service pack,
security update, patch and hot-fixe is released:
• Critical - vulnerability can result in propagation of an Internet worm without user action
• Important - vulnerability can result in compromise of the confidentiality, integrity, or
availability of users' data, or of the integrity or availability of processing resources
• Moderate - exploitability is mitigated by difficulty of exploitation
• Low - vulnerability whose exploitation is extremely difficult, or whose impact is minimal.

In most situations, it is sufficient for auditors to confirm the presence of Critical and Important service packs, security updates,
patches and hot-fixes (although highly critical systems may require more thorough testing).

Perform the following procedures to ensure that appropriate service packs, security updates, patches and hot-fixes are
promptly evaluated and installed:
• Obtain a listing of service packs, security updates, patches and hot-fixes for a given
version of Windows (can be found on Microsoft’s web site at http://www.microsoft.com/)
• Obtain a listing of service packs, security updates, patches and hot-fixes installed on the
system
• Determine if there is a valid business rationale for service packs, security updates,
patches, and hot-fixes that have not been applied.

Perform the following procedures to ensure that management is aware of newly discovered security vulnerabilities:
• Examine entity documentation, (e.g., security bulletins, vendor news releases, logs of
patch application), indicating that vulnerabilities are identified and application of patches
and fixes are periodically reviewed by information technology management to provide
that the security configuration remains appropriate
• Observe that security administrators receive (via e-mail) automatic notification of security
bulletins from vendors and that actions are taken upon receipt of bulletins
• Observe online the automated release schedules for the implementation of security
patches and fixes.

Perform the following procedures to ensure that management is aware of newly released patches and fixes:
• Ensure procedures exist to periodically monitor vendor and third-party or industry sources
for patch and update release information
• Procedures to assess patch or update’s relevance to the existing implementation(s) of
Windows
• Procedures to determine criticality and significance of the patch or update (e.g., threat,
vulnerability and likelihood of vulnerability exploitation)
• Existence of a deployment schedule, including deployment scope
• Document your conclusions.

IT5.04 The Windows environment file system is Preventive Manual Medium Examine the entity’s documentation to confirm that: Include reference to
configured to restrict access to critical • NTFS is in use on disks that support storage of Windows system files and data pertinent supporting
Windows system files and Windows managed (can be obtained by examining the “Properties” of each drive or using the Disk documents
storage areas that contain data files and Management Menu under the Computer Management Admin Utility to view all drives on
applications critical to financial processing. that server)
Management reviews the configuration of file
access controls. • Directory permissions of all directories that support the storage of Windows system files
and financial applications and data are adequately secure according to corporate policy
and/or recommended practice
(can be obtained by examining the “Properties” of the folder and then selecting the
“Security” tab; users and groups with permissions are then listed; highlight each user
or group to see the permissions for that user or group listed)

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 12 of 70

configured to restrict access to critical pertinent supporting
Windows system files and Windows managed documents
storage areas that contain data files and
applications critical to financial processing. 000099Active Directory - Audit Program
Management reviews the configuration of file
access controls.
Control Control Description Control Control Control Testing Procedures: Testing Ref. Conclusion on Exception Details Mitigating
No Type Nature Risk The testing guidance below has been designed to assist the reviewer in performing the tests of operating effectiveness of an Ref. to supporting Operating For ineffective controls Controls
Preventive/ Manual/ High/ entity's internal controls to gain reasonable assurance that controls operate effectively in accordance with established policies, evidence obtained Effectiveness For ineffective
Detective Automated Medium/ procedures, and guidelines and applicable laws and regulations. during the test of Effective/ controls
Low control Ineffective

• Ensure there is a process in place by which management identifies those directories

that require access controls, and the process is performed in accordance with established
policies and procedures;
• Ensure there is a process in place by which management reviews and approves changes
to those access controls, and the process is performed in accordance with established
policies and procedures.
• Document your conclusions.

IT5.05 Owners over the network and communication Preventive Manual Medium Examine entity documentation indicating that appropriate owners have been identified and defined for the systems and data Include reference to
software are defined to establish accountability elements. If available, examine documentary evidence (such as e-mails, memos, or meeting minutes) indicating the owners’ pertinent supporting
for the security and integrity of systems and involvement in the definition of security requirements of and the authorization of access to their assigned data elements. documents
data.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 13 of 70

000099Active Directory - Audit Program

IT5.06 The configuration of trust relationships for the Detective Manual Medium A trust relationship is a link between two domains where the trusting domain honors logon authentications of the trusted Include reference to
Windows environment is approved by domain. Active Directory services support two forms of trust relationships: pertinent supporting
management. Management monitors the • One-way, non-transitive trusts - if Domain A trusts Domain B, Domain B does not documents
configuration on a regular basis. automatically trust Domain A. If Domain A trusts Domain B and Domain B trusts Domain C,
then Domain A does not automatically trust Domain C.
• Two-way, transitive trusts - the default in Windows 200x*. if Domain A trusts Domain B,
then Domain B trusts Domain A. In a transitive trust relationship, if Domain A trusts
Domain B and Domain B trusts Domain C, then Domain A trusts Domain C.

The trusting domain will rely on the trusted domain to verify the user ID and password of users logging on the trusted domain.
Trusted domains can potentially provide paths for illegal access to the trusting domains. Weak security standards applied in
trusted domains can undermine security on the trusting domains.

Examine trust relationships between the domains for appropriateness. Ensure that security in domains trusted by the domain in
scope for audit is implemented and administered to appropriate standards.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 14 of 70

000099Active Directory - Audit Program

Change Control

Control Objective IT6: Programs and systems are appropriately acquired or developed in a manner that supports the accurate, complete, and valid processing and recording of organization’s financial information.

Risk: Inappropriate decisions to acquire or develop programs and systems can result in implementation of software that is unable to meet the entity's information processing needs,
there is an increased risk that financial reporting applications will not be able to pass data between underlying network and infrastructure components.
IT6.01 A procedure, approved by management, is Preventive Manual Medium Examine documentary evidence by selecting a sample of programs and/or systems newly acquired or developed and Tab 18
established to guide the acquisition, examining relevant documentation to support that the methodology has been followed:
development, modification, and maintenance of • Examine entity documentation for the guidelines and procedures required to be performed
network and communication software to as part of any system acquisition or system development project
establish consistency of development and • Review for control points around acquisition, development, modification, and maintenance
maintenance activities within the entity. of network and communication software
• Obtain a listing of network and communication software acquired or developed over the
period of intended reliance (the audited timeframe)
• Use your attribute sampling guidelines to select an adequate sample of such acquisitions
or development projects completed over the period under review for further testing
• For selected acquisitions or development projects, examine documentary evidence to
confirm that methodology has been followed
• Document your conclusions.

Tests should be performed to gain evidence that the control activity operated throughout the period of intended reliance and to
conclude that the control activity operated effectively during such time. The supporting documents should indicate that the
established methodology was used to guide the acquisition or development of network and communication software in
accordance with established policies and procedures.

IT6.02 A process is defined by which alternative Preventive Manual Medium Examine documentary evidence indicating that alternative approaches for the acquisition or development of network and Include reference to
approaches to the acquisition, development, communication software are reviewed, scored, and evaluated in accordance with established selection criteria, policies and pertinent supporting
modification, or maintenance of network and procedures. Document your conclusions. documents
communication software are evaluated and
approved to verify that management has
identified and accepted any processing
constraints inherent in the system being
acquired, developed, modified, or maintained.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 15 of 70

000099Active Directory - Audit Program

IT6.03 Any acquisitions, development, modifications, Preventive Manual Medium Examine documentary evidence such as policies and procedures, requirement lists, and the results of the approval processes Tab 19
or maintenance projects affecting Windows conducted, indicating that the development, implementation or modification projects are approved in accordance with
environment are approved by management established policies and procedures:
prior to implementation. • Obtain a listing of network and communication software acquired or developed over the
period of intended reliance (the audited timeframe)
• Use your attribute sampling guidelines to select an adequate sample of such acquisitions
or development projects completed over the period under review for further testing
• For selected acquisitions or development projects, examine documentary evidence to
confirm that projects were approved by authorized individuals prior to implementation
• Document your conclusions.

IT6.04 A quality assurance function is established to Preventive Manual Medium Perform the following procedures to ensure that a quality assurance function operates as established: Tab 20
independently confirm that the systems • Obtain a listing of network and communication software acquired or developed over the
acquisition (for purchased Windows software) period of intended reliance (the audited timeframe)
and/or system development (for in-house • Use your attribute sampling guidelines to select an adequate sample of such acquisitions
developed tools or when modifications to the or development projects for further testing
purchased software are required) project • For selected acquisitions or development projects, examine documentary evidence such
follows the entity's defined procedures and as reports from quality assurance reviews to verify that quality assurance personnel:
standards. Recommendations from the QA
function are appropriately addressed by (1) appropriately identified deviations from the entity’s procedures and standards
management. (2) appropriately communicated problems to management
(3) recommendations resulted in remedial actions, indicating that quality assurance
function has confirmed that systems development and acquisition is compliant with the
entity's procedures and standards
• Document your conclusions.

Control Objective IT7: Programs and systems are appropriately implemented in a manner that supports the accurate, complete, and valid processing and recording of organization’s financial information.

Risk: Inappropriate development and implementation of programs and systems can result in unreliable processing, incomplete recording of data, or lost data. Appropriate implementation of systems
includes design and implementation of controls within the systems to support the initiation, recording, processing, and reporting of financial information and disclosure.
IT7.01 Acquired, developed, and modified network Preventive Manual Medium Examine documentary evidence indicating that test cases and expected results are prepared and signed off by business Tab 21
and communication software is tested prior to owners and development management in accordance with established policies and procedures.
implementation in accordance with test plans.
Test cases and test results relevant to network Examine documentary evidence indicating that purchased systems and in house development and modifications are tested
and communication software acquisition, prior to implementation in accordance with management approved test plans:
development, modification, and maintenance
projects are prepared and are approved by • Obtain a listing of network and communication software acquired or developed over the
appropriate business owners and/or period of intended reliance (the audited timeframe)
management. • Use your attribute sampling guidelines to select an adequate sample of such acquisitions
or development projects completed over the period under review for further testing
• For selected acquisitions or development projects, examine documentary evidence to
confirm that testing was appropriately performed prior to implementation
• Document your conclusions.

Further, observe the use of a separate test environment by observing a system developer or tester log into the system test
environment and identify by (observing the name of the environment to which the developer or tester has authenticated) that
the environment is different from those used for production system processing. Observe an on-screen listing, or obtain a listing
of users with access to test environment and validate that access to the environment is appropriate. Document your
conclusions.
IT7.02 Problems encountered during testing of Preventive Manual Medium Examine documentary evidence indicating that problems encountered during testing of development and modifications are Tab 22
acquired, developed, and modified network and followed up for correction in accordance with established policies and procedures:
communication software in Windows
environment are documented; errors
appropriately resolved.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 16 of 70

000099Active Directory - Audit Program

Control Control Description Control Control Control Testing Procedures: Testing Ref. Conclusion on Exception Details Mitigating
No Type Nature Risk The testing guidance below has been designed to assist the reviewer in performing the tests of operating effectiveness of an Ref. to supporting Operating For ineffective controls Controls
Preventive/ Manual/ High/ entity's internal controls to gain reasonable assurance that controls operate effectively in accordance with established policies, evidence obtained Effectiveness For ineffective
Detective Automated Medium/ procedures, and guidelines and applicable laws and regulations. during the test of Effective/ controls
IT7.02 Problems encountered during testing of Preventive Manual Medium
Low control Tab 22 Ineffective
acquired, developed, and modified network and
communication software in Windows • Obtain a listing of network and communication software acquired or developed over the
environment are documented; errors period of intended reliance (the audited timeframe)
appropriately resolved. • Use your attribute sampling guidelines to select an adequate sample of such acquisitions
or development projects completed over the period under review for further testing
• For selected acquisitions or development projects, examine documentary evidence to
confirm that:
(1) Testing was appropriately performed prior to implementation
(2) Problems encountered during testing were followed up for correction and resolved
• Document your conclusions.

IT7.03 Network and communication software is Preventive Automated High Examine documentary evidence indicating that programs and systems are modified and tested in an environment separate Include reference to
developed, modified and tested in an from the production environment and that access to environments are appropriately restricted in accordance with established pertinent supporting
environment separate from the production policies and procedures. documents
environment. Access to the development and
test environments is appropriately restricted.
Observe information technology personnel as they perform development, modification and testing of programs and systems to
determine whether activities are performed in logically isolated environment. Assess whether access to the environments are
appropriately restricted to authorized personnel by examining on-screen or documentary evidence listing the personnel
authorized to use the test environment.

Document your conclusion.

IT7.04 Network and communication software is tested Preventive Automated High Examine documentary evidence indicating that users perform acceptance testing for program and system development and Tab 23
by end-users (user acceptance testing). Such modifications in accordance with established policies and procedures:
testing is performed in a protected environment • Obtain a listing of network and communication software acquired, developed, or modified
separate from production before the acquired, over the period of intended reliance (the audited timeframe)
developed, or modified programs or systems • Use your attribute sampling guidelines to select an adequate sample of such acquisitions
are implemented. or development projects completed over the period under review for further testing
• For selected acquisitions or development projects, examine documentary evidence to
confirm that user acceptance testing was appropriately performed in accordance with
established policies and procedures
• Document your conclusions.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 17 of 70

000099Active Directory - Audit Program

IT7.05 Formal acceptance that testing has been Preventive Manual Medium Examine documentary evidence by obtaining a sample of changes made and verify that final approval that testing has been Tab 24
satisfactorily completed and that user satisfactorily completed was obtained from appropriate business owner and/or management prior to program and system
requirements have been met is obtained from development and modifications being implemented in accordance with established policies and procedures:
the appropriate business owners and/or
management before the acquired, developed,
• Obtain a listing of network and communication software acquired, developed, or modified
or modified programs or systems are
over the period of intended reliance (the audited timeframe)
implemented.
• Use your attribute sampling guidelines to select an adequate sample of such acquisitions
or development projects completed over the period under review for further testing
• For selected acquisitions or development projects, examine documentary evidence to
confirm that final approval that testing has been satisfactorily completed was obtained
from appropriate business owner and/or management prior to implementation in
accordance with established policies and procedures
• Document your conclusions.

IT7.06 Sufficient operations, technical, and user Preventive Manual Medium Examine documentary evidence by sampling the related documentation from a selection of network and communication Include reference to
documentation is prepared, used, and updated software. Documentation should be readily available and indicate that operations, technical, and user documentation is pertinent supporting
when installing and/or maintaining network and established, used and updated when installing and/or maintaining network and communication software in accordance with documents
communication software so that detailed established policies and procedures. Document your conclusions.
procedures for the operation and control of the
system placed into production are available
when needed.

IT7.07 The business risks and impact of proposed Preventive Manual Medium Examine documentary evidence by obtaining a listing of changes implemented over the period of intended reliance and Tab 25
network and communication software changes sampling selected changes to trace to an appropriate assessment of the risks and impact the change could represent:
is assessed and reviewed by management • Obtain a listing of network and communication software acquired, developed, or modified
before implementation. The results of this over the period of intended reliance (the audited timeframe)
assessment are used when designing, staffing, • Use your attribute sampling guidelines to select an adequate sample of such acquisitions
and scheduling such implementation, in order or development projects completed over the period under review for further testing
to minimize disruptions to operations. • For selected acquisitions, development projects, or modifications examine documentary
evidence to confirm that appropriate assessment of the risks and impact the change could
represent has been performed by management prior to implementation in accordance
with established policies and procedures
• Document your conclusions.

If no risk assessment is documented, documentary evidence (i.e., meeting minutes) of appropriate change management
meetings where the risks and impact where discussed should be examined. Evidence should indicate that management has
completed a review and approval of the assessment of the business risks and the impact of changes in accordance with
established policies and procedures.

IT7.08 A post implementation review is performed to Detective Manual Medium Examine documentary evidence indicating that a post-implementation review is performed in accordance with established Tab 26
establish whether the objectives for policies and procedures:
implementing the network and communication • Obtain a listing of network and communication software acquired, developed, or modified
software changes have been met. Identified over the period of intended reliance (the audited timeframe)
issues are brought to the attention of the • Use your attribute sampling guidelines to select an adequate sample of such acquisitions
business owner and to information systems or development projects completed over the period under review for further testing
management. • For selected acquisitions, development projects, or modifications examine documentary
evidence to confirm that post implementation review was appropriately performed by
management to confirm that objectives for implementing the network and communication
software changes were met
• Document your conclusions.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 18 of 70

000099Active Directory - Audit Program

IT7.09 Available vendor updates (service packs, Preventive Manual Medium Perform the following procedures to ensure that appropriate service packs, patches, security updates, and hot-fixes are Tab 27
patches, security updates, hot-fixes released promptly evaluated and installed:
by Microsoft) are examined to determine • Obtain a listing of service packs, patches, security updates, and hot-fixes installed on the
applicability to the Windows environment. system
Implementation of these updates are • Use your attribute sampling guidelines to select an adequate sample of service packs,
documented and approved by management to patches, security updates, and hot-fixes implemented over the period under review for
ensure that all changes to the production further testing
environment were documented, tested, and • Obtain evidence that corroborates the responses to your inquiries by examining
authorized. documentation for the implementation of service packs, patches, security updates, and
hot-fixes are documented, approved by management and tested prior to implementation
in accordance with established policies and procedures.
• Document your conclusions.

NOTE: This control activity can be tested in conjunction with testing of the standard change management process (IT6 and IT7
controls above) as long as the sample selected for testing includes implementation of Windows service packs and updates.

Control Objective IT8: Programs and systems are appropriately managed to prevent unauthorized modifications and errors and to ensure accurate, complete, and valid processing and recording of organization’s information.

Risk: Inappropriate management of the transfer of changes to the financial reporting systems may result in modifications that do not perform as expected and
can result in inaccurate calculations, unreliable processing, incomplete recording of data, lost data, cutoff errors, and other misstatements of the accounting records.
IT8.01 User and other requests for modifications to Preventive Manual Medium Perform the following procedures to obtain evidence that corroborates the responses to your inquiries by examining entity Tab 28
network and communication software, documentation that user and other requests for modifications including upgrades and emergency changes are documented,
including upgrades, and changes, are approved by management, and tested in accordance with established policies and procedures:
documented and approved by management to • Obtain a listing of modifications to the network and communication software over the period
verify that all changes were documented, of intended reliance
tested, and authorized. • Use your attribute sampling guidelines to select an adequate sample of modifications
implemented over the period under review for further testing
• Obtain documentary evidence to confirm that such modifications are documented, approved
by management and tested prior to implementation in accordance with established policies
and procedures.
• Document your conclusions.

IT8.02 Implementation of changes to network and Detective Manual Medium Examine documentary evidence, such as change control logs, change management meeting minutes, listings of changes Include reference to
communication software is monitored by implemented in production, and samples of emergency change requests, indicating that management monitors implementation pertinent supporting
management (e.g. change management of all changes in accordance with established policies and procedures. Tests should be performed to gain evidence that the documents
meeting, etc.), to verify that only approved control activity operated throughout the period of intended reliance and to conclude that the control activity operated effectively
changes are made. during such time.
IT8.03 Modifications to network and communication Preventive Manual Medium Obtain evidence that corroborates the responses to your inquiries by examining entity documentation indicating that Include reference to
software are tested in an environment other modifications are tested in the production environment and access to the production environments is appropriately restricted in pertinent supporting
than the production environment. Access to accordance with established policies and procedures. Examine the listing of users with access to the production environment documents
make changes is appropriately restricted to and confirm that developers and Quality Assurance (QA) analysts do not have “change” access.
prevent unauthorized modifications.
Observe employees responsible for testing changes perform procedures in an environment separate from production. Observe
that access to migrate changes to the production environment is appropriately restricted in accordance with established
policies and procedures.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 19 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 20 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 21 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 22 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 23 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 24 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 25 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 26 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 27 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 28 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 29 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 30 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 31 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 32 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 33 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 34 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 35 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 36 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 37 of 70

000099Active Directory - Audit Program

Planned Planned Remediation Ref. to Post-

Remediation Remediation Date Status Remediation
Procedures For ineffective Completed/ Testing Details
For ineffective controls In Progress If applicable
controls

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 38 of 70

000099Active Directory Audit - Supporting Evidence - Tab 1

Control IT1.02
Activity #
Control Processing of jobs and transactions is monitored by management for successful and timely completion. Exceptions are promptly resolved by management to provide for accurate, complete and authorized processing.
Activity
Test Steps 1) On [date], obtained from [Name, Title] a system generated listing of exceptions/errors generated as a results of [tool] that supports [batch process] in [Active Directory, Windows] environment and is used to [brief description of tool's purpose]. Noted a total
of [count] exceptions/errors between [date] and [date];
2) Per [entity] sampling guidance, haphazardly selected [count] exceptions/errors occurred over the period of intended reliance for detailed testing
3) For each selected exception/error obtained documentary evidence to confirm that errors were resolved appropriately in accordance with management's intentions and established procedures.
4) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of exceptions to job processing over the period of intended reliance:

Count Error ID: Error Description Error Date Selected for Error Resolved? Resolved Resolved By Issues Comments/ Issue Description
(if applicable) Detailed (Yes/No) On (Name, Title) Noted?
Testing? (Date) (Yes/No)
(Yes/No) N/A for errors NOT selected for testing
1
2

Total 0 0

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 39 of 70

000099Active Directory Audit - Supporting Evidence - Tab 2

Control IT1.05
Activity #
Control Access to automated scheduling tools and executable programs is appropriately restricted to ensure only authorized users have the ability to execute, modify, delete, or create job schedule.
Activity
Test Steps 1) On [date], obtained from [Name, Title] a system generated listing of users with access to the automated scheduling tools and executable programs;
2) Reviewed the listing with [Name, Title] on [date] for appropriateness to ensure only authorized users have such access;
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Users with access to automated scheduling tools and executable programs:

Count User ID User Name Access Details Access Appropriate Per Issues Comments/ Issue Description
Job Responsibilities? Noted?
(Yes/No) (Yes/No)
1
2

Total 0 0 0

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 40 of 70

000099Active Directory Audit - Supporting Evidence - Tab 3

Control IT2.03
Activity #
Control Backups and retention of data are appropriately planned, scheduled, and supervised by management. Retention periods are in line with best practices, audit requirements and business needs. Management periodically reviews retention
Activity records.
Test Steps 1) On [date], obtained from [Name, Title] a system generated listing of backup exceptions/errors over the period of intended reliance;
2) Per [entity] sampling guidance, haphazardly selected [count] backup exceptions/errors for detailed testing;
3) For each selected backup exception/error obtained documentary evidence to confirm that the error was resolved appropriately in accordance with management's intentions and the established policies/procedures.
4) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of backup [errors/error logs/days of occurrence] over the period of intended reliance
Count System ID Backup Description Backup Date Error Description Selected for Error Resolved? Resolved Resolved By Issues Comments/ Issue Description
(Full/Incremental; Detailed (Yes/No) On (Name, Title) Noted?
Daily/Weekly/Monthly) Testing? (Date) (Yes/No)
(Yes/No) N/A for errors NOT selected for testing
1
2

Total 0 0

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 41 of 70

000099Active Directory Audit - Supporting Evidence - Tab 4

Control IT2.04
Activity #
Control Backup tapes are properly labeled and timely stored in a secured environmentally controlled location to minimize risk of data lost.
Activity
Test Steps 1) Per [entity] sampling guidance, haphazardly selected [count] backups over the period of intended reliance for detailed testing;
2) For each backup obtained documentary evidence to confirm that backup tapes were appropriately created and stored in an appropriate location as per established rotation schedule;
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Backups - Assessment of backup tape storage location against established rotation schedule:
Count System ID Backup Description Backup Date Tape ID Tape Location Tape Location Appropriate As Issues Noted? Comments/ Issue Description
(Full/Incremental; Per Rotation Schedule? (Yes/No)
Daily/Weekly/Monthly) (Yes/No)

1
2

Total 0

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 42 of 70

000099Active Directory Audit - Supporting Evidence - Tab 5

Control IT2.05
Activity #
Control Backups are archived off-site to minimize risk that data is lost.
Activity
Test Steps 1) Examined [entity]'s rotation schedule
2) Per [entity] sampling guidance, haphazardly selected [count] backup tapes that are on the rotation for off-site archival;
3) For each backup tape selected for testing, obtained documentary evidence to confirm that backup tapes were appropriately sent off-site;
4) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Backups - Assessment of off-site archival

Count System ID Backup Description Backup Date Tape ID Tape Location Backup Archived Transmittal Sheet Exists to Off-Site Issues Comments/ Issue Description
(Full/Incremental; Off-Site? Confirm Archival? Archival Date Noted?
Daily/Weekly/Monthly) (Yes/No) (Yes/No) (Yes/ No)

1
2

Total 0 0

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 43 of 70

000099Active Directory Audit - Supporting Evidence - Tab 6

Control IT3.01
Activity #
Control A physical access control mechanism is in place to restrict access to protected areas to appropriate personnel. Authority to change physical access control mechanisms is restricted to authorized personnel.
Activity
Test Steps 1) On [date], obtained from [Name, Title] a system generated listing of users with access to change physical access mechanisms (reset assess codes, grant access to the computer room, etc.);
2) Reviewed the listing with [Name, Title] on [date] for appropriateness to ensure only authorized users have such access;
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Personnel with authority to change physical access mechanisms:

Count User ID User Name Title Access Type Access Access Access Form Approved By Approval Approval-Related Access Access- Comments/ Issue
Granted Approved? Completed? (Name, Title) Date Issues Noted? Appropriate? Related Description
On (Yes/No) (Yes/No) (Yes/No) (Yes/No) Issues
(Date) Complete for users with access granted during the period of intended reliance. N/A for older accounts. Noted?
(Yes/No)

1
2

Total 0 0 0 0 0

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 44 of 70

000099Active Directory Audit - Supporting Evidence - Tab 7

Control IT3.02
Activity #
Control Access to the computer/server room is monitored and is restricted to authorized individuals who require such access to perform their job responsibilities. Information technology management approval is required before access is granted.
Activity
Test Steps 1) On [date], obtained from [Name, Title] a system generated listing of users with access to the computer/server room;
2) Reviewed the listing with [Name, Title] on [date] for appropriateness to ensure only authorized users have such access;
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Personnel with physical access to the computer/server room:

Count User ID User Name Title Access Type Access Access Access Form Approved By Approval Approval- Access Access- Comments/ Issue
Granted Approved? Completed? (Name, Title) Date Related Issues Appropriate? Related Description
On (Yes/No) (Yes/No) Noted? (Yes/No) Issues
(Date) (Yes/No) Noted?
(Yes/No)
Complete for users with access granted during the period of intended reliance. N/A for older
accounts.

1
2

Total 0 0 0 0 0

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 45 of 70

000099Active Directory Audit - Supporting Evidence - Tab 8

Control IT4.02
Activity #
Control The identity of users (both local and remote) is authenticated to the Windows environment through passwords or similar authentication mechanisms. Such mechanisms are in compliance with entity security policies. The
Activity use of passwords incorporates policies on periodic change, confidentiality, and password format (e.g., password length, alphanumeric content).
Test Steps 1) Obtained Default Domain Policy and Administrator Password Policy from [Name, Title] on [Date]
2) Obtained [Entity]'s password policies and procedures
3) Examined Domain Accounts Policy settings against [Entity]'s documented policies and procedures to ensure that password settings are in compliance with the policy
4) Please refer to testing table below for details.
Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]
Results

Effective Domain Account Policies defined for the system per comparison with the leading practice and established procedures:
Note: Please note that appropriate policy values do not necessarily mean that security at account level is similarly appropriate (these values can be overridden at individual account level ). Other sections of this audit program will allow auditor to confirm that
security settings for individual accounts do not override intended policy settings.

Count Domain Policy Domain Policy Description Leading Domain Policy Domain Policy Settings Issues Comments/ Issue
Practice Requirement Value Appropriate? Noted? Description
(Per documented (Implemented (Yes/ No) (Yes/ No)
procedure) Setting)
1 Minimum Password Defines the minimum number of characters a password must contain. If it is zero then blank 8 or greater
Length passwords are allowed. Allowing blank passwords is a very high security risk, as it could
allow any person in possession of a valid User ID (Account Name) to gain access to your
system if the account has a null password. This policy can be overridden by the Password
Complexity policy.
2 Effective Minimum The effective minimum number of characters a password must contain when changing a 8 or greater
Password Length user password. The value is calculated from the settings of the Minimum Password Length
and Password Complexity parameters. If the Password Complexity policy is enabled, the
system will only accept user passwords with a minimum of 3 characters that comply with
Password Complexity requirements.

For example:
• If the Minimum Password Length is 0 and the Password Complexity policy is enabled then
the Effective Minimum Password Length will be 3.
• If the Minimum Password Length is 0 and the Password Complexity policy is disabled then
the Effective Minimum Password Length will be 0.
• If the Minimum Password Length policy is set to a value of 3 or greater then the Effective
Minimum Password Length will be the same as the Minimum Password Length policy
regardless of the setting of the Password Complexity policy.

3 Maximum Password The period of time a password can be used before the system forces the user to change it. 30 to 90
Age in Days The value can be between 1 and 999 days. A value of 0 means that passwords never expire.
Passwords that never expire are a security risk as they can be compromised over time. Note
that it is possible to override this value in individual user accounts via the Password Never
Expires option.

4 Minimum Password The minimum number of days that must elapse between password changes. The value can 0 to 7
Age in Days be between 0 and 999 days. A value of ‘0’ allows a user to change her password
immediately if she suspects it is known by someone else. However, this setting can increase
the risk of passwords remaining the same despite system-enforced changes. This is
because a user could change her password several times in quick succession until it is set
back to the original value. Setting the Password History Size to a sufficiently large value can
reduce this risk.

5 Password History Determines whether old passwords can be reused. It is the number of new passwords that 13 or greater
Size must be used by a user account before an old password can be reused. For this to be fully
effective, immediate changes should not be allowed under Minimum Password Age.
6 Password Complexity In order to meet the password complexity requirement, passwords must contain characters Enabled
from (for example) at least three (3) of the following four (4) classes:
• English Upper Case Letters (A, B, C, ... Z)
• English Lower Case Letters (a, b, c, ... z)
• Westernised Arabic Numerals (0, 1, 2, ... 9)
• Non-alphanumeric ("Special characters") (E.g., punctuation symbols)
This policy has an effect on the Effective Minimum Password Length.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 46 of 70

000099Active Directory Audit - Supporting Evidence - Tab 8

Count Domain Policy Domain Policy Description Leading Domain Policy Domain Policy Settings Issues Comments/ Issue
Practice Requirement Value Appropriate? Noted? Description
(Per documented (Implemented (Yes/ No) (Yes/ No)
procedure) Setting)
7 Reversible Password Determines whether Windows 200x* will store passwords using reversible encryption. This Disabled
Encryption policy setting provides support for applications, which use protocols that require knowledge
of the user password for authentication purposes. Storing passwords using reversible
encryption is essentially the same as storing clear-text versions of the passwords. For this
reason, this policy should not be enabled unless application requirements outweigh the need
to protect password information. By default, this setting is disabled in the Default Domain
Group Policy for domains and in the local security policy of workstations and servers.

8 User Must Logon to In order to change passwords, users must log on to the domain. This option can enhance Enabled
Change Password security by ensuring that users are logged on and authenticated before being able to change
their password. However, it could be disruptive to users whose passwords have expired, as
they would not be allowed to change their password before logging on. This option should be
used at the discretion of Management.
9 Lockout Threshold Lockout Threshold indicates the number of failed logon attempts for user accounts before 3
accounts are locked out. The value can be 1 to 999 failed attempts. A value of 0 will allow an
unlimited number of failed logon attempts.
10 Lockout Duration Lockout Duration indicates the amount of time an account will remain locked out when the 0
Lockout Threshold is exceeded. The value can be 1 to 99999 minutes; a value of 0 (forever)
indicates that the account cannot log on until an administrator unlocks it. N/A is set when
Lockout Threshold is set to 0.
11 Reset Lockout Reset Lockout Counter in Minutes. Specifies the period within which invalid logon attempts 1440
Counter in Minutes are monitored. I.e. if the number of failed logon attempts defined in Lockout Threshold is
reached within the number of minutes defined for Reset Lockout Counter in Minutes the
account is locked out for the period specified under Lockout Duration. The value for Reset
Lockout Counter in Minutes can be 1 to 99999 minutes.
- Allowing an excessive or unlimited number of invalid logon attempts can compromise
security and allow intruders to log on to your system.
- Setting the Lockout Duration to 0 (forever) will help ensure that administrators are alerted
of potential intruder attacks as only they can unlock accounts.
- Setting Lockout Duration to a small amount (e.g. 5 minutes) will undermine the
effectiveness of the Lockout Threshold and administrators might not be alerted to potential
intruder attacks.
- If the value for Reset Lockout Counter in Minutes is too small (e.g. 1 minute) it will increase
the risk of intruders gaining access to your system via repeated password guessing
attempts. If the value is too high it may inconvenience genuine users by locking out their
accounts when they enter incorrect passwords accidentally.

The Leading Practice values are:

• Lockout Threshold = 3
• Lockout Duration = 0 (Forever)
• Reset Lockout Counter in Minutes = 1440 minutes

12 Force Logoff When When enabled users will be forcibly disconnected from servers on the domain immediately Enabled
Logon Time Expires after their valid logon hours are exceeded. Valid logon hours are defined at user account
level. This option enhances security by ensuring that users are disconnected if they exceed
their valid logon hours or do not log off when leaving work. However, it could be disruptive to
users who have to work after hours and could compromise data integrity etc. This option
should be used at the discretion of Management.
13 Rename It is a good practice to rename the Administrator built-in account. This will minimize the risks New Name
Administrator of intruders using these well-known accounts when attempting to log on to the domain.
Account
14 Rename Guest It is a good practice to rename the Guest built-in account. This will minimize the risks of Disable
Account intruders using these well-known accounts when attempting to log on to the domain.
15 Allow Lockout of Allows the built-in administrator account to be locked out from network logons. This policy Enabled
Local Administrator setting can be modified using the “passprop” command-line utility.
Account

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 47 of 70

000099Active Directory Audit - Supporting Evidence - Tab 8

Count Domain Policy Domain Policy Description Leading Domain Policy Domain Policy Settings Issues Comments/ Issue
Practice Requirement Value Appropriate? Noted? Description
(Per documented (Implemented (Yes/ No) (Yes/ No)
procedure) Setting)
16 Prevent Transfer of Forces the client to use a protocol that does not allow the domain controller to get the clear Enabled
Passwords in Clear text password. To modify this policy, display and note the current value for the
Text pwdProperties property using the Windows Support Tool, ADSIEdit. Add Hex 4 (constant
DOMAIN_PASSWORD_NO_CLEAR_CHANGE in the Microsoft documentation) to the
current value and save the new setting. Note: An incorrect modification to the Active
Directory may harm the integrity of the system.
17 Disable Password Removes the requirement that the machine account password be automatically changed Disabled
Changes for Machine every week. This value is ignored in Windows XP and later.
Accounts

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 48 of 70

000099Active Directory Audit - Supporting Evidence - Tab 9

Control IT4.02
Activity #
Control The identity of users (both local and remote) is authenticated to the Windows environment through passwords or similar authentication mechanisms. Such mechanisms are in compliance with entity security policies. The use of
Activity passwords incorporates policies on periodic change, confidentiality, and password format (e.g., password length, alphanumeric content).
Test Steps 1) On [date], obtained a system generated listing of IDs in Active Directory from [Name, Title]. Noted [count] Active Directory user IDs, [count] of those are active IDs (excluding disabled, expired and locked out IDs);
2) Examined the listing noting [count] active IDs with "Password Never Expires" set to "Yes" meaning that users are not forced to change their passwords.
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Analysis of Users by Password Never Expires Setting:

Count Account ID Account Description Created On Account Locked? Account Account Expired? Password Never Issues Comments/ Issue Description
(Date) (Yes/No) Disabled? (Yes/No) Expires? Noted? *Note: for certain service account this setting might
*Exclude if lockout duration is set (Yes/No) *Please exclude (Yes/No) (Yes/ No) be appropriate
to 0 (forever). Otherwise *Please exclude expired IDs *Please exclude those
(temporary lock) leave for further disabled IDs set to "No"
analysis.
1
2
3
4
5
Total 0 0

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 49 of 70

000099Active Directory Audit - Supporting Evidence - Tab 10

Test Steps 1) On [date], obtained from [Name, Title] a system generated listing of IDs in Active Directory. Noted [count] Active Directory user IDs, [count] of those are active IDs (excluding disabled, expired and locked out IDs);
2) Examined the listing by "Last password Change Date" field noting [count] users that did not change their passwords in [password change interval] days or over as required by [entity's] password policy.
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Analysis of Users by Last Password Change Date:

Count Report Account ID Account Description Account Account Locked? Account Account Password Last Number of Days Since Last Issues Comments/ Issue Description
Date Created On (Yes/No) Disabled? Expired? Changed On Password Change Noted? *Note: for certain service account this
(Date) *Exclude if lockout duration is set (Yes/No) (Yes/No) (Date, MM/DD/YY) (Yes/ No) setting might be appropriate
to 0 (forever). Otherwise *Please exclude *Please exclude
(temporary lock) leave for further disabled IDs expired IDs
analysis.
1 0
2 0
3 0
4 0
5 0
Total 0

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 50 of 70

000099Active Directory Audit - Supporting Evidence - Tab 11

Control IT4.04
Activity #
Control Use of privileged access within the Windows environment is limited to appropriate personnel.
Activity
Test Steps 1) On [date], obtained from [Name, Title] a system generated listing of users with privileged access in Active Directory;
2) Reviewed the listing with [Name, Title] on [date] for appropriateness to ensure only authorized users have such access;
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Personnel with privileged access:

Count User ID User Name Title Access Type Account Reason For Account Access Access Form Approved By Approval Approval- Access Access- Comments/ Issue
Created Creation Approved? Completed? (Name, Title) Granted Related Issues Appropriate? Related Description
On (Yes/No) (Yes/No) On Noted? (Yes/No) Issues
(Date) (Date) (Yes/No) Noted?
(Yes/No)
Complete for privileged users with access granted during the period of intended reliance. N/A for older
accounts.

1
2

Total 0 0 0 0 0

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 51 of 70

000099Active Directory Audit - Supporting Evidence - Tab 12a

Control IT4.05
Activity #
Control The Windows environment is configured and activated to record and report security events (such as security violation reports, unauthorized attempts to access information resources) as defined in information security policies; reports
Activity generated are regularly reviewed and necessary action taken.
Test 1) Obtained from [Name, Title] on [Date] domain controller audit policy settings
Steps 2) Examined audit policy settings against [Entity]'s documented policies or established procedures to ensure that audit policy settings are in compliance with the policy or established procedure
3) Please refer to testing table below for details.
Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]
Results

Domain Controller Policy Settings (Local Policy) - Audit Policy Settings

Note: In Windows 200x* domains, each domain controller can have different "local policy" settings. The domain controllers usually inherit the same "local policy" settings by belonging to one Organizational Unit (e.g. Domain Controllers) to which the same policies apply.
However, by having domain controllers, for example, in different Organizational Units, different "local policies" can be applied to domain controllers.

Audit Features: The auditing features can be used to record details of user and other activities in audit logs. This information enhances security by providing you with a powerful detective control and a historical analysis tool. The audit logs can be viewed via Event Viewer.
Audit policy settings on a Windows 200x* domain controller apply to the specific machine (domain controller) where the policy is effective.

Count Audit Policy Audit Policy Description Recommended Audited Events Audit Policy Issues Comments/ Issue Description
Minimums (Indicate if audit records are Requirement Noted?
logged for successful, failed, (Per documented (Yes/ No)
or both events) procedure)
1 Audit Account Account Logon Events - These events provide tracking information for activities such as logons of service Success, Failure
Logon Events accounts and the authentication of service accounts in Windows 200x*. This will audit each time a user is
logging on or off from another computer in which the computer performing the auditing is used to validate the
account.
2 Audit Account Account Management Events - Logs an event when, for example: Success, Failure
Management • A user account or group is created, changed, or deleted;
• A user account is renamed, disabled, or enabled; or
• A password is set or changed.
3 Audit Directory Directory Service Access Events - These events provide tracking information for activities in the Active Success, Failure
Service Access Directory (e.g. changing an object’s properties and settings) in Windows 200x* domains. (on domain
controllers only)
4 Audit Logon Logon and Logoff Events - This will audit each event that is related to a user logging on to, logging off from, or Success, Failure
Events making a network connection to the computer configured to audit logon events.
5 Audit Object Object Access Events - This will audit each event when a user accesses an object. Objects include files, Failure
Access folders, printers, Registry keys, and Active Directory objects. Logs an event when, for example, a user:
• Accesses a directory or a file that is flagged for auditing; or
• A user sends a print job to a printer that is flagged for auditing.
6 Audit Policy Policy Changes Events - This will audit each event that is related to a change to one of the three “policy” areas Success, Failure
Change on a computer. These policy areas include:
• User Rights Assignment
• Audit Policies
• Trust relationships
7 Audit Privilege Privilege Use Events - This will audit each event that is related to a user performing a task that is controlled by Failure
Use a user right (except for those rights related to logon and logoff).
8 Audit Process Process Tracking Events - These events provide detailed tracking information for events such as program None
Tracking activation, some forms of handle duplication, indirect object accesses, and process exit.
9 Audit System System Events - Logs an event when, for example: Success, Failure
Events • A user restarts or shuts down the computer; or
• An event that affects the system security or security log occurs.

00-049© Confidential Copyrighted Material. May Not be Reproduced or Distributed. Page 52 of 70

000099Active Directory Audit - Supporting Evidence - Tab 12b

Control IT4.05
Activity #
Control The Windows environment is configured and activated to record and report security events (such as security violation reports, unauthorized attempts to access information resources) as defined in information security policies; reports
Activity generated are regularly reviewed and necessary action taken.
Test Steps 1) Obtained from [Name, Title] on [Date] domain controller event log settings
2) Examined event log settings against [Entity]'s documented policies or established procedures to ensure that event log settings are in compliance with the policy or established procedure
3) Please refer to testing table below for details.
Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]
Results

Domain Controller Policy Settings (Local Policy) - Event Log Settings

Note: In Windows 200x* domains, each domain controller can have different "local policy" settings. The domain controllers usually inherit the same "local policy" settings by belonging to one Organizational Unit (e.g. Domain Controllers) to which the same policies
apply. However, by having domain controllers, for example, in different Organizational Units, different "local policies" can be applied to domain controllers.

Event Logs Features: Event logs contain all events logged by the system auditing controls (audit policy) and can help identify sources of system problems or problems with software. Windows 200x* event logs:
• Application log - The application log contains events logged for programs/applications.
• Security log - Contains valid and invalid logon attempts as well as events related to resource use, such as creating, opening, or deleting files or other objects.
• System log - Contains events logged by the Windows 200x* system components (i.e., failure of a driver or other system component to load during start up); logged events are predetermined by Windows 200x*.
Count Event Log Policy Event Log Policy Description Recommended Default Actual Event Log Issues Comments/ Issue Description
Event Log Event Log Event Log Requirement Noted?
Setting Value Setting Policy (Per documented (Yes/ No)
Value procedure)

1 Maximum Application Log The Log Size is in Kilobytes >10 MB 512

Size
2 Maximum Security Log Size The Log Size is in Kilobytes >10 MB 512
3 Maximum System Log Size The Log Size is in Kilobytes >10 MB 512
4 Restrict Guest Access to It is a good practice to enable this feature as it minimizes the risks of unauthorized persons getting Enabled Enabled
Application Log read access to logs.
5 Restrict Guest Access to It is a good practice to enable this feature as it minimizes the risks of unauthorized persons getting Enabled Enabled
Security Log read access to logs.
6 Restrict Guest Access to It is a good practice to enable this feature as it minimizes the risks of unauthorized persons getting Enabled Enabled
System Log read access to logs.
7 Retain Application Log When the Log Size Limit is reached the Retention Method for Logs defines the action that will be >14 days 7
8 Retain Security Log taken: >14 days 7
9 Retain System Log • Overwrite events as needed (As needed) - the log will not be archived. This option is a good choice >14 days 7
for low-maintenance systems
10 Retention Method for By Days By Days
• Overwrite events older than & Retain Log (in days) - the number of days the log is archived at
Application Log
scheduled intervals (minimizes the chance of losing important log entries & keeps log sizes
11 Retention Method for reasonable) By Days By Days
Security Log • Do not overwrite events (Manually) - events remain in the log until cleared manually; new events
12 Retention Method for are discarded when maximum log size is reached. By Days By Days
System Log • Overwrite events as needed (As needed) or Do not overwrite events (Manually) makes Retain Log
(in days) option unavailable (N/A).
13 Shutdown Computer when The Shut down when Security Log is Full option ensures that no auditable activities, including security Disabled Disabled
Security Log is Full violations, occur while the system is unable to log them. This option should be used at the discretion
of Management, as the system will automatically shutdown when the security log is full.

000099Active Directory Audit - Supporting Evidence - Tab 13

Control IT4.06
Activity #
Control Security settings are appropriately configured to prevent unauthorized or inappropriate use of the Windows environment supporting financial systems. Configuration options are documented and management reviews and approves
Activity changes to security configuration settings.
Test Steps 1) Obtained from [Name, Title] on [Date] domain and domain controller security option settings
2) Examined security option settings against [Entity]'s documented policies or established procedures to ensure that security option settings are in compliance with the policy or established procedure
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Domain & Domain Controller Policy Settings (Local Policy) - Security Option Settings
Note: In Windows 200x* domains, each domain controller can have different "local policy" settings. The domain controllers usually inherit the same "local policy" settings by belonging to one Organizational Unit (e.g. Domain Controllers) to which the same policies apply.
However, by having domain controllers, for example, in different Organizational Units, different "local policies" can be applied to domain controllers.

Security Option Settings Features: The correct Security Option settings will enhance security, auditing and management. Enabling some of these policies can strengthen security but undermine the performance, operational ease of use, or connectivity with clients using
third party or earlier versions of authentication protocols. On the other hand, enabling others, will decrease security, but enhance performance, functionality, and connectivity.
Count Security Option Policy Security Option Policy Description Leading Practices Actual Policy Requirement Issues Comments/ Issue Description
Value (Per documented Noted?
procedure) (Yes/ No)
1 Allow server operators Determines if Server Operators are allowed to submit jobs by means of the AT schedule facility. By default, you must Disabled
to schedule tasks be an administrator in order to submit jobs by means of the AT scheduler. Enabling this security policy setting allows
members of the Server Operators group to submit AT schedule jobs on Domain Controllers without having to make
them Administrators. This policy is not defined by default.
2 Allow system to be Determines whether a computer can be shut down without having to log on to Windows. When this policy is enabled, Disabled
shut down without the Shut Down command is available on the Windows logon screen. When this policy is disabled, the option to shut
having to log on down the computer does not appear on the Windows logon screen. In this case, users must be able to log on to the
computer successfully and have the Shut down the system user right in order to perform a system shutdown. By
default, this option is enabled on workstations and disabled on servers in Local Computer Policy.
3 Clear virtual memory A paging file is a system file, so it cannot be encrypted. The file system security for paging files prevents any user Enabled
page file when system from gaining access to and reading these files, and these security settings cannot be changed. However, someone
shuts down other than the authorized user might start the computer under a different operating system to read a Windows 2000
paging file. To prevent others from reading the contents of paging files that might contain plaintext of encrypted files,
enabling this option will clear the paging files every time the computer shuts down.
4 Disable By default, users are required to press CTRL+ALT+DEL before logging on. This is because programs can be Disabled
CRTL+ALT+DEL designed to appear as a logon screen and collect account passwords. By pressing CTRL+ALT+DEL these programs
requirement for logon can be foiled. Disabling CRTL+ALT+DEL is a potential security risk.
5 Do not display last user By default, Windows 2000 places the username of the last user to log on the computer in the Username text box of Enabled
name in logon screen the Logon dialog box. This makes it more convenient for the most frequent user to log on. To help keep usernames
secret, you can enable this option. This is especially useful if a computer that is generally accessible is being used, for
example, for the (renamed) built-in Administrator account.
6 Prevent system Determines whether the computer account password should be prevented from being reset every week. As a part of Disabled
maintenance of Windows 2000 security, computer account passwords are changed automatically every seven days. If this policy is
computer account enabled, the machine is prevented from requesting a weekly password change. If this policy is disabled, a new
password password for the computer account will be generated every week. This policy is defined by default in Local Computer
Policy where it is disabled by default.
7 Recovery Console: By default, the Recovery Console requires you to provide the password for the Administrator account before Disabled
Allow automatic accessing the system. If this option is set, the Recovery Console does not require you to provide a password and will
administrative logon automatically log on to the system. Activating this policy eliminates a security barrier used to protect your computer
against intruders. You should only enable this policy on systems that have controlled access to the console, such as
those in rooms that can be locked.
8 Recovery Console: This policy allows a floppy/stiffy drive copy and access to all drives and all folders during a Recovery Console session Disabled
Allow floppy copy and (a text-mode command interpreter that allows the system administrator to gain access to the hard disk of a computer
access to all drives and running Windows 2000, regardless of the file format used, for basic troubleshooting and system maintenance).
all folders
9 Send unencrypted If this policy is enabled, the Server Message Block (SMB) redirector is allowed to send clear-text passwords to non- Disabled
password to connect to Microsoft SMB servers which do not support password encryption during authentication. By default, this option is
third-party SMB disabled. This setting can weaken the overall security of an environment and should only be used after careful
servers consideration of the consequences of plain text passwords in your specific environment.

000099Active Directory Audit - Supporting Evidence - Tab 13

Count Security Option Policy Security Option Policy Description Leading Practices Actual Policy Requirement Issues Comments/ Issue Description
Value (Per documented Noted?
procedure) (Yes/ No)
10 Strengthen default Determines the strength of the default discretionary access control list (DACL) for objects. Windows 2000 maintains a Enabled
permissions of global global list of shared system resources such as DOS device names, mutexes, and semaphores. In this way, objects
system objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who
can access the objects with what permissions. If this policy is enabled, the default DACL is stronger, allowing non-
admin users to read shared objects, but not modify shared objects that they did not create. By default, this option is
enabled.
11 Access this Computer Allows a user to connect to the computer from the network. By default, this right is assigned to Administrators, Initially granted to
from the Network Everyone, and Power Users. Administrators,
Everyone and
Power Users.
Restrict as required.
12 Act as part of the Allows a process to authenticate like a user and thus gain access to the same resources as a user. Only low-level Grant to no one
operating system authentication services should require this privilege. Note that potential access is not limited to what is associated with unless there are
the user by default; the calling process might request that arbitrary additional privileges be added to the access token. necessary
Note that the calling process can also build an anonymous token that does not provide a primary identity for tracking service/application
events in the audit log. When a service requires this privilege, configure the service to use the LocalSystem account accounts that
(which already includes the privilege), rather than create a separate account and assign the privilege to it. require such
access.

13 Add workstations to Allows a user to add workstations to the domain. Adding a workstation to a domain enables the workstation to Authorized
the domain recognize the domain's user and global groups accounts. By default, members of a domain's Administrators and administrators
Account Operators groups have the right to add a workstation to a domain. This right cannot be taken away. They can
also grant this right to other users.
14 Change the system Allows the user to set the time for the internal clock of the computer. By default, this privilege is assigned to Authorized
time Administrators and Power Users. administrators
15 Force shutdown from a Allows a user to shut down a computer from a remote location on the network. (See also “Shut down the system” in Authorized
remote system this table.) By default, this privilege is assigned to Administrators. administrators
16 Generate security Allows a process to generate entries in the security log. The security log is used to trace unauthorized system access. Enabled
audits
17 Load and unload Allows a user to install and uninstall Plug and Play device drivers. This privilege does not apply to device drivers that Administrators
device drivers are not Plug and Play; these device drivers can be installed only by Administrators. Note that device drivers run as
trusted (highly privileged) programs; a user can abuse this privilege by installing hostile programs and giving them
destructive access to resources. By default, this privilege is assigned to Administrators.
18 Log on as a batch job Allows a user to log on by using a batch-queue facility. By default, this right is assigned to Administrators. Grant to no one
unless there are
necessary
service/application
accounts that
require such
access.

19 Log on as a service Allows a security principal to log on as a service. Services can be configured to run under the LocalSystem account, Grant to no one
which has a built-in right to log on as a service. Any service that runs under a separate account must be assigned the unless there are
right. By default, this right is not assigned to anyone. necessary
service/application
accounts that
require such
access.

20 Manage auditing and Allows a user to specify object access auditing options for individual resources such as files, Active Directory objects, Authorized
security log registry keys and other objects. Object access auditing is not actually performed unless you have enabled it in Audit administrators
Policy (under Security Settings, Local Policies). A user who has this privilege also can view and clear the security log
from Event Viewer. By default, this privilege is assigned to Administrators.
21 Shut down the system Allows a user to shut down the local computer. At domain level this applies to all domain controllers in the domain. Authorized
administrators
22 Take ownership of files Allows a user to take ownership of any securable object in the system, including Active Directory objects, files and Authorized
or other objects folders, printers, registry keys, processes, and threads. At domain level this applies to all domain controllers in the administrators
domain.

000099Active Directory Audit - Supporting Evidence - Tab 14

Control IT4.07
Activity #
Control Users have a unique user identifier in order to distinguish one user from another and to establish accountability. Access to shared IDs is monitored by management.
Activity
Test Steps 1) On [date], obtained a system generated listing of IDs in Active Directory from [Name, Title]. Noted [count] Active Directory user IDs, [count] of those are active IDs (excluding disabled, expired and locked out IDs);
2) Examined the listing for shared/generic IDs, noting [count] accounts;
3) Obtained valid business rationale for their existence;
- Note: If it is not feasible to assess all generic accounts for appropriateness, use your attribute sampling guidelines to select an adequate sample of generic accounts for testing
4) Please refer to testing table below for details.
Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]
Results

List of shared/generic accounts defined in the domain:

Count Account Account Description Account Locked? Account Account Business Rationale Valid End User Access Restricted To Access Issues Comments/ Issue
Name (Yes/No) Disabled? Expired? Business Account? (Name/Title, if Appropriate? Noted? Description
*Exclude if lockout duration is set (Yes/No) (Yes/No) Reason (Yes/No) applicable) (Yes/No) (Yes/No)
to 0 (forever). Otherwise *Please exclude *Please Exists?
(temporary lock) leave for further disabled IDs exclude (Yes/No)
analysis. expired IDs
1
2

Total 0 0

000099Active Directory Audit - Supporting Evidence - Tab 15

Control IT4.08
Activity #
Control Management authorizes the nature and extent of user access privileges. User access privileges are periodically reviewed by management to verify access privileges remain appropriate.
Activity
Test Steps 1) On [date], obtained a system generated listing of IDs in Active Directory from [Name, Title]. Noted [count] user IDs in Active Directory;
2) Examined the listing of accounts in Active Directory noting [count] accounts that have been created during the period of intended reliance (between [date] and [date]).
3) Following [entity]'s sampling guidelines, selected [count] newly created accounts for detailed testing to confirm user access was authorized by management before access was granted.
4) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of user IDs created in Active Directory over the period of intended reliance:
Count User ID User Name Access Type Creation Date Selected for Reason For Account Access Access Form Approved By Approved by Approval Issues Comments/ Issue
*Remove user IDs Detailed Creation Approved? Completed? (Name, Title) Authorized Granted On Noted? Description
created prior to the Testing? (Yes/No) (Yes/No) Manager? (Date) (Yes/No)
period of intended (Yes/No) (Yes/No)
reliance
Complete for users selected for detailed testing in Column "F". N/A for remaining accounts.

1
2

Total 0 0 0 0 0 0

000099Active Directory Audit - Supporting Evidence - Tab 16

Control IT4.09
Activity #
Control Procedures are in place to ensure that the security administrator is notified of employees who have changed roles and responsibilities, transferred, or been terminated. Access privileges of such employees are immediately changed to
Activity reflect their new status.
Test Steps 1) On [date], obtained a system generated listing of IDs in Active Directory from [Name, Title]. Noted [count] active accounts (excluding disabled, expired and locked out IDs).
2) To test, obtained an HR listing of terminations over the period of intended reliance (between [date] and [date]) from [name, title] on [date]. Per comparison with the Active Directory user listing, noted [count] accounts that belong to the terminated
employees.
- Alternatively, obtain a listing of current employees to compare with the user listing of users in Active Directory. Anyone with access to Active Directory but not on the listing of current employees should be investigated.
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of terminated employees with active accounts in Active Directory:

Count Employee Employee Name Employee Employee Termination Employee Corresponding Account Description Account Locked? Account Account Issues Comments/ Issue
ID Type Status Date Re-Hired? Account Name in (Yes/No) Disabled? Expired? Noted? Description
(Yes/No) Active Directory *Exclude if lockout duration is (Yes/No) (Yes/No) (Yes/No)
set to 0 (forever). Otherwise *Please exclude *Please exclude
(temporary lock) leave for disabled IDs expired IDs
further analysis.
1
2

Total 0

000099Active Directory Audit - Supporting Evidence - Tab 17

Control IT5.03
Activity #
Control Available service packs and patches are examined to determine applicability to the Windows environment. Procedures are in place to ensure that appropriate Windows security patches and fixes are applied to prevent exploitation of known
Activity security vulnerabilities. Compliance with such procedures is monitored by management.
Test Steps 1) On [date], obtained a listing of updates (service packs, security updates, patches and hot-fixes) released in response to the known security vulnerabilities from [i.e., microsoft.com, etc.]
2) Additionally, on [date] obtained a system generated listing of updates applied in the system from [Name, Title]
3) Examined the listing of updates released in response to the known security vulnerabilities against the listing of updates applied in the system noting [count] updates that have been released but not applied
4) Investigated to determine if valid business rationale exists for service packs, security updates, patches, and hot-fixes that have not been applied
5) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of Windows security patches and fixes released by Microsoft:

• Security Patch - A broadly released fix for a specific product, addressing a security vulnerability
• Critical Update - A broadly released fix for a specific problem, addressing a critical, non-security related bug
• Update - A broadly released fix for a specific problem, addressing a non-critical, non-security related bug
• Hotfix - A single package composed of one or more files used to address a problem in a product
• Update Rollup - A set of security patches, critical updates, updates, & hotfixes, released as a cumulative offering or targeted at a single product component
• Service Pack - A set of hotfixes, security patches, critical updates, & updates since the release of the product, including many resolved problems that have not been made available through other software updates

Count Update Service Description Vendor's Security Vulnerability Vulnerability’s Update Installed Installed By Justification For Updates Not Issues Comments/ Issue Description
Reference Pack (i.e., Addressed by the Update Severity as Applied in On (Name, Title) Applied in the System Noted?
Microsoft) Determined by the System? (Date) (Yes/No)
Severity Management (Yes/No)
Rating
1
2

Total 0 0

000099Active Directory Audit - Supporting Evidence - Tab 18

Control IT6.01
Activity #
Control A procedure, approved by management, is established to guide the acquisition, development, modification, and maintenance of network and communication software to establish consistency of development and
Activity maintenance activities within the entity.
Test Steps 1) On [date], obtained from [name, title] a listing of network and communication software acquired or developed between [date] and [date] (the period of intended reliance), noting [count] projects took place during that time
2) Per [entity]'s sampling guidance, haphazardly selected [count] of such acquisitions or development projects to confirm that [entity]'s methodology that guides the acquisition or development of network and communication software
has been followed
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of acquisition or development of network and communication software projects:

Count Project ID Project Description Completed/ Selected for Methodology Issues Comments/ Issue
Implemented On Detailed Appropriately Noted? Description
(Date) Testing? Followed? (Yes/No)
(Yes/No) (Yes/No)
Complete for projects selected for detailed testing in Column "F". N/A for remaining
projects.

1
2

Outline specific control points from

the entity's methodology that
guides the acquisition or
development of network and
communication software. Add
additional columns as necessary.

000099Active Directory Audit - Supporting Evidence - Tab 19

Control IT6.03
Activity #
Control Any acquisitions, development, modifications, or maintenance projects affecting Windows environment are approved by management prior to implementation.
Activity
Test Steps 1) On [date], obtained from [name, title] a listing of network and communication software acquired or developed between [date] and [date] (the period of intended reliance), noting [count] projects took place during that time
2) Per [entity]'s sampling guidance, haphazardly selected [count] of such acquisitions or development projects to confirm that projects were approved by authorized individuals prior to implementation
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of network and communication software acquisitions or development projects:

Count Project ID Project Description Completed/ Selected Project Approved Approved By Approved by Approved Prior to Issues Comments/ Issue Description
Implemented for Approved by On (Name, Title) Authorized Implementation? Noted?
On Detailed Management? (Date) Approver? (Yes/No) (Yes/ No)
(Date) Testing? (Yes/No) (Yes/No)
(Yes/No)
Complete for projects selected for detailed testing in Column "F". N/A for remaining projects.

1
2

Total 0 0 0 0 0

000099Active Directory Audit - Supporting Evidence - Tab 20

Control IT6.04
Activity #
Control A quality assurance function is established to independently confirm that the systems acquisition (for purchased Windows software) and/or system development (for in-house developed tools or when modifications to the purchased
Activity software are required) project follows the entity's defined procedures and standards. Recommendations from the QA function are appropriately addressed by management.
Test Steps 1) On [date], obtained from [name, title] a listing of network and communication software acquired or developed between [date] and [date] (the period of intended reliance), noting [count] projects took place during that time
2) Per [entity]'s sampling guidance, haphazardly selected [count] of such acquisitions or development projects to confirm that the Quality Assurance function confirmed that project followed the entity's defined procedures and standards
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of network and communication software acquisitions or development projects:

Count Project ID Project Description Completed/ Selected QA Assessment Assessment Performed By Problems Noted as Problems Problems Issues Comments/ Issue
Implemented for Assessment Performed On (Name, Title) Part of Communicated to Addressed/ Noted? Description
On Detailed Performed? (Date) Assessment? Management? Resolved? (Yes/ No)
(Date) Testing? (Yes/No) (Yes/No) (Yes/No) (Yes/No)
(Yes/No)
Complete for projects selected for detailed testing in Column "F". N/A for remaining projects.

1
2

Total 0 0 0 0 0 0

000099Active Directory Audit - Supporting Evidence - Tab 21

Control IT7.01
Activity #
Control Acquired, developed, and modified network and communication software is tested prior to implementation in accordance with test plans. Test cases and test results relevant to network and communication software acquisition,
Activity development, modification, and maintenance projects are prepared and are approved by appropriate business owners and/or management.
Test Steps 1) On [date], obtained from [name, title] a listing of network and communication software acquired or developed between [date] and [date] (the period of intended reliance), noting [count] projects took place during that time
2) Per [entity]'s sampling guidance, haphazardly selected [count] of such acquisitions or development projects to confirm that testing was appropriately performed prior to implementation
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of network and communication software acquisitions or development projects:

Count Project ID Project Description Completed/ Selected Testing Testing Tested By Test Results Approval Date Approved By Issues Comments/ Issue
Implemented for Performed? Performed On (Name, Title) Approved by (Name, Title) Noted? Description
On Detailed (Yes/No) (Date) Authorized (Yes/ No)
(Date) Testing? Approver?
(Yes/No) (Yes/No)
Complete for projects selected for detailed testing in Column "F". N/A for remaining projects.

1
2

Total 0 0 0 0

000099Active Directory Audit - Supporting Evidence - Tab 22

Control IT7.02
Activity #
Control Problems encountered during testing of acquired, developed, and modified network and communication software in Windows environment are documented; errors appropriately resolved.
Activity
Test Steps 1) On [date], obtained from [name, title] a listing of network and communication software acquired or developed between [date] and [date] (the period of intended reliance), noting [count] projects took place during that time
2) Per [entity]'s sampling guidance, haphazardly selected [count] of such acquisitions or development projects to confirm that testing was appropriately performed and that problems encountered during testing were followed up for correction and resolved
prior to implementation
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of network and communication software acquisitions or development projects:

Count Project ID Project Description Completed/ Selected Testing Testing Testing Performed By Problems Problems Successful Issues Comments/ Issue
Implemented for Performed? Performed On (Name, Title) Encountered Resolved? Test Noted? Description
On Detailed (Yes/No) (Date) During (Yes/No) Results? (Yes/No)
(Date) Testing? Testing? (Yes/No)
(Yes/No) (Yes/No)
Complete for projects selected for detailed testing in Column "F". N/A for remaining projects.

1
2

Total 0 0 0 0 0 0

000099Active Directory Audit - Supporting Evidence - Tab 23

Control IT7.04
Activity #
Control Network and communication software is tested by end-users (user acceptance testing). Such testing is performed in a protected environment separate from production before the acquired, developed, or modified programs or systems are
Activity implemented.
Test Steps 1) On [date], obtained from [name, title] a listing of network and communication software acquired or developed between [date] and [date] (the period of intended reliance), noting [count] projects took place during that time
2) Per [entity]'s sampling guidance, haphazardly selected [count] of such acquisitions or development projects to confirm that user acceptance testing was appropriately performed
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of network and communication software acquisitions or development projects:

Count Project ID Project Description Completed/ Selected User Testing Testing Performed By Problems Problems Successful Issues Comments/ Issue
Implemented On for Acceptance Performed (Name, Title) Encountered Resolved? End-Result? Noted? Description
(Date) Detailed Testing On During (Yes/No) (Yes/No) (Yes/ No)
Testing? Performed? (Date) Testing?
(Yes/No) (Yes/No) (Yes/No)
Complete for projects selected for detailed testing in Column "F". N/A for remaining projects.

1
2

Total 0 0 0 0 0 0

000099Active Directory Audit - Supporting Evidence - Tab 24

Control IT7.05
Activity #
Control Formal acceptance that testing has been satisfactorily completed and that user requirements have been met is obtained from the appropriate business owners and/or management before the acquired, developed, or modified programs or
Activity systems are implemented.
Test Steps 1) On [date], obtained from [name, title] a listing of network and communication software acquired or developed between [date] and [date] (the period of intended reliance), noting [count] projects took place during that time
2) Per [entity]'s sampling guidance, haphazardly selected [count] of such acquisitions or development projects to confirm that final approval that testing has been satisfactorily completed was obtained from appropriate business owner and/or management prior
to implementation
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of network and communication software acquisitions or development projects:

Count Project ID Project Description Completed/ Selected Testing Testing Successful Test Results Approval Approved By Implementation Issues Comments/ Issue
Implemented for Performed? Performed End-Result? Approved by Date (Name, Title) Approved by Noted? Description
On Detailed (Yes/No) On (Yes/No) Business Business Owner? (Yes/ No)
(Date) Testing? (Date) Owner? (Yes/No)
(Yes/No) (Yes/No)
Complete for projects selected for detailed testing in Column "F". N/A for remaining projects.

1
2

Total 0 0 0 0 0 0

000099Active Directory Audit - Supporting Evidence - Tab 25

Control IT7.07
Activity #
Control The business risks and impact of proposed network and communication software changes is assessed and reviewed by management before implementation. The results of this assessment are used when designing, staffing, and
Activity scheduling such implementation, in order to minimize disruptions to operations.
Test Steps 1) On [date], obtained from [name, title] a listing of network and communication software acquired or developed between [date] and [date] (the period of intended reliance), noting [count] projects took place during that time
2) Per [entity]'s sampling guidance, haphazardly selected [count] of such acquisitions or development projects to confirm that appropriate assessments of the risks and impact changes could represent are performed by management prior to implementation
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of network and communication software acquisitions or development projects:

Count Project ID Project Description Completed/ Selected Risk & Impact Assessment Assessment Performed By Assessment Assessment Results Assessment Issues Comments/ Issue
Implemented for Assessment Performed (Name, Title) Results Communicated To Results Noted? Description
On Detailed Performed? On Communicated to (Names, Titles) Communicated (Yes/ No)
(Date) Testing? (Yes/No) (Date) Affected Parties? On
(Yes/No) (Yes/No) (Date)
Complete for projects selected for detailed testing in Column "F". N/A for remaining projects.

1
2

Total 0 0 0 0

000099Active Directory Audit - Supporting Evidence - Tab 26

Control IT7.08
Activity #
Control A post implementation review is performed to establish whether the objectives for implementing the network and communication software changes have been met. Identified issues are brought to the attention of the business owner and to
Activity information systems management.
Test Steps 1) On [date], obtained from [name, title] a listing of network and communication software acquired or developed between [date] and [date] (the period of intended reliance), noting [count] projects took place during that time
2) Per [entity]'s sampling guidance, haphazardly selected [count] of such acquisitions or development projects to confirm that post implementation review was appropriately performed by management to ensure that objectives for implementing the network
and communication software changes were met
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of network and communication software acquisitions or development projects:

Count Project ID Project Description Completed/ Selected Post Assessment Assessment Performed By Problems Problems Objectives for Issues Comments/ Issue
Implemented On for Implementation Performed (Name, Title) Encountered Resolved? Implementation Noted? Description
(Date) Detailed Assessment On During (Yes/No) Met? (Yes/No)
Testing? Performed? (Date) Assessment? (Yes/No)
(Yes/No) (Yes/No) (Yes/No)
Complete for projects selected for detailed testing in Column "F". N/A for remaining projects.

1
2

Total 0 0 0 0 0 0

000099Active Directory Audit - Supporting Evidence - Tab 27

Control IT7.09
Activity #
Control Available vendor updates (service packs, patches, security updates, hot-fixes released by Microsoft) are examined to determine applicability to the Windows environment. Implementation of these updates are documented and approved by
Activity management to ensure that all changes to the production environment were documented, tested, and authorized.
Test Steps 1) On [date], obtained from [name, title] a system generated listing of updates (service packs, security updates, patches and hot-fixes) applied in the system between [date] and [date] (the period of intended reliance), noting [count] updates have been
implemented during that time
2) Per [entity]'s sampling guidance, haphazardly selected [count] of such updates to confirm that the implementations of service packs, security updates, patches and hot-fixes are appropriately documented, approved by management and tested
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of Windows service packs, patches, security updates, and hot-fixes released by Microsoft and applied in the system during the period of intended reliance:
Count Update Description Severity Selected for Update Approved? Update Update Approved By Update Update Update Tested By Problems Problems Successful Issues Comments/ Issue
Reference Rating Detailed (Yes/No) Approved (Name, Title) Tested? Tested (Name, Title) Encountered Resolved? End-Result? Noted? Description
Testing? On (Yes/No) On During (Yes/No) (Yes/No) (Yes/No)
(Yes/No) (Date) (Date) Testing?
(Yes/No)
Complete for updates selected for detailed testing in Column "F". N/A for remaining updates.
1
2

Total 0 0 0 0 0 0 0

000099Active Directory Audit - Supporting Evidence - Tab 28

Control IT8.01
Activity #
Control User and other requests for modifications to network and communication software, including upgrades, and changes, are documented and approved by management to verify that all changes were documented, tested, and authorized.
Activity
Test Steps 1) On [date], obtained from [name, title] a listing of changes to the network and communication software between [date] and [date] (the period of intended reliance), noting [count] changes have been made during that time
2) Per [entity]'s sampling guidance, haphazardly selected [count] of such changes/modifications to confirm that modifications to the network and communication software are documented, approved by management and tested prior to implementation
3) Please refer to testing table below for details.

Test [Exceptions Noted: describe exceptions.] or [No Exceptions Noted.]

Results

Listing of modifications to the network and communication software applied in the system during the period of intended reliance:
Count Change Change Completed/ Change Change Change Change Approved By Change Change Change Tested By Problems Problems Successful Issues Comments/ Issue
Reference Description Implemented Selected Approved? Approved (Name, Title) Tested? Tested (Name, Title) Encountered Resolved? End-Result? Noted? Description
On for (Yes/No) On (Yes/No) On During (Yes/No) (Yes/No) (Yes/No)
(Date) Detailed (Date) (Date) Testing?
Testing? (Yes/No)
(Yes/No)
Complete for updates selected for detailed testing in Column "F". N/A for remaining updates.

1
2

Total 0 0 0 0 0 0 0

MIDTERM EXAM - Attempt Review
67% (3)
MIDTERM EXAM - Attempt Review
12 pages
Security MCQ
100% (3)
Security MCQ
32 pages
Active Directory Infrastructure Assessment Template V1.0
100% (2)
Active Directory Infrastructure Assessment Template V1.0
93 pages
IA 1-4 IT General and Application Controls Table
100% (1)
IA 1-4 IT General and Application Controls Table
1 page
ITGC - IT Genral
100% (2)
ITGC - IT Genral
20 pages
CIS Controls v8 Mapping To SOC2!2!2023
No ratings yet
CIS Controls v8 Mapping To SOC2!2!2023
152 pages
Infrastructure Assessment Report Dec 2020
No ratings yet
Infrastructure Assessment Report Dec 2020
10 pages
ISO27k Router Security Audit Checklist 1
100% (1)
ISO27k Router Security Audit Checklist 1
8 pages
Infrastructure Audit Checklist
No ratings yet
Infrastructure Audit Checklist
3 pages
CIS Controls Initial Assessment Tool (V8.0a) : Instructions - Read Me First
No ratings yet
CIS Controls Initial Assessment Tool (V8.0a) : Instructions - Read Me First
21 pages
Firewall Audit Work Program
100% (1)
Firewall Audit Work Program
12 pages
Active Directory Migration Checklist
No ratings yet
Active Directory Migration Checklist
5 pages
Audit Logging and Monitoring Policy TEMPLATE V1
100% (1)
Audit Logging and Monitoring Policy TEMPLATE V1
3 pages
Active Directory Audit Checklist
75% (4)
Active Directory Audit Checklist
3 pages
Best Practices For Securing Active Directory
No ratings yet
Best Practices For Securing Active Directory
299 pages
Audit Program for Application Controls
No ratings yet
Audit Program for Application Controls
7 pages
Network Checklist Ver 2
No ratings yet
Network Checklist Ver 2
10 pages
Windows 2003 AD Security Baseline
No ratings yet
Windows 2003 AD Security Baseline
35 pages
Fixed Assets Internal Controls Checklist
0% (1)
Fixed Assets Internal Controls Checklist
2 pages
Cybersecurity Incident Playbook
No ratings yet
Cybersecurity Incident Playbook
14 pages
Best Practices For Securing Active Directory
50% (2)
Best Practices For Securing Active Directory
314 pages
EY Security Operations Centers Helping You Get Ahead of Cybercrime
100% (1)
EY Security Operations Centers Helping You Get Ahead of Cybercrime
20 pages
IT Password Policy - 2022
No ratings yet
IT Password Policy - 2022
9 pages
CIS Excel Compliance Overview
No ratings yet
CIS Excel Compliance Overview
5 pages
Cloud Security Policy Template
No ratings yet
Cloud Security Policy Template
4 pages
Iso 27001 Sample
100% (1)
Iso 27001 Sample
54 pages
Splunk For Monitoring and Auditing Active Directory
No ratings yet
Splunk For Monitoring and Auditing Active Directory
9 pages
Ransomware Response Guide
100% (1)
Ransomware Response Guide
4 pages
Defense in Depth Checklist Controls: 50 Easy-to-Implement Controls To Strengthen Your Security
No ratings yet
Defense in Depth Checklist Controls: 50 Easy-to-Implement Controls To Strengthen Your Security
8 pages
ISO 27001 Documentation - Secureframe
No ratings yet
ISO 27001 Documentation - Secureframe
1 page
Data Privacy and Protection Fundamentals
No ratings yet
Data Privacy and Protection Fundamentals
48 pages
IT Asset Management Guide
100% (1)
IT Asset Management Guide
5 pages
Active Directory IT Audit Checklist 1711870611
No ratings yet
Active Directory IT Audit Checklist 1711870611
5 pages
Best Practice Guide For Securing Active Directory Installations and Day-To-Day Operations - Part II
No ratings yet
Best Practice Guide For Securing Active Directory Installations and Day-To-Day Operations - Part II
126 pages
Active Directory Security Guide
100% (1)
Active Directory Security Guide
53 pages
Active Directory Audit Policies and Event Viewer 1685205906
No ratings yet
Active Directory Audit Policies and Event Viewer 1685205906
38 pages
Ultimate NIST CSF Checklist
100% (5)
Ultimate NIST CSF Checklist
19 pages
Privileged Access Management Best Practices
No ratings yet
Privileged Access Management Best Practices
7 pages
Cybersecurity Frameworks Guide
100% (1)
Cybersecurity Frameworks Guide
38 pages
Active Directory Security Audit Guide
No ratings yet
Active Directory Security Audit Guide
7 pages
Step-by-Step Guide Active Directory Migration From Windows Server 2008 R2 To Windows Server 2022
No ratings yet
Step-by-Step Guide Active Directory Migration From Windows Server 2008 R2 To Windows Server 2022
14 pages
Active Directory Services Audit - Document References
100% (1)
Active Directory Services Audit - Document References
7 pages
FINAL - Identity and Access Management Policy - ENG - 2
100% (1)
FINAL - Identity and Access Management Policy - ENG - 2
11 pages
Penetration Testing Report Template
100% (1)
Penetration Testing Report Template
3 pages
Active Directory Security Guide
No ratings yet
Active Directory Security Guide
88 pages
Information Security Lms PDF
No ratings yet
Information Security Lms PDF
6 pages
Active Directory Security Tips
No ratings yet
Active Directory Security Tips
3 pages
SOW Security
100% (2)
SOW Security
3 pages
Cyberark Privileged Access Management Solutions
100% (1)
Cyberark Privileged Access Management Solutions
13 pages
Best Practices Guide For IT Governance & Compliance
No ratings yet
Best Practices Guide For IT Governance & Compliance
14 pages
IT Audit Questionnaire
100% (1)
IT Audit Questionnaire
126 pages
Cloud Security Checklist
No ratings yet
Cloud Security Checklist
2 pages
Artificial Intelligence Security Policy
No ratings yet
Artificial Intelligence Security Policy
9 pages
Troubleshoot AD FS Issues in Azure Active Directory and Office 365
100% (1)
Troubleshoot AD FS Issues in Azure Active Directory and Office 365
16 pages
IT Security Architecture Guide
No ratings yet
IT Security Architecture Guide
41 pages
IT General Control Audit Work Program
No ratings yet
IT General Control Audit Work Program
7 pages
How To Audit Business Continuity Programs
No ratings yet
How To Audit Business Continuity Programs
4 pages
EY Global Information Security Survey-2018-19
No ratings yet
EY Global Information Security Survey-2018-19
36 pages
Active Directory Audit Guide
No ratings yet
Active Directory Audit Guide
1 page
FFIEC ITBooklet E-Banking
No ratings yet
FFIEC ITBooklet E-Banking
84 pages
PDF Lab Manual For Security Guide To Network Security
0% (1)
PDF Lab Manual For Security Guide To Network Security
3 pages
IT POLICY & Ethics
No ratings yet
IT POLICY & Ethics
71 pages
Presentation 1
No ratings yet
Presentation 1
37 pages
Appin Technology Lab (Network Security Courses)
No ratings yet
Appin Technology Lab (Network Security Courses)
21 pages
Ricoh Security Solutions Brochure
No ratings yet
Ricoh Security Solutions Brochure
18 pages
Audit For ActiveDirectory Windows 2008 Server
No ratings yet
Audit For ActiveDirectory Windows 2008 Server
17 pages
Chapter 10 - 1 - Operasi Sistem Informasi
No ratings yet
Chapter 10 - 1 - Operasi Sistem Informasi
28 pages
PIB Presentation - 28092020 PDF
No ratings yet
PIB Presentation - 28092020 PDF
55 pages
Pentest Report
No ratings yet
Pentest Report
63 pages
Fraudulent Emails Warning
No ratings yet
Fraudulent Emails Warning
18 pages
ISO 27001 Gap Analysis BPC
100% (1)
ISO 27001 Gap Analysis BPC
14 pages
Presentation On PIB 2020
No ratings yet
Presentation On PIB 2020
27 pages
CC7178 Cyber Security Management: Presenter: Kiran Kumar Shah
No ratings yet
CC7178 Cyber Security Management: Presenter: Kiran Kumar Shah
21 pages
Vulnerability Management Policy
No ratings yet
Vulnerability Management Policy
5 pages
Third-Party-Service Provider-Audit
No ratings yet
Third-Party-Service Provider-Audit
41 pages
SQL Server Audit Checklist
No ratings yet
SQL Server Audit Checklist
1 page
Vulnerability Assessment and Penetration Testing IJERTV10IS050111
No ratings yet
Vulnerability Assessment and Penetration Testing IJERTV10IS050111
6 pages
2018R - B Tech ESE Timetable - Nov 2021
No ratings yet
2018R - B Tech ESE Timetable - Nov 2021
13 pages
What Is Decision Support System? Explain The Components, Decision Making Phases and Analytical Models of DSS
No ratings yet
What Is Decision Support System? Explain The Components, Decision Making Phases and Analytical Models of DSS
4 pages
Active Directory Security Guide
No ratings yet
Active Directory Security Guide
2 pages
Lateral Movement Detection GPO Settings Cheat Sheet: Accounts, Users and Groups
100% (1)
Lateral Movement Detection GPO Settings Cheat Sheet: Accounts, Users and Groups
1 page
A Cybersecurity Culture Framework and Its Impact On Zimbabwean Organizations
No ratings yet
A Cybersecurity Culture Framework and Its Impact On Zimbabwean Organizations
19 pages
Elements SAP Authorization Concept
No ratings yet
Elements SAP Authorization Concept
7 pages
Identity and Access Management Policy 1714758366
No ratings yet
Identity and Access Management Policy 1714758366
6 pages
AD Privileged Audit - ps1
No ratings yet
AD Privileged Audit - ps1
24 pages
Active Directory Disaster Recovery - GPO Restore
No ratings yet
Active Directory Disaster Recovery - GPO Restore
11 pages
QF 01 Rev18 Questionaire For Offer Preparation Updated - 637796734931738402
No ratings yet
QF 01 Rev18 Questionaire For Offer Preparation Updated - 637796734931738402
6 pages
Windows Server 2012 R2 Hardening Checklist - IsO - Information Security Office - UT Austin Wikis
100% (1)
Windows Server 2012 R2 Hardening Checklist - IsO - Information Security Office - UT Austin Wikis
7 pages
Authorization Concept Implementation
No ratings yet
Authorization Concept Implementation
16 pages
Penetration Testing Report: Date
No ratings yet
Penetration Testing Report: Date
9 pages
ISO27k ISMS Information Risk Management Process
No ratings yet
ISO27k ISMS Information Risk Management Process
2 pages
Healthcare Regulation Essentials
No ratings yet
Healthcare Regulation Essentials
5 pages
Critical Transaction & Critical Combination
No ratings yet
Critical Transaction & Critical Combination
6 pages
1 1+introduction+to+course
No ratings yet
1 1+introduction+to+course
6 pages
CH 7 IDS AC &amp Other Sec Tools
No ratings yet
CH 7 IDS AC &amp Other Sec Tools
46 pages
Case Study - Runing Config
No ratings yet
Case Study - Runing Config
4 pages
Câu hỏi và trả lời TACN
No ratings yet
Câu hỏi và trả lời TACN
3 pages
Encrypted Text Analysis
100% (1)
Encrypted Text Analysis
10 pages
6 Sem
No ratings yet
6 Sem
46 pages
A Detection of Cyber Attacks in IoT Systems
No ratings yet
A Detection of Cyber Attacks in IoT Systems
35 pages
(Ebook) CISSP For Dummies by Lawrence C. Miller, Peter H. Gregory ISBN 9781119210245, 1119210240 Instant Access 2025
No ratings yet
(Ebook) CISSP For Dummies by Lawrence C. Miller, Peter H. Gregory ISBN 9781119210245, 1119210240 Instant Access 2025
93 pages