When the integrity of the operating system is compromised, the controls built into individual applications can be compromised as well.
It is for this reason that the assessment of the operating system security controls is based on SOX compliance.
The auditor's objective is to determine whether access privileges are granted in a way that is fully consistent with the need to keep incompatible functions separate and fully in accordance with the policies in place within the enterprise.
An operating system security audit will involve:
- A full review of company procedures and policies for keeping incompatible functions separated and for ensuring that adequate security is in place
- A review of the privileges given to a cross section of users to determine if they have the correct access rights for their job description and for their positions in the enterprise. All individuals should be given access to programs and data strictly on a need-to-know basis
- A full review of personnel records to ensure privileged staff are put through a full security check that is compliant with enterprise policy
- A full review of employee records to check that all staff members have formally accepted their responsibility to maintain data confidentiality
- A review of the allowed log-on times – permission should be in accordance with the job that is being done
- Verify that every user is required to have a password
- Verify that all new staff members are fully informed of the need to use a password and of the policies surrounding password control
- A full review of the control procedures for ensuring that passwords are changed on a regular basis
- A full review of the password file to make sure that all weak passwords are found and then disallowed. Software may be used to scan for weak passwords
- Verification that password files are fully encrypted and the key is secure
- A review of the lockout procedures and policy. Most systems allow the administrator to define how many failed login attempts are permitted and what action is taken after that. The lockout duration must be specified, ranging from a minute or two right up to a complete lockout that requires reactivation
- A full review of the enterprise policies surrounding virus control and virus infection. The auditor will be looking to ensure that proper management policies are in place to stop destructive programs from being introduced to the system
- Verification that all employees have been fully educated on the subject of viruses and the damage they can cause to the system, and that they are fully aware of the risky practices that have the potential to introduce and spread malicious programs and viruses
- Verification that new software is fully tested first on a standalone machine before it is implemented across the board
- Verification that the firewalls and antivirus software are installed, are up to date and are updated on a regular basis
- Verification that operating system updates are covered under a policy and are applied on a specified basis
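As an added example (not part of the original checklist), the following script shows how an auditor can mechanise three of the items above: that every account has a password, that passwords expire on a regular basis, and that a lockout threshold and duration are configured. It assumes the Linux /etc/shadow field layout and the `deny` / `unlock_time` keys of pam_faillock's faillock.conf; the sample file contents and the 90-day policy value are constructed for illustration.

```python
"""Audit helpers for the password-file and lockout checklist items (added example)."""
import re

# Constructed sample in /etc/shadow layout:
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$saltsalt$abcdefghijklmnopqrstuvwxyz0123456789:19700:0:90:7:::
backup::19700:0:99999:7:::
svc_app:$1$oldmd5$0123456789abcdefghijk:18000:0:99999:7:::
nobody:*:19700:0:99999:7:::
alice:!:19700:0:90:7:::
"""

# Constructed sample of /etc/security/faillock.conf
SAMPLE_FAILLOCK = """\
# deny = 3
deny = 5
unlock_time = 600
"""

MAX_PASSWORD_AGE_DAYS = 90  # assumed enterprise policy value

def audit_shadow(text, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return (user, finding) tuples for accounts that violate password policy."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, pw_hash, max_days = fields[0], fields[1], fields[4]
        if pw_hash == "":
            findings.append((user, "empty password field: no password required"))
            continue
        if pw_hash.startswith(("*", "!")):
            continue  # locked or no-login account: nothing to audit
        if not pw_hash.startswith(("$5$", "$6$", "$y$")):  # sha256, sha512, yescrypt
            findings.append((user, "weak password hash algorithm"))
        if not max_days or int(max_days) > max_age:
            findings.append((user, "password max age missing or above policy"))
    return findings

def audit_faillock(text, max_deny=5, min_unlock=600):
    """Check that a lockout threshold and duration are explicitly configured."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"(\w+)\s*=\s*(\S+)", line.split("#", 1)[0].strip())
        if m:
            settings[m.group(1)] = m.group(2)
    findings = []
    deny = settings.get("deny")
    if deny is None or int(deny) == 0 or int(deny) > max_deny:
        findings.append("deny missing or too permissive")
    unlock = settings.get("unlock_time")
    if unlock is None:
        findings.append("unlock_time not configured")
    elif unlock not in ("0", "never") and int(unlock) < min_unlock:
        findings.append("unlock_time below policy minimum")  # 0/never = admin reset
    return findings
```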