You are on page 1of 12

Section 1 Security policy 1.1.1 1.1.2 3.1 3.1.1 3.1.

Sub section Information security policy Information security policy document Review and evaluation

2 Organisational Security 2.1 4.1 Information security infrastructure 2.1.1 4.1.1 Management information security forum 2.1.2 4.1.2 Information security coordination 2.1.3 4.1.3 Allocation of information security responsibilities 2.1.4 4.1.4 Authorisation process for information processing facilities 2.1.5 4.1.5 Specialist information security advise 2.1.6 2.1.7 2.2 2.2.1 4.1.6 4.1.7 4.2 4.2.1 Co-operation between organisations Independent review of information security Security of third party access Identification of risks from third party access

2.2.2 2.3 2.3.1

4.2.2 4.3 4.3.1

Security requirements in third party contracts Outsourcing Security requirements in outsourcing contracts

3 Asset classification and control 3.1 5.1 Accountability of assets 3.1.1 5.1.1 Inventory of assets 3.2 3.2.1 3.2.2 5.2 5.2.1 5.2.2 Information classification Classification guidelines Information labelling and handling

4 Personnel security 4.1 6.1 4.1.1 6.1.1 4.1.2 4.1.3 4.1.4 4.2 4.2.1 4.3 4.3.1 4.3.2 4.3.3 4.3.4 6.1.2 6.1.3 6.1.4 6.2 6.2.1 6.3 6.3.1 6.3.2 6.3.3 6.3.4

Security in job definition and Resourcing Including security in job responsibilities Personnel screening and policy Confidentiality agreements Terms and conditions of employment User training Information security education and training Responding to security incidents and malfunctions Reporting security incidents Reporting security weaknesses Reporting software malfunctions Learning from incidents



Disciplinary process

5 Physical and Environmental Security 5.1 7.1 Secure Area 5.1.1 7.1.1 Physical Security Perimeter 5.1.2 5.1.3 7.1.2 7.1.3 Physical entry Controls Securing Offices, rooms and facilities

5.1.4 5.1.5 5.2 5.2.1

7.1.4 7.1.5 7.2 7.2.1

Working in Secure Areas Isolated delivery and loading areas Equipment Security Equipment siting protection

5.2.2 5.2.3 5.2.4

7.2.2 7.2.3 7.2.4

Power Supplies Cabling Security Equipment Maintenance

5.2.5 5.2.6 5.3 5.3.1 5.3.2

7.2.5 7.2.6 7.3 7.3.1 7.3.2

Securing of equipment off-premises Secure disposal or re-use of equipment General Controls Clear Desk and clear screen policy Removal of property

6 Communications and Operations Management 6.1 8.1 Operational Procedure and responsibilities 6.1.1 8.1.1 Documented Operating procedures 6.1.2 6.1.3 8.1.2 8.1.3 Operational Change Control Incident management procedures



Segregation of duties

6.1.5 6.1.6

8.1.5 8.1.6

Separation of development and operational facilities External facilities management

6.2 6.2.1 6.2.2 6.3 6.3.1

8.2 8.2.1 8.2.2 8.3 8.3.1

System planning and acceptance Capacity Planning System acceptance Protection against malicious software Control against malicious software

6.4 6.4.1

8.4 8.4.1

Housekeeping Information back-up

6.4.2 6.4.3 6.5 6.5.1

8.4.2 8.4.3 8.5 8.5.1

Operator logs Fault Logging Network Management Network Controls

6.6 6.6.1 6.6.2

8.6 8.6.1 8.6.2

Media handling and Security Management of removable computer media Disposal of Media

6.6.3 6.6.4 6.7 6.7.1

8.6.3 8.6.4 8.7 8.7.1

Information handling procedures Security of system documentation Exchange of Information and software Information and software exchange agreement

6.7.2 6.7.3

8.7.2 8.7.3

Security of Media in transit Electronic Commerce security

6.7.4 6.7.5

8.7.4 8.7.5

Security of Electronic email Security of Electronic office systems



Publicly available systems



Other forms of information exchange

7 Access Control 7.1 9.1 7.1.1 9.1.1

Business Requirements for Access Control Access Control Policy

7.2 7.2.1 7.2.2 7.2.3 7.2.4 7.3 7.3.1 7.3.2 7.4 7.4.1

9.2 9.2.1 9.2.2 9.2.3 9.2.4 9.3 9.3.1 9.3.2 9.4 9.4.1

User Access Management User Registration Privilege Management User Password Management Review of user access rights User Responsibilities Password use Unattended user equipment Network Access Control Policy on use of network services

7.4.2 7.4.3 7.4.4 7.4.5 7.4.6 7.4.7 7.4.8 7.4.9 7.5 7.5.1 7.5.2 7.5.3

9.4.2 9.4.3 9.4.4 9.4.5 9.4.6 9.4.7 9.4.8 9.4.9 9.5 9.5.1 9.5.2 9.5.3

Enforced path User authentication for external connections Node Authentication Remote diagnostic port protection Segregation in networks Network connection protocols Network routing control Security of network services Operating system access control Automatic terminal identification Terminal log-on procedures User identification and authorisation

7.5.4 7.5.5 7.5.6 7.5.7 7.5.8

9.5.4 9.5.5 9.5.6 9.5.7 9.5.8

Password management system Use of system utilities Duress alarm to safeguard users Terminal time-out Limitation of connection time

7.6 7.6.1 7.6.2 7.7 7.7.1 7.7.2

9.6 9.6.1 9.6.2 9.7 9.7.1 9.7.2

Application Access Control Information access restriction Sensitive system isolation Monitoring system access and use Event logging Monitoring system use

7.7.3 7.8 7.8.1 7.8.2

9.7.3 9.8 9.8.1 9.8.2

Clock synchronisation Mobile computing and teleworking Mobile computing Teleworking

8 System development and maintenance 8.1 10.1 Security requirements of systems 8.1.1 10.1.1 Security requirements analysis and specification

8.2 8.2.1 8.2.2

10.2 Security in application systems 10.2.1 Input data validation 10.2.2 Control of internal processing

8.2.3 8.2.4 8.3 8.3.1 8.3.2 8.3.3 8.3.4 8.3.5 8.4 8.4.1 8.4.2 8.4.3 8.5 8.5.1 8.5.2 8.5.3

10.2.3 Message authentication 10.2.4 Output data validation 10.3 Cryptographic controls 10.3.1 Policy on use of cryptographic controls 10.3.2 Encryption 10.3.3 Digital Signatures 10.3.4 Non-repudiation services 10.3.5 Key management 10.4 10.4.1 10.4.2 10.4.3 10.5 10.5.1 10.5.2 Security of system files Control of operational software Protection of system test data Access Control to program source library Security in development and support process Change control procedures Technical review of operating system changes

10.5.3 Technical review of operating system changes

8.5.4 8.5.5

10.5.4 Covert channels and Trojan code 10.5.5 Outsourced software development

9 Business Continuity Management 9.1 11.1 Aspects of Business Continuity Management 9.1.1 11.1.1 Business continuity management process 9.1.2 11.1.2 Business continuity and impact analysis

9.1.3 9.1.4

11.1.3 Writing and implementing continuity plan 11.1.4 Business continuity planning framework


11.1.5 Testing, maintaining and re-assessing business continuity plan

10 Compliance 10.1 10.1.1 10.1.2

12.1 Compliance with legal requirements 12.1.1 Identification of applicable legislation 12.1.2 Intellectual property rights (IPR)

10.1.3 10.1.4 10.1.5 10.1.6 10.1.7 10.2 10.2.1 10.2.2 10.3 10.3.1 10.3.2

12.1.3 Safeguarding of organisational records 12.1.4 Data protection and privacy of personal information 12.1.5 Prevention of misuse of information processing facility 12.1.6 12.1.7 12.2 12.2.1 12.2.2 Regulation of cryptographic controls Collection of evidence Reviews of Security Policy and technical compliance Compliance with security policy Technical compliance checking

12.3 System audit considerations 12.3.1 System audit controls 12.3.2 Protection of system audit tools

Audit Question

Whether there exists an Information security policy, which is approved by the management, published and commitment and set out the to all Whether it states the management communicated as appropriate organisational approach to managing information security. Whether the Security policy has an owner, who is responsible for its maintenance process ensures that ato a defined review process. Whether the and review according review takes place in response to any changes affecting the basis of the original assessment, example: Whether there is a management forum to ensure there is a clear direction and visible management support of management Whether there is a cross-functional forum for security initiatives within representatives from relevant parts of the organisation to coordinate Whether responsibilities for the protection of individual assets and for carrying out specific security processes were clearly defined. for any Whether there is a management authorisation process in place new information processing facility. This should include allwhere Whether specialist information security advice is obtained new appropriate. A specific individual may be identified to co-ordinate in-house knowledge and experiences towith law consistency, and provide help in Whether appropriate contacts ensure enforcement authorities, regulatory bodies, information service providers and telecommunication Whether the implementation of security policy is reviewed independently on regular basis. This is to provide assurance that Whether risks from third party access are identified and appropriate security controls implemented. are identified, classified and reasons for Whether the types of accesses access are justified. with third party contractors working onsite was Whether security risks identified thereappropriate controls are implemented. Whether and is a formal contract containing, or referring to, all the security requirements to ensure compliance with the organisations Whether security requirements are addressed in the contract with the third contract should address how has legal requirements are to be met, The party, when the organisation the outsourced the management and how the security of the organisations assets are maintained and Whether an inventory or register is maintained with the important assets associated with each information system. security classification Whether each asset identified has an owner, the defined and agreed and the location identified. Whether there is an Information classification scheme or guideline in place; whichappropriate set of procedures are information information Whether an will assist in determining how the defined for is to be labelling and handling in accordance with the classification scheme

Whether security roles and responsibilities as laid in Organisations information security general responsibilities for implementing or This should include policy is documented where appropriate. maintaining security policy as well as specific responsibilities for at the Whether verification checks on permanent staff were carried out time should include character reference, confirmation of claimed This of job applications. academicemployees are asked to sign Confidentiality or non-disclosure Whether and professional qualifications and independent identity agreement asagreement covers the security of the information Whether this a part of their initial terms and conditions of the processing facility and organisation assets. Whether terms and conditions of the employment covers the employees responsibility for information security. Where appropriate, Whether all employees of the organisation and third party users (where relevant) receive appropriate Information Security training and regular Whether a formal reporting procedure exists, to report security incidents a formal appropriate management channels as quickly as to Whether through reporting procedure or guideline exists for users, report security weakness in, or threats to,report any software Whether procedures were established to systems or services. malfunctions. are mechanisms in place to enable the types, volumes Whether there and costs of incidents and malfunctions to be quantified and monitored.

Whether there is a formal disciplinary process in place for employees who have violated organisational security policies and procedures.

What physical border security facility has been implemented to protect the Information processing service. Some examples of such security facility are card control entry gate, walls, entry controls are in place to allow only authorised personnel into What manned reception etc., various areas within organisation. Information processing service, Whether the rooms, which have the are locked orInformation processing service is protected from natural Whether the have lockable cabinets or safes. and man-madeis any potential threat from neighbouring premises. Whether there disaster. The information is only on need to know basis. Whether there exists any security control for third parties or for personnel working in secure Whether the delivery area and information processing area are isolated from each other to avoid any unauthorised access. Whether a risk assessment was conducted to determine the security in such areas. Whether the equipment was located in appropriate place to minimise unnecessary items requiring special protection were isolated to reduce Whether the access into work areas. the general level of protection required. Whether controls were adopted to minimise risk from potential threats such as theft, fire, explosives, smoke, water, dist, vibration, chemical Whether there is a policy towards eating, drinking and smoking on in proximity environmental processingare monitored which would Whether to information conditions services. adverselythe equipment is protected from power failures by using Whether affect the information processing facilities. permanence power and telecommunications cable carrying data or Whether the of power supplies such as multiple feeds, uninterruptible supporting information services are protected fromin place for sensitive Whether there are any additional security controls interception or or critical the equipment is maintained as per the suppliers Whether information. recommended service intervals and specifications. Whether the maintenance is carried out only by authorised personnel. Whether logs are maintained with all suspected or actual faults and all preventive and corrective measures. Whether appropriate controls are implemented while sending equipment off premises. If the equipment is covered by insurance, whether the insurance requirements equipment usage outside an organisations premises for Whether any are satisfied. information processing has to be authorised by the management. the Whether the security provided for these equipments while outside premisesstoragepar withcontaining sensitive information are inside the Whether are on device or more than the security provided physically destroyed or securely over written. Whether automatic computer screen locking facility is enabled. This would lock the screen when the computerany confidential material in Whether employees are advised to leave is left unattended for a the form of paper documents, media etc., in a locked manner while Whether equipment, information or software can be taken offsite without appropriate authorisation. Whether spot checks or regular audits were conducted to detect unauthorised removal ofaware of these types of spot checks or regular Whether individuals are property. audits.

Whether the Security Policy has identified any Operating procedures such as Back-up, Equipment maintenance and used. Whether such procedures are documented etc., Whether all programs running on production systems are subject to strict change control i.e., any change to be change made to the Whether audit logs are maintained for any made to those production production programs. Whether an Incident Management procedure exist to handle security incidents. Whether the procedure addresses the incident management responsibilities, orderly and quick response to security incidents. Whether the procedure addresses different types of incidents ranging from denial of service toand logsof confidentiality etc., and ways to Whether the audit trails breach relating to the incidents are maintained and and areasaction taken in a are separated in order to Whether duties proactive of responsibility way that the incident doesnt reduce opportunities for unauthorised modification or misuse of

Whether the development and testing facilities are isolated from operational facilities. For example development software should run on Whether any of the Information processing facility is managed by external company associated with such management is identified in Whether the risks or contractor (third party). advance, necessary approvalthird party and appropriate and application Whether discussed with the is obtained from business controls were owners. Whether the capacity demands are monitored and projections of future capacity requirements are made. This RAM, CPU on critical servers. Example: Monitoring Hard disk space, is to ensure that adequate Whether System acceptance criteria are established for new information systems, upgrades and newprior to acceptance. Whether suitable tests were carried out versions. Whether there exists any control against malicious software usage. Whether the security policy does address software licensing issues such as prohibiting usage Procedure to verify all warning bulletins are Whether there exists any of unauthorised software. accurate Antivirus software is installed to the malicious software usage. Whether and informative with regards on the computers to check and isolate or this software viruses from updated on a regular basis to check Whether remove any signature is computer and media. any latestall the traffic originating from un-trusted network in to the Whether viruses. organisation is checked for viruses. Example: Checking for viruses on Whether Back-up of essential business information such as production server, critical network components, configurationFull Backup. were Example: Mon-Thu: Incremental Backup and Fri: backup etc., Whether the backup media along with the procedure to restore the backup are stored securely and regularly tested the actual that they Whether the backup media are well away from to ensure site. could be restored within the maintain a log of their the operationalas Whether Operational staffs time frame allotted in activities such name of the person, errors, checked on regular basis against the Whether Operator logs are corrective action etc., Operating procedures. Whether faults are reported and well managed. This includes corrective action being taken, review of the fault logs and checking the actions Whether effective operational controls such as separate network and system administration facilities were be established where of remote Whether responsibilities and procedures for management necessary. equipment, includingany special controlsareas were established. Whether there exist equipment in user to safeguard confidentiality and integrity of data processing over the public network and to protect Whether there exist a procedure for management of removable computerthe media that are no longer required are disposed off and Whether media such as tapes, disks, cassettes, memory cards securely and safely. Whether disposal of sensitive items are logged where necessary in order to maintain an audit trail. Whether there exists a procedure for handling the storage of information. Does this procedure address issues such as information Whether the system documentation is protected from unauthorised access. the access list for the system documentation is kept to Whether minimum and authorised by the application owner. Example: System Whether there exists any formal or informal agreement between the organisations for exchange of information and software. Whether the agreement does addresses the security issues based on the sensitivity of the media while being transported taken into account. Whether security of business information involved. Whether the media is well protected from unauthorised access, misuse or corruption. Whether Electronic commerce is well protected and controls implemented to protect against fraudulent activity, contract dispute and Whether Security controls such as Authentication, Authorisation are considered in the ECommerce arrangements between trading partners Whether electronic commerce environment. include a there is a policy in place for the acceptable use of electronic Whether documented agreement, which commits both parties to the mail or does security policy does address the isolating potentially to Whether controls such as antivirus checking, issues with regards unsafe attachments,Acceptable use policy to address theput inof Whether there is an spam control, anti relaying etc., are use place to Electronic office systems.

Whether there are any guidelines in place to effectively control the business there is any formalassociated with the electronic office Whether and security risks authorisation process in place for the information to be madecontrols in place toSuch asthe integrity of such Whether there are any publicly available. protect approval from informationinclude controls such as firewalls, Operating system This might publicly available from any unauthorised access. hardening, any are any policies, procedures or controls in place to Whether there Intrusion detection type of tools used to monitor the protect the exchange of information through the use of voice, facsimile Whether staffs are reminded to maintain the confidentiality of sensitive information while using such forms of information exchange facility. Whether the business requirements for access control have been defined and documented. policy does address the rules and rights for Whether the Access control each user or users and service providers were given a clear statement Whether the a group of user. of the business requirement to be met by access controls. Whether there is any formal user registration and de-registration procedure forallocation access to multi-user information systems and Whether the granting and use of any privileges in multi-user information system reallocation ofis restricted and controlled i.e., The allocation and environment passwords should be controlled through athe users are asked to sign a statement to keep the password Whether formal management process. confidential. exist a process to review user access rights at regular Whether there intervals. Example: Special privilege review every 3 months, normal Whether there are any guidelines in place to guide users in selecting and maintaining secure contractors are made aware of the security Whether the users and passwords. requirements and procedures for protecting unattended equipment, as Example: Logoff when session is finished or set up auto log off, terminate sessions when finished etc., Whether there exists a policy that does address concerns relating to networks and network accessed, Parts of network to be services such as: Authorisation services to determine who is allowed to do what, Procedures to protect the access to network connections and network services. there is any control that restricts the route between the user Whether terminal and the designated computer services the user is authorised Whether there exist any authentication mechanism for challenging external connections. Examples: Cryptography based technique, hardware tokens, software tokens, challenge/ response protocol etc., Whether connections to remote computer systems that are outside organisations securitydiagnostic ports are securely controlled i.e., Whether accesses to management are authenticated. Node protectedthe a security mechanism. partners and/ or third parties Whether by network (where business need access toexists any network connection control for perimeter Whether there information system) is segregated using shared networks thereextend beyond the control to ensure that computer Whether that exist any network organisational boundaries. Example: connections and information flows do not breach the access control Whether the routing controls are based on the positive source and destination identification mechanism. Example: Network Address does Whether the organisation, using public or private network service ensure that a clear description of security attributes of all services used Whether automatic terminal identification mechanism is used to authenticate connections. Whether access to information system is attainable only via a secure log-on a procedure in place for logging in to an information Whether there system. This is to minimise the opportunity of unauthorised access. Whether unique identifier is provided to every user such as operators, system administrators and all otheronly be supplied under exceptional The generic user accounts should staff including technical. circumstances where there is a clear business benefit. Additional Whether the authentication method used does substantiate the claimed identity ofthere exists a password management system that enforces only the Whether the user; commonly used method: Password various password controls such as: individual password for Whether the system utilities that comes with computer installations, but may override system and application is considered forcontrolled. might Whether provision of a duress alarm control is tightly users who be the target of coercion. areas should be configured to clear the Inactive terminal in public screen orthere downany restriction after a defined time for high-risk Whether shut exist automatically on connection period of inactivity. applications. This type of set up should be considered for sensitive

Whether access to application by various groups/ personnel within the organisation should be defined in the access control policy as per the Whether sensitive systems are provided with isolated computing environment such as running on a dedicated computer, share Whether audit logs recording exceptions and other security relevant events are produced and set up for monitoring the use assist in future Whether procedures are kept for an agreed period to of information processing facility. The procedure should ensure that the users are performing only the activities thatresults of the authorised.activities are reviewed regularly. Whether the are explicitly monitoring Whether the computer or communication device has the capability of operating a real time clock, it shouldclock is to an agreed ensure the The correct setting of the computer be set important to standard such accuracy of the audit logs. Whether a formal policy is adopted that takes into account the risks of working with computing arrangedsuch as notebooks, palmtops etc., Whether trainings were facilities for staff to use mobile computing facilities to raise their policy, procedure and/ or standardresulting from Whether there is any awareness on the additional risks to control teleworking activities, this should be consistent is in place against Whether suitable protection of teleworking site with organisations threats such as theft of equipment, unauthorised disclosure of Whether security requirements are incorporated as part of business requirement statementand new systems or forshould reflect business Security requirements for controls identified enhancement to existing value of information assets are completed prior to commencement of Whether risk assessments involved and the consequence from failure system development. Whether data input to application system is validated to ensure that it is correct and appropriate. as: Different type of inputs to check for error Whether the controls such messages, Procedures are responding to validation errors, defining Whether areas of risks for identified in the processing cycle and validationappropriate controls areIn some cases the data that has been Whether checks were included. identified for applications to mitigate fromcontrols will depend on nature of application and business impact The risks during internal processing. of any corruption of data. of security risk was carried out to determine if Whether an assessment Message authentication is required; and to identify most appropriate a technique used to detect unauthorised changes to, or corruptionof application system istransmitted electronic of, the contents of the validated to ensure Whether the data output that the processing of stored information is correct and appropriate to Whether there is a Policy in use of cryptographic controls for protection of information is in place. Whether a risk assessment was carried out to identify the level of protection the information should be given. to protect the data. Whether encryption techniques were used Whether assessments were conducted to analyse the sensitivity of the data and Digital signatures were used to protect the authenticity and Whether the level of protection needed. integrity of electronic documents. were used, where it might be Whether non-repudiation services necessaryDispute involving use of a digital signature on an electronic Example: to resolve disputes about occurrence or non-occurrence of payment or contract. Whether there is a management system is in place to support the organisations use of cryptographic techniques such as Secret key Whether the Key management system is based on agreed set of standards, procedures and secure methods. Whether there are any controls in place for the implementation of software on operational systems. This is to controlled. The use of Whether system test data is protected and minimise the risk of operational database containing personal information should be Whether strict controls are in place over access to program source libraries. This is to reduce the potential for corruption of computer Whether there are strict control procedures in place over implementationare changes or procedure in place to ensure is to Whether there of process to the information system. This application system is reviewed and tested after change in operating i.e., to install Periodically it is necessary to upgrade operating system system. service packs, patches,restrictions in place to limit changes to software Whether there are any hot fixes etc., packages. As far as possible the vendor supplied software packages should be used without modification. If changes are deemed essential the original

Whether there are controls in place to ensure that the covert channels and Trojan codescan expose information new or upgraded and obscure A covert channel are not introduced into by some indirect system. means. Trojan are controls in placeaffect outsourcing software. is not Whether there code is designed to over a system in a way that The points to be noted includes: Licensing arrangements, escrow arrangements, contractual requirement for quality assurance, testing Whether there is a managed process in place for developing and maintaininginclude Organisation throughout the organisation. regular This might business continuity wide Business continuity plan, testing and updating of the causeformulating and documenting a Whether events that could plan, interruptions to business process were identified example: equipment failure, flood and fire.impact of Whether a risk assessment was conducted to determine such interruptions. plan was developed based on the risk assessment Whether a strategy results to plans were an overall approach to business continuity.within Whether determine developed to restore business operations the required time frame following an and updated. failure to business Whether the plan is regularly tested interruption or Whether there is a single framework of Business continuity plan. Whether this framework is maintained to ensure that all plans are consistent and identify priorities for testing and maintenance. Whether this identifies conditions for activation and individuals responsible for executing each component of the plan. to ensure that Whether Business continuity plans are tested regularly they are up to date continuity plans were maintained by regular reviews Whether Business and effective. and updates to ensure their continuing effectiveness. Whether procedures were included within the organisations change management programme to ensure that Business continuity matters Whether all relevant statutory, regulatory and contractual requirements were explicitly defined andand individual for each information system. Whether specific controls documented responsibilities to meet these requirements were defined and documented. compliance with legal Whether there exist any procedures to ensure restrictions on use of material in respect of which there may be Whether the procedures are well implemented. Whether proprietary software products are supplied under a license agreement that limits the use of the products tois protected from loss Whether important records of the organisation specified machines. destruction andis a management structure and control in place to Whether there falsi function. protect data andinformationpersonal information.for any non-business Whether use of privacy of processing facilities or unauthorisedlog-on a warning message is presented on the Whether at the purpose, without management approval is treated as computerthe regulation of cryptographic control is entered is private and Whether screen indicating that the system being as per the sector and national agreement. involved in collecting the evidence is in Whether the process accordance with legal and industry best practise. Whether all areas within the organisation is considered for regular review to information systemswith security policy, standards and Whether ensure compliance were regularly checked for compliance with security implementation standards. is carried out by, or under the Whether the technical compliance check supervision of, competent, authorised persons. Whether audit requirements and activities involving checks on operational systems shouldaudit tools such as software or data files are Whether access to system be carefully planned and agreed to protected to prevent any possible misuse or compromise.