Microcomputer Security Internal Control Questionnaire

Last Modified Thursday, 05-Sep-1996 12:12:44 PDT

ACKNOWLEDGMENTS: Internal Audit Departments and individuals that contributed to this internal control questionnaire are listed at the bottom of this page. Contributions and comments would be greatly appreciated!

OBJECTIVE: To determine that there is accountability for computer system used and to ensure integrity of microcomputer-based programs and data.

  1. Is the computer equipment physically secured by being located in a secured area (no public access) or by the use of locking devices?

  2. Has the department analyzed and classified its data and files in terms of sensitivity or criticality?

  3. Does the department use access control software to establish access controls over its critical data and programs? If yes, what kind of software?

  4. Has the department established a formal procedure for adding individuals to the list of those authorized to access the system, changing their access capabilities, and deleting them from the list? Is this procedure followed on a consistent basis?

  5. Are user IDís and PASSWORDS required to access the system?

  6. Do the access controls only allow authorized persons access to the system?

  7. Do the access controls restrict access to only those resources needed to perform the job and provide varying access levels (i.e., on a need-to-know basis)?

  8. Are passwords uniquely assigned (not shared or no group passwords) to each authorized user?

  9. Are passwords kept confidential?

  10. Are passwords constructed in such a way that they are difficult to decipher or guess?

  11. Does the system require passwords to be at least 4 alpha/numeric characters in length?

  12. Does the system mask passwords from appearing/displaying on the screen or appearing when entered?

  13. Does the system force passwords to change on a regular basis (e.g., every 30 days or at least quarterly)?

  14. Does the system permit certain passwords to be re-used by the same individuals?

  15. Are passwords quickly and easily changed by the password owner or designated management personnel?

  16. Does the system allow the use of blanks for passwords?

  17. Does the system allow the use of the same password consecutively?

  18. Are passwords stored in an encrypted file?

  19. Does the access control software disable or disconnect terminals after a predetermined number of invalid/unsuccessful access attempts (e.g., 3 times) to the system?

  20. Does the access control software disable or disconnect terminals after a predetermined period of inactivity (e.g., 5 or 15 minutes)?

  21. Does the system maintain a log of system activities including unsuccessful access attempts to provide an audit trail of activity? If yes, is the log reviewed periodically? Are exception items investigated? Who perform these duties?

  22. Does the department use any programs to analyze system log and report on specifically defined security items? If yes, what programs and who control these programs?

  23. Are changes to the system log (if permitted) routinely documented and reviewed by an independent individual for propriety? Is the system log protected from accidental or intentional destruction?

  24. Has the department purchased any hardware/software in the past twelve months? If yes, what and when? Was the request approved by user management?

  25. Does the department have the original diskettes and documentation of each software package that is executed/installed on each computer?

  26. Does the department utilize any non-standard (e.g., in-house developed) software packages?

  27. Is access to powerful utilities or service aids that can alter data files and programs (i.e., allow programs or users to circumvent standard software protection) restricted (i.e., used only for authorized purposes)?

  28. Are all files, programs, and documentation need to operate the critical end user computing systems backed-up and maintained off-site? What is the location of the remote off-site facility? Is the facility properly secured?

  29. Does the department have an emergency preparedness/disaster recovery plan?


University of California, Santa Barbara (Internal Audit)
University of California, Santa Cruz (Internal Audit)

[ Home Page ] [ What's New? ] [ Auditing ] [ Security ] [ Technologies ] [ Control ]

For comments or problems, please e-mail
Slemo Warigon lonestar@rain.org
or call (805) 893-3817.
Copyright © 1996 The WariNet Haven