Application Audit-Checklist

| S.No. | Domain | Sub-Domain | Control Checkpoint |
|---|---|---|---|
| 1 | Asset Management | Inventory of assets | Are all system configurations properly documented? |
| 2 | Asset Management | Inventory of assets | Is the configuration document updated regularly, according to a fixed schedule? |
| 3 | Access Control | Access Control Policy | Are users and service providers given access only as per the access control matrix approved by the Business (where one exists)? |
| 4 | Access Control | Access Control Policy | Is there an access control policy (including remote access) that has been approved by management and communicated to users? |
| 5 | Access Control | User Access Management - User Registration | Is there a formal user registration and de-registration procedure for granting access to all information systems and services? |
| 6 | Access Control | User Access Management - User Registration | Is authorization from the information owner obtained before user access to the information system is assigned? |
| 7 | Access Control | User Access Management - Privilege Management | Is the allocation and use of privileges in the information system environment restricted and controlled, i.e. are privileges allocated on a need-to-use basis and only after a formal authorization process? |
| 8 | Access Control | User Access Management - Privilege Management | Are unique user IDs used for access to information systems such as servers, desktops and network devices? |
| 9 | Access Control | User Access Management - User Password Management | Is there a process to communicate the user ID and temporary password in a secure manner? Is the initial password unique to each user? |
| 10 | Access Control | Operating system access control - Secure log-on procedures | Are logon banners configured for all system access? Is access to the operating system controlled by a secure log-on procedure? |
| 11 | Access Control | Password Management System | Is there a password management system that enforces password controls such as individual passwords for accountability, forced password changes, storage of passwords in protected form (a salted one-way hash, never plaintext) and masking of passwords on screen? |
| 12 | Access Control | User Access Management - Review of user access rights | Is there a password vault for critical credentials (e.g. system master credentials) for use in an emergency? Is there an approval process for use of these credentials? Are the credentials rotated periodically, and are they changed after every checkout and use? |
| 13 | Access Control | User Access Management - Review of user access rights | Is there a process to review user access rights at regular intervals? |
| 14 | Access Control | User Access Management - Review of user access rights | Is the allocation and use of privileged access rights restricted and controlled (logged and reviewed)? |
| 15 | Access Control | Operating system access control - User identification and authentication | Is a unique identifier (user ID) provided to every user, including operators, system administrators and all other technical staff? |
| 16 | Access Control | Operating system access control - User identification and authentication | Are generic (shared) user accounts issued only under exceptional circumstances where there is a clear business benefit? |
| 17 | Access Control | Application access control - Error message handling | Upon logon failure, does the error message describe the cause of the failure to the user (invalid password, invalid user ID, etc.)? It should not: a single generic message for all failure causes prevents valid user IDs from being enumerated. |
| 18 | Access Control | Application access control - Login time stamp | Upon successful logon, does the portal display the date and time of the last successful logon? |
| 19 | Access Control | Application access control | Is two-factor authentication deployed for "high-risk" environments? |
| 20 | Access Control | Access control to program source code | Is access to program source code restricted? |
| 21 | Access Control | Application access control | Is there a process to temporarily disable or suspend access for users who are on temporary leave? |
| 22 | Access Control | Operating system access control - Use of system utilities | Is the use of system utilities (administrative and troubleshooting tools) restricted to authorized users only? |
| 23 | Access Control | Application access control - Session time-out | Are inactive sessions disconnected after a defined period of inactivity? |
| 24 | Access Control | Application access control | Are developers given read-only access for debugging? Are the release manager and developer roles segregated? |
| 25 | Access Control | Password Management System | Are strong passwords required on information systems? |
| 26 | Access Control | Password Management System | Are new users issued random, single-use initial passwords, with the user ID and password communicated via separate channels (e.g. e-mail and phone)? |
| 27 | Access Control | Communication security | Is access to the Organization's infrastructure from untrusted networks highly restricted and controlled to prevent unauthorized access? |
| 28 | Access Control | Communication security | Is two-factor authentication required for remote access such as VPN? |
| 29 | Asset Management | Inventory of assets | Are user devices configured to lock out the account after a defined number of failed logon attempts? Is there a defined time period after which locked-out accounts are unlocked? |
| 30 | Asset Management | Handling of assets | Is critical user data encrypted where required, based on the criticality of the data? |
| 31 | Asset Management | Management of removable media | If stored data must be retained for a long time, is it transferred to new or fresh media before the original media degrades? |
| 32 | Business Continuity Management | Business continuity risks | Are a Business Impact Analysis and a Business Continuity Risk Assessment done for the BU / Department / Concept / Corporate, taking RTO and RPO into consideration? |
| 33 | Business Continuity Management | Business continuity risks | Are business continuity plans tested regularly to ensure that they are up to date and effective? |
| 34 | Business Continuity Management | Business continuity risks | Are business continuity plans maintained through regular reviews and updates to ensure their continuing effectiveness? |
| 35 | Business Continuity Management | Verify, review and evaluate information security continuity | Has a third party evaluated the DR program in the past 12 months? |
| 36 | Business Continuity Management | Verify, review and evaluate information security continuity | Is there a DR test plan? |
| 37 | Business Continuity Management | Planning of information security continuity | Has an annual management review of the DR program been conducted for adequacy of resources (people, technology, facilities and funding)? |
| 38 | Business Continuity Management | Availability of information processing facilities | Is the disaster recovery site located in a different geographical location? |
| 39 | Business Continuity Management | Implementing information security continuity | Are incident response personnel identified, with the necessary responsibility, authority and competence to manage an incident, and is this communicated to the concerned personnel? |
| 40 | Business Continuity Management | Planning of information security continuity | Are detailed recovery procedures (applications, infrastructure components) documented for effective recovery of business applications? |
| 41 | Cloud Security | | Does the cloud hosting policy ensure that critical business records are maintained within India? |
| 42 | Cloud Security | | Does the policy cover security requirements for data and systems hosted on cloud services? |
| 43 | Cloud Security | | Do changes to cloud-based systems follow the change management policy? |
| 44 | Communication Security | Network security management - Network controls | Are appropriate network controls implemented to protect information in systems and information in transit? |
| 45 | Communication Security | Network security management - Security of network services | Are controls implemented to ensure the security of information in networks and the protection of connected services from threats such as unauthorized access? |
| 46 | Compliance | Information systems audit considerations - Protection of information systems audit tools | Are any information systems audit tools (e.g. software or data files) accessible to users in an unprotected area? |
| 47 | Compliance | Information systems audit considerations - Protection of information systems audit tools | Is access to information system audit tools such as software or data files protected to prevent possible misuse or compromise? |
| 48 | Compliance | Technical compliance review | Are information systems regularly reviewed for compliance with the organization's information security policies and standards? Has a network penetration test been conducted within the last 12 months? |
| 49 | Compliance with legal requirements | Identification of applicable legislation | Are all relevant statutory, regulatory and contractual requirements, and the organization's approach to meeting them, explicitly defined and documented for each information system and for the organization? |
| 50 | Compliance with legal requirements | Identification of applicable legislation | Are specific controls and individual responsibilities to meet these requirements defined and documented? |
| 51 | Cryptography | Policy on use of cryptographic controls | Are all passwords rendered unreadable during transmission and storage on all system components using strong cryptography (for Portals)? |
| 52 | Human resource security | Termination and change of employment - Removal of access rights | Are the access rights of all employees, contractors and third-party users to information and information processing facilities removed upon termination of their employment, contract or agreement, or adjusted upon change? |
| 53 | Information security in supplier relationships | Addressing security within supplier agreements - Service delivery | Is there a policy that addresses information security requirements for mitigating the risks associated with suppliers? |
| 54 | Information security in supplier relationships | Addressing security within supplier agreements | Are processes and procedures established for information security requirements for each type of vendor and type of access, based on the organization's business needs and risk profile? |
| 55 | Operations security | Change management | Are changes to the organisation's business processes, information processing facilities and systems that affect information security controlled? |
| 56 | Operations security | Capacity management | Is there a procedure for decommissioning applications, systems, databases, environments, etc.? |
| 57 | Operations security | Capacity management | Are capacity requirements monitored to ensure that adequate resources are available? |
| 58 | Operations security | Control against malware | Are anti-virus agents configured to scan all BO servers, store servers and store manager machines? |
| 59 | Operations security | Control against malware | Is the anti-virus software configured to scan all internet and e-mail traffic for viruses or mobile code? Is it configured to scan the system periodically? |
| 60 | Operations security | Control against malware | Are the anti-virus servers configured as per the latest secure configuration document (hardening policy)? |
| 61 | Operations security | Control against malware | Do critical changes to the anti-virus application and its configuration settings follow the organization's change management policy? |
| 62 | Operations security | Control against malware | Are incidents of anti-virus software not functioning, or virus outbreaks, reported to the appropriate team for remedial action? |
| 63 | Operations security | Control against malware | Do appropriate management procedures and responsibilities exist for reporting and recovering from virus attacks? |
| 64 | Operations security | Information backup | Is there a documented backup policy and procedure? |
| 65 | Operations security | Information backup | Is the backup schedule of business applications documented? |
| 66 | Operations security | Information backup | Is there a defined backup retention period to ensure that backup data is retained for the period necessary to satisfy business, regulatory and legal requirements? |
| 67 | Operations security | Information backup | Is the backup data encrypted? |
| 68 | Operations security | Information backup | Is backup media stored in a fire-resistant cabinet in line with OEM specifications and accessible only to authorized personnel? |
| 69 | Operations security | Information backup | Is all backup media properly labeled for identification and information classification? |
| 70 | Operations security | Information backup | Is a copy of the backup stored offsite for critical business applications? |
| 71 | Operations security | Information backup | Is media transported securely to the offsite location, and is it protected from unauthorized tampering or information disclosure during transport? |
| 72 | Operations security | Information backup | Is backup sent on external removable media? If yes, is there an NDA signed with the courier service, and is the data on the removable media encrypted? |
| 73 | Operations security | Information backup | Is backup media securely disposed of? |
| 74 | Operations security | Information backup | Is a tape movement register maintained to track the movement of backup media, i.e. incoming and outgoing tapes? |
| 75 | Operations security | Information backup | Are there procedures to review the backup tape inventory periodically? |
| 76 | Operations security | Information backup | If backup software is used to take data backups, are there security measures in place to protect the backup software? |
| 77 | Operations security | Information backup | Is access to the backup software and systems restricted to authorized personnel only? |
| 78 | Operations security | Information backup | Is recovery testing done periodically for critical systems where a synchronized data backup at the DR site is not available, to ensure that data can be recovered from the backup media? |
| 79 | Operations security | Information backup | How regularly are data restorations from backup performed, and at what frequency? |
| 80 | Operations security | Event logging | Are event logs enabled to record user activities, exceptions, faults and information security events, and are they retained and regularly reviewed (e.g. on access control devices)? |
| 81 | Operations security | Event logging | Are event logs enabled to record user activities, exceptions, faults and information security events, and are they retained and regularly reviewed, for all database servers? |
| 82 | Operations security | Event logging | Are event logs enabled to record user activities, exceptions, faults and information security events, and are they retained and regularly reviewed, for network devices? |
| 83 | Operations security | Protection of log information | Are logging facilities and log information on access control devices protected against tampering and unauthorized access? Are there mechanisms to detect and prevent: alterations to the message types that are recorded; log files being edited or deleted; the storage capacity of the log file media being exceeded? |
| 84 | Operations security | Administrator and operator logs | Are all activities carried out by system administrators and system operators on critical systems logged and protected? |
| 85 | Operations security | Administrator and operator logs | Are all activities carried out by system administrators and system operators on critical systems reviewed on a regular basis? |
| 86 | Operations security | Administrator and operator logs | Do logs include the following information: the time at which an event (success or failure) occurred; information about the event; which account and which administrator or operator was involved? |
| 87 | Operations security | Separation of development, testing and operational environments | Are all critical changes to operational systems and applications tested in a testing or staging environment before being applied to operational systems? |
| 88 | Operations security | Separation of development, testing and operational environments | Is there a defined process for moving source code from the development and test environments to production? |
| 89 | Operations security | Change management | Does the change management process require identification and recording of significant changes? |
| 90 | Operations security | Change management | Does the change management process include planning and testing of changes? |
| 91 | Operations security | Change management | Does the change management process assess the potential impacts, including information security impacts, of such changes? |
| 92 | Operations security | Change management | Does the change management process follow a formal approval procedure for proposed changes? |
| 93 | Operations security | Change management | Does the change management process verify that information security requirements have been met? |
| 94 | Operations security | Change management | Are change details communicated to all relevant persons? |
| 95 | Operations security | Change management | Are there fallback procedures, including procedures and responsibilities for aborting and recovering from unsuccessful changes and unforeseen events? |
| 96 | Operations security | Change management | Is there an emergency change process to enable quick and controlled implementation of changes? |
| 97 | Operations security | Change management | Are all changes to any system, service, infrastructure and physical location facilities controlled? |
| 98 | Operations security | Change management | Are procedures included within the organisation's change management programme to ensure that business continuity matters are appropriately addressed? |
| 99 | Operations security | Installation of software on operational systems | Are version control methods implemented for any changes or modifications to software? |
| 100 | Operations security | Separation of development, testing and operational environments | Is the testing of security functionality carried out during development? |
| 101 | Operations security | Management of technical vulnerabilities | Are timelines defined for reacting to notifications of potentially relevant technical vulnerabilities? |
| 102 | Operations security | Management of technical vulnerabilities | Are the risks relating to known vulnerabilities evaluated, and are appropriate detective and corrective actions defined? |
| 103 | Operations security | Restrictions on software installation | Is a list maintained of the software (or types of software) permitted to be installed on desktops, laptops or servers? |
| 104 | Organization of information security | Segregation of duties | Is authorization required for an individual to access, modify or use the <> information asset? |
| 105 | Organization of information security | Segregation of duties | Is the person's activity monitored, or are audit trails or logs maintained, while accessing the <> information asset? |
| 106 | Physical Access and Environmental controls | Secure areas | Are there sufficient controls in place for physical protection against damage from fire, earthquake, explosion, civil unrest and other forms of natural or man-made disaster? |
| 107 | Physical Access and Environmental controls | Secure areas | Are security perimeters defined and used to protect areas that contain sensitive or critical information processing facilities? |
| 108 | Physical Access and Environmental controls | Securing offices, rooms and facilities | Are smoke detectors and fire alarms installed at the DC? Do they undergo periodic preventive maintenance? |
| 109 | Physical Access and Environmental controls | Securing offices, rooms and facilities | Are fire extinguishers installed at easily visible and accessible locations? Are they adequate in number for the area to be covered? |
| 110 | Physical Access and Environmental controls | Secure areas | Are the physical security personnel trained in the use of fire extinguishers and basic first aid? |
| 111 | Physical Access and Environmental controls | Secure areas | Are mock fire evacuation drills / emergency evacuation drills conducted? |
| 112 | Physical Access and Environmental controls | Secure areas | Are emergency telephone numbers (ambulance, hospital, police station, fire brigade) posted at critical locations? |
| 113 | Physical Access and Environmental controls | Working in secure areas | Is an overall diagram of the floor layout and the safe assembly point posted at appropriate places in the DC? |
| 114 | Physical Access and Environmental controls | Secure areas | Are emergency exits visible and properly labeled? |
| 115 | Physical Access and Environmental controls | Secure areas | Are air conditioning systems implemented to ensure that the operational environment conforms to the equipment manufacturer's specifications? |
| 116 | Physical Access and Environmental controls | Secure areas | Are there procedures to monitor that humidity and temperature levels in the data center / server room remain within the limits prescribed by the manufacturer / OEM? Is a water alarm system configured to detect water in high-risk areas of the data center? |
| 117 | Physical Access and Environmental controls | Cabling security | Are cables at the DC clearly labeled and documented to minimize handling errors such as accidental patching of the wrong network cables or electrical power surges? |
| 118 | Physical Access and Environmental controls | Secure areas | Is physical access to the datacenter controlled using two-factor authentication? |
| 119 | Physical Access and Environmental controls | Secure areas | Are visitors required to sign a visitor register? |
| 120 | Physical Access and Environmental controls | Securing offices, rooms and facilities | Are continuous monitoring systems (e.g. CCTV) installed to monitor critical facilities on a 24x7 basis? |
| 121 | Physical Access and Environmental controls | Secure areas | Do critical systems, services, infrastructure or physical locations such as the datacenter post a sign indicating that only authorized personnel are allowed? |
| 122 | Physical Access and Environmental controls | Physical security | Is access to restricted zones granted on a need-to-access basis? |
| 123 | Physical Access and Environmental controls | Physical security | Is a periodic access rights review conducted for access granted to employees, contractors and third parties for <>? |
| 124 | Physical Access and Environmental controls | Physical security | Are visitors accompanied by organization staff when entering or working in critical systems, services, infrastructure or physical locations such as the Data Centre? |
| 125 | Physical Access and Environmental controls | Physical security | Is an access control register maintained at the entry point of the Data Centre? Are the date and time of entry and departure recorded for all visitors? |
| 126 | Physical Access and Environmental controls | Physical security | Are the racks in the server room locked, and is access to these racks restricted to authorized personnel only? |
| 127 | Physical Access and Environmental controls | Physical security | Are identification cards for contractors, visitors or temporary employees physically different from those of regular employees? |
| 128 | Physical Access and Environmental controls | Physical security | Are visitors always escorted in the DC? |
| 129 | Physical Access and Environmental controls | Secure areas | Are access rights to secure areas (e.g. the DC and critical office areas) regularly reviewed and updated? |
| 130 | Physical Access and Environmental controls | Secure areas | Are access points such as delivery and loading areas, and other points where unauthorised persons could enter the premises, controlled and, if possible, isolated from information processing facilities to avoid unauthorised access? |
| 131 | Physical Access and Environmental controls | Physical security | Is there a designated site owner and a backup site owner? |
| 132 | Physical Access and Environmental controls | Physical security | Do access requests require approval of the site owner? |
| 133 | System acquisition, development and maintenance | Security requirements analysis and specification | Is information involved in application services passing over public networks protected from fraudulent activity, contract dispute and unauthorized disclosure and modification (e.g. by authentication and cryptographic controls)? |
| 134 | System acquisition, development and maintenance | Security requirements analysis and specification | Do security requirements for new information systems and enhancements to existing information systems specify the required security controls at design and implementation time? |
| 135 | System acquisition, development and maintenance | Correct processing in applications - Input data validation | Are information security requirements and processes for implementing security integrated into the early stages of information system projects? |
| 136 | System acquisition, development and maintenance | Correct processing in applications - Input data validation | Is data input to application systems validated to ensure that it is correct and appropriate? |
| 137 | System acquisition, development and maintenance | Correct processing in applications - Control of internal processing | Are controls such as checking different types of input for error messages, procedures for responding to validation errors, and defining the responsibilities of all personnel involved in the data input process considered? |
| 138 | System acquisition, development and maintenance | Correct processing in applications - Control of internal processing | Are validation checks incorporated into applications to detect any corruption of information through processing errors or deliberate acts? |
| 139 | System acquisition, development and maintenance | Correct processing in applications - Output data validation | Was a security risk assessment carried out to determine whether message integrity is required and to identify the most appropriate method of implementation? |
| 140 | System acquisition, development and maintenance | Security in development and support processes | Is there a formal Software Development Life Cycle (SDLC) process? |
| 141 | System acquisition, development and maintenance | Security in development and support processes | Is the change management process followed for application changes, and are change records maintained? |
| 142 | System acquisition, development and maintenance | Security in development and support processes | Are secure system engineering principles followed for the development and implementation of software applications? |
| 143 | System acquisition, development and maintenance | Security in development and support processes | Are there access controls to protect source code and test data? Does the version management system provide segregation of code, data and environments? |
| 144 | System acquisition, development and maintenance | Security in development and support processes | Do changes to applications or application code go through a risk assessment, including application testing? |
| 145 | System acquisition, development and maintenance | System change control procedures | Are changes to systems within the development lifecycle controlled by formal change control procedures? |
| 146 | System acquisition, development and maintenance | Technical review of applications after operating platform changes | When operating platforms are changed, are business-critical applications reviewed and tested to ensure there is no adverse impact on organizational operations or security? |
| 147 | System acquisition, development and maintenance | Outsourced development | Does the organization supervise and monitor the activity of outsourced system development? |
| 148 | System acquisition, development and maintenance | System security testing | Is testing of security functionality carried out during development? |
| 149 | System acquisition, development and maintenance | System acceptance testing | Are acceptance testing programs and related criteria established for new information systems, upgrades and new versions? |
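Several of the application access-control checkpoints above (generic logon-failure messages in item 17, the last-successful-logon display in item 18, protected password storage in items 11 and 51, lockout after a defined number of failures with a timed unlock in item 29, and audit records that carry time, event and account in item 86) describe behaviour an auditor can verify in the application itself. The following is an added reference implementation of those checks, not code from any audited application; the in-memory user store, the five-attempt threshold, the 15-minute lockout window, the PBKDF2 parameters and the audit-record shape are all assumptions for the illustration.

```python
"""Added example: an authentication service that satisfies checklist items
11/51 (salted one-way password hash), 17 (one generic failure message),
18 (last successful logon shown on success), 29 (lockout after N failures
with timed unlock) and 86 (audit records with time, event and account).
Thresholds, user store and log format are assumptions for this example."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

MAX_FAILURES = 5                         # assumed lockout threshold (item 29)
LOCKOUT_PERIOD = timedelta(minutes=15)   # assumed timed unlock (item 29)
PBKDF2_ITERATIONS = 600_000              # assumed work factor (item 51)
GENERIC_FAILURE = "Invalid user ID or password."   # item 17: one message for every cause
_DUMMY_SALT = os.urandom(16)             # used to equalise timing for unknown users


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the plaintext password is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    user_id: str
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: Optional[datetime] = None
    last_success: Optional[datetime] = None


@dataclass
class AuthService:
    accounts: Dict[str, Account] = field(default_factory=dict)
    audit_log: List[dict] = field(default_factory=list)

    def register(self, user_id: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.accounts[user_id] = Account(user_id, salt, digest)

    def _audit(self, event: str, user_id: str, now: datetime, **detail) -> None:
        # Item 86: every record carries the time, the event and the account.
        self.audit_log.append({"time": now.isoformat(), "event": event,
                               "account": user_id, **detail})

    def login(self, user_id: str, password: str, now: Optional[datetime] = None) -> dict:
        now = now or datetime.now(timezone.utc)
        acct = self.accounts.get(user_id)
        if acct is None:
            # Unknown user: burn the same hashing cost and return the same
            # message as a bad password, so neither timing nor text reveals
            # whether the user ID exists. The real cause goes to the audit log only.
            hash_password(password, _DUMMY_SALT)
            self._audit("LOGON_FAILURE", user_id, now, reason="unknown_user")
            return {"ok": False, "message": GENERIC_FAILURE}
        if acct.locked_until is not None:
            if now < acct.locked_until:
                self._audit("LOGON_REJECTED_LOCKED", user_id, now)
                return {"ok": False, "message": GENERIC_FAILURE}
            acct.locked_until = None          # timed unlock has elapsed (item 29)
            acct.failures = 0
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failures += 1
            self._audit("LOGON_FAILURE", user_id, now, reason="bad_password",
                        failures=acct.failures)
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_PERIOD
                self._audit("ACCOUNT_LOCKED", user_id, now,
                            until=acct.locked_until.isoformat())
            return {"ok": False, "message": GENERIC_FAILURE}
        previous = acct.last_success
        acct.last_success = now
        acct.failures = 0
        self._audit("LOGON_SUCCESS", user_id, now)
        # Item 18: report the previous successful logon to the user.
        return {"ok": True, "message": "Logon successful.",
                "last_successful_logon": previous.isoformat() if previous else None}


def demo() -> dict:
    """Walk through a constructed scenario: unknown user, five bad passwords,
    rejection during lockout, timed unlock, and the last-logon display."""
    svc = AuthService()
    svc.register("alice", "correct horse battery")        # constructed sample account
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed clock
    unknown = svc.login("mallory", "guess", t0)
    bad = [svc.login("alice", "wrong", t0) for _ in range(MAX_FAILURES)]
    during_lock = svc.login("alice", "correct horse battery", t0 + timedelta(minutes=1))
    after_unlock = svc.login("alice", "correct horse battery", t0 + LOCKOUT_PERIOD)
    later = svc.login("alice", "correct horse battery",
                      t0 + LOCKOUT_PERIOD + timedelta(hours=1))
    return {"unknown": unknown, "bad": bad, "during_lock": during_lock,
            "after_unlock": after_unlock, "later": later,
            "events": [e["event"] for e in svc.audit_log],
            "log_fields_ok": all({"time", "event", "account"} <= set(e)
                                 for e in svc.audit_log)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two points an auditor checking items 17 and 29 should look for in a real application are visible here: the user-facing response is byte-for-byte identical for an unknown user, a wrong password and a locked account (the distinguishing detail lives only in the audit log), and a correct password during the lockout window is still rejected rather than silently unlocking the account.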