Audit Checklists a Day: MySQL Database Audit Checklists (Week in Review)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

In our last batch of posts we continued our month of database audit checklists with tweets focusing on MySQL database systems. This month we’ve tried to bring you a series of audit checklists for databases that would help you, regardless of the application system that is the scope of your audit. So many of the business systems we audit utilize databases as backend systems to support the application that we often find ourselves in the situation where we need to audit databases as well. I hope these MySQL checklists help (regardless of what Oracle decides to do with MySQL in the near future).

Also, while many of you on Twitter have already noticed this, we have been using a particular Twitter hashtag when posting our tweets. Each of our daily posts can be found using the hashtag #AuditChecklists.

If you have other similar checklists that you think are better, let us know, we’ll happily tweet them as well. This is a community effort, why not share?

Audit Checklists for Auditing MySQL Database Systems:

From Cert-in.org

From NGS Software

From the SANS Institute

From Webmaster2020.com

From MySQL

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Oracle Database Audit Checklists (Week in Review – April 17, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

Last week we continued our month of database system audit checklists with a week of checklists on how to audit Oracle database systems. Like last week, most of these checklists focus on the database server itself, and not the application code, database structure, or permission sets in the database. But at least these should serve as starting points for someone who is auditing technical controls on Oracle systems.

Also, while many of you on Twitter have already noticed this, we have been using a particular Twitter hashtag when posting our tweets. Each of our daily posts can be found using the hashtag #AuditChecklists.

If you have other similar checklists that you think are better, let us know, we’ll happily tweet them as well. This is a community effort, why not share?

Audit Checklists for Auditing Oracle Database Systems:

From the SANS Institute

From Oracle

From ISACA

From Vgrigorian

From Pete Finnigan

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Microsoft SQL Server Audit Checklists (Week in Review – April 12, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

Last week we tweeted on audit checklists we thought might be useful when auditing a Microsoft SQL Server. There are so many MSSQL servers deployed today that it seems like you can hardly perform an audit without running into one these days. Maybe you audit a full-blown instance of a server, or on the other hand maybe you only see SQL Express or the older MSDE installed. But still they seem to multiply like rabbits. So this week we tried to provide you resources to help with those audits. This also begins our month of database checklists. So every day (work day that is – please don’t make us tweet these on the weekends) – we’ll post a new checklist.

If you have other similar checklists that you think are better, let us know, we’ll happily tweet them as well. This is a community effort, why not share?

Audit Checklists for Auditing Microsoft SQL Servers:

Microsoft TechNet Checklist

Microsoft MSDN Checklist

Microsoft MSDN Checklist

TechTarget Checklist

SQLSecurity.com Checklist (Old Link Removed)

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Phone System Audit Checklists (Week in Review – April 5, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

We focused this week on checklists to assist you with your audits of phone systems. Some of the checklists focus on general audit techniques for phone systems and some of them are particular to Voice over IP systems. I hope these will assist you as you’re auditing more than just network devices. Enjoy!

Audit Checklists for Auditing Phone Systems / PBX / VoIP:

General PBX Audit

General PBX Audit (Old Link Removed)

General PBX Audit (Old Link Removed)

VoIP Audit

VoIP Audit

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Virtualization Audit Checklists (Week in Review – February 22, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

We decided to hit another hot topic this week, so we decided to talk about virtualization. I mean, when you’re not talking about cloud computing security over the family dinner table, you’re most likely talking about virtualization security and how it impacts your daily lives (Honey, can you install that new garbage disposal? Of course I can dear, but couldn’t we just virtualize it?). So we’re hoping that these audit checklists will help you as you’re evaluating the controls that protect these environments. You know you’re using them, might as well protect them!

Audit Checklists for Auditing Virtualized Environments: 

DISA (Old Link Removed)

Tripwire (Old Link Removed)

VirtualizationAdmin.com

Microsoft

DarkReading

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Cloud Computing Audit Checklists (Week in Review – February 15, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

For this week’s checklists we’re going to be returning to the world of more operational controls. Specifically we’ve been investigating audit checklists for evaluating cloud computing environments. Come on, we know you’ve been thinking about it and talking about it both in your IT departments and in your corporate board rooms. Heck, you’ve probably been chatting up other parents at your kid’s little league and talking with them about it! So this week we’re listing off some helpful checklists we’ve found for auditing cloud computing environments. Enjoy!

Audit Checklists for Auditing Cloud Computing Providers: 

ENISA

Cloud Security Alliance

Grid.org.il

SNIA (Old Link Removed)

FUMSI

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Wireless Network Audit Checklists (Week in Review – February 8, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

This week we turned back to a technical topic and posted checklists for auditing wireless 802.11 networks. We know that many of you, whether you approve of your users using wireless or not, know that your organization is using wireless, but you want to make sure that it’s being done responsibly. Or maybe you just don’t know if a particular site you’re supporting is using wireless networks or not. This week’s checklists are meant to give you a list of controls to consider when auditing the wireless side of your infrastructure. I hope it helps!

Audit Checklists for Auditing Wireless 802.11 Networks: 

DISA (Old Link Removed)

20 Critical Controls / CAG

US Department of Justice

The SANS Institute

SmashingPasswords.com

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Change Management Audit Checklists (Week in Review – February 1, 2010)

Welcome back to our weekly archive of audit checklists! We hope these weekly lists will help you as you build your personalized checklist for auditing your own organizations. We know that sometimes it can be difficult to research each of these topics, so hopefully these lists will help save you some time when you are researching your audit scope.

This week’s focus is on audit checklists for change management programs. We are still trying to alternate between technical security controls and operational security controls. Effective change management programs are still essential to properly securing your information systems and we hope these checklists will assist you in your security efforts.

Audit Checklists for Assessing Change Management Programs:

ISACA

Institute for Internal Auditors (Old Link Removed)

UnifiedCompliance.com (Old Link Removed)

Wikipedia

AuditNet

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Web Application Audit Checklists (Week in Review – January 25, 2010)

Last week we returned to the more traditional approach of posting audit checklists that were just that – checklists for auditing controls. We try our best to alternate between postings on how to audit technical controls and how to audit process-based controls. Last week we took the technical approach and posted checklists for how to audit web applications that you might encounter.

Of course I always have my biases. I really like the work the people at OWASP have contributed on this topic and I think you’ll find their assessment methodology quite comprehensive. But check them all out as you prepare for your reviews. Smashing Magazine especially has a great list of business-oriented assessment questions to consider when you’re auditing your applications as well.

In addition to the checklists, I also noticed that Fortify is getting into the SaaS / Cloud / whatever you want to call it space and doing on-demand assessments of applications (web applications included). Here’s a link to their Fortify on Demand product suite:

Audit Checklists for Assessing Web Applications:

OWASP

Business Questions

Certified Secure

Microsoft

SANS (Old Link Removed)

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Daily IT audit checklists via Twitter (free)

As a part of our effort to provide resources to the audit community we have been sending everyone free audit checklists daily via Twitter. Simply follow @isaudit on Twitter to get the latest free checklists.

We try to focus on one topic every week that we think will be useful to the community. Last week we covered a technical topic (web application auditing) and this week we’ve moved to process controls (auditing change management programs). We try to pick another interesting topic once per week (and yes, we do take requests).

Or if you’re looking for a more personal touch and want to learn about or discuss information security or audit topics, feel free to send me a note at @jamestarala.

Using social media to promote good security…