Submitted to file,
__Auditor__
__Title____
WORKPAPER INDEX - PHYSICAL SECURITY B-Index
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
B-Memo | Summary memo for this audit area |
B-Point | Audit point(s) for this audit area |
B-1 | Review of questionnaire responses |
B-2 | Physical security testing procedures |
B-3 | |
B-4 | |
B-5 | |
B-6 | |
B-7 | |
B-8 | |
B-9 | |
B-99 | Other facility issues |
REVIEW OF QUESTIONNAIRE RESPONSES B-1.1
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
I have reviewed the responses to the questionnaire section dealing with physical security. A copy of that section follows this working paper as 1.2. All of the items requiring further discussion, investigation, or other follow-up are described below, and referenced by the letter (and audit point reference where appropriate) shown in the left column.
Reference | Audit Point | Description |
---|---|---|
| | |
TESTING OF PHYSICAL SECURITY FEATURES B-2
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
Note: Review and update as needed based on work performed.
I have tested the following security features that were identified in the internal control questionnaire and identified on the data center diagram included in the carryforward workpapers. The results are summarized below:
Door locks: | I tried 10 combinations on the lock, working with simple sequential combinations, the factory default combination, and other combinations I have seen used in the past. I was not successful in opening the door. |
Fire extinguishers: | I examined all of the extinguishers in the data center and the surrounding area, noting that all of them had the appropriate inspection cards attached, that all of them had a current inspection, and that all of the gauges were in the green. |
Water detectors: | I tested the water detectors by shorting one of them out with an insulated-handle screwdriver. (Note that the monitoring personnel were notified in advance, and that local management approved the testing before it was done. This also applies to tests of the other detector systems with an annunciation feature.) |
Heat/smoke sensors: | I tested these directly using the included test feature/by reviewing the testing documentation from the outside security service responsible for the system. All items functioned as expected. |
Control panel: | I checked the control panel using the test function button included in the system without exception. I also confirmed that a sensor activation will be shown on the monitoring panels with the guards and the third-party security service. |
OTHER PROCEDURES B-99
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
SUMMARY MEMO - AREA B-Memo
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
OBJECTIVE
The objective in this area was to determine the adequacy of controls over physical security.
CONCLUSION
Based on the work done in this area, my opinion is that: the controls over the physical security of the installation __ protect the personnel and equipment from relevant local risks.
FINDINGS
The conclusion(s) above were made considering the following specific findings:
PROCEDURES
To satisfy the audit program the following procedures were done.
Submitted to file,
__Auditor__
__Title___
WORKPAPER INDEX - LOGICAL SECURITY C-Index
Prepared by / date ___AUDITOR___ _96/month/day
Approved by / date _________ _96/____/____
C-Memo | Summary memo for this audit area |
C-Point | Audit point(s) for this audit area |
C-1 | Review of internal control questionnaire responses |
C-2 | Testing of vendor-supplied profiles/passwords |
C-3 | Testing of password syntax and control parameters |
C-4 | Testing of user profile management procedures |
C-5 | Comparison of user profile setup |
C-6 | Comparison of questionnaire responses and the system value listing |
C-7 | Evaluation of security items from the system history log |
C-8 | |
C-9 | |
C-99 | Other logical access related procedures |