An information systems audit performed by RMAS is a comprehensive examination of a given targeted system. The audit consists of an evaluation of the components which comprise that system, with examination and testing in the following areas:
- High-level systems architecture review
- Business process mapping (e.g. determining information systems dependency with respect to user business processes)
- End user identity management (e.g. authentication mechanisms, password standards, roles limiting or granting systems functionality)
- Operating systems configurations (e.g. services hardening)
- Application security controls
- Database access controls (e.g. database configuration, account access to the database, roles defined in the database)
- Anti-virus/Anti-malware controls
- Network controls (e.g. running configurations on switches and routers, use of Access control lists, and firewall rules)
- Logging and auditing systems and processes
- IT privileged access control (e.g. System Administrator or root access)
- IT processes in support of the system (e.g. user account reviews, change management)
- Backup/Restore procedures
The general mechanics of the audit consist of sampling configuration and log files, with subsequent interviews with key personnel. Additionally, RMAS performs testing with regard to identified key controls, and may require the creation of user accounts such that RMAS auditors may more thoroughly peruse the system and determine the efficacy of implemented controls. Further, a subset of integration testing may be performed against test or staging environments to assure controls that the general user may experience are in place and functioning as described and expected.
While much of the evaluation performed in an information systems audit is heavily focused on the IT general control environment for the given system, interviews with primary the primary users or information owners may be conducted. Inquiry into the user community would be performed to determine general user acceptance of the system and to determine service expectations with regard to the system.