NIST Audit Checklist

The document is a checklist for auditing an organization's compliance with NIST security standards for administrative, physical, and technical safeguards. It contains 33 questions across these three categories regarding the organization's risk assessment policies and procedures, information security plans, access controls, encryption, backups, and more. The auditor will use this checklist to evaluate the organization's information security practices and safeguards.
Auditor:
Auditee:

NIST Based checklist (columns: Sr #, checklist item, Compliant Y/N)

Administrative Safeguards

1. Is there a risk assessment policy/procedure defined to ensure employees are aware of the risks related to critical information?
2. Are all employees trained on risk assessment policies and procedures?
3. What is the frequency of risk assessments, and when was the last one done?
4. Is information sensitivity classification done to ensure appropriate controls can be implemented for critical and non-critical information?
5. Is the information system configuration documented, including connections to other systems, both inside and outside the firewall?
6. Are all threats to the information systems identified, i.e. human, natural and environmental?
7. Are risk assessment results documented in the security plan or risk assessment report?
8. Is there a formal and documented contingency plan?
9. Are there proper sanctions documented in case of system misuse, abuse and/or any fraudulent activities?
10. Is there a network and system monitoring process in place? How often are the monitoring results reviewed?

Physical Safeguards

11. Is there an access control policy/procedure in place?
12. Are there documented procedures to facilitate implementation of the physical and environmental protection policy and associated physical and environmental controls?
13. Are there appropriate CCTV cameras placed in all the operations areas, covering the entire operations floor?
14. Are all workstations protected from public view?
15. Are there documented records available for all the changes/modifications done to the physical access points, e.g. access readers?
16. Is there a security plan in place, and is it reviewed on a regular basis?
17. Is there a plan for security-related activity, such as security assessments, system hardware and software maintenance, and contingency plan testing/exercises, affecting the information system, made before conducting such activities in order to reduce the impact on organizational operations, assets and individuals?
18. Are there policies and procedures in place for controlling and validating access for employees, workforce members, visitors, and probationary employees?
19. Are physical access logs reviewed on a regular basis?
20. Are records maintained for all the repairs done to hardware, doors, etc.?
21. Are records of maintenance and repairs on information system components kept in accordance with manufacturer or vendor specifications?
22. Is approval sought for removal of the information system or system components from your organization's facilities for off-site maintenance or repairs?
23. Is there a workstation use policy/procedure in place?
24. Is an inventory of all the workstation types and locations maintained?
25. Are there procedures that will prevent unauthorized access to unattended workstations, limit the ability of unauthorized persons to view sensitive information, and dispose of sensitive information as needed?
26. Is remote access allowed? If yes, how is it monitored?

Technical Safeguards

27. Are access control policies defined as (1) identity-based policies and (2) role-based policies?
28. Are user roles identified for applications, systems and servers?
29. Are the following access enforcement mechanisms in use to control access between users and objects such as devices, files, processes, programs and domains within our information systems: (1) access control lists, (2) access control matrices, (3) cryptography, (4) other?
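As an added example (not part of the checklist or of auditGaps.com's material), the following Python models what items 27 to 29 ask about: identity-based ACL entries and role-based policy are combined into an access control matrix, access decisions are deny-by-default, and an audit function lists the identity-based grants that no assigned role accounts for, which is the kind of evidence an auditor would ask the auditee to justify. All users, roles, objects and permissions are constructed for the example.

```python
"""Access control matrix built from identity-based ACL entries and a
role-based policy, with a deny-by-default decision function and an audit
report of direct grants. Added example; all names below are constructed."""
from collections import defaultdict

# Constructed sample policy (hypothetical roles, users and objects).
ROLE_PERMISSIONS = {
    "dba":     {("payroll_db", "read"), ("payroll_db", "write")},
    "analyst": {("payroll_db", "read"), ("reports", "read")},
    "ops":     {("backup_server", "read"), ("backup_server", "write")},
}
USER_ROLES = {
    "alice": {"dba"},
    "bob":   {"analyst"},
    "carol": {"ops"},
    "dave":  set(),                 # no role assigned at all
}
# Identity-based ACL: (object, action) -> users granted directly.
ACL = {
    ("payroll_db", "write"):   {"dave"},   # direct grant, no role behind it
    ("reports", "read"):       {"bob"},    # redundant with the analyst role
    ("backup_server", "read"): {"alice"},  # direct grant outside the dba role
}


def build_matrix(user_roles, role_perms, acl):
    """Return {(user, object): set(actions)} derived from both policies."""
    matrix = defaultdict(set)
    for user, roles in user_roles.items():
        for role in roles:
            for obj, action in role_perms.get(role, ()):
                matrix[(user, obj)].add(action)
    for (obj, action), users in acl.items():
        for user in users:
            matrix[(user, obj)].add(action)
    return dict(matrix)


def is_allowed(matrix, user, obj, action):
    """Deny by default: only an explicit matrix entry grants access."""
    return action in matrix.get((user, obj), set())


def direct_only_grants(user_roles, role_perms, acl):
    """Audit finding list: identity-based grants not justified by any role
    assigned to the user. These are the entries items 27/28 would flag."""
    findings = []
    for (obj, action), users in acl.items():
        for user in users:
            via_role = any((obj, action) in role_perms.get(role, ())
                           for role in user_roles.get(user, ()))
            if not via_role:
                findings.append((user, obj, action))
    return sorted(findings)


if __name__ == "__main__":
    matrix = build_matrix(USER_ROLES, ROLE_PERMISSIONS, ACL)
    for (user, obj), actions in sorted(matrix.items()):
        print(f"{user:6} {obj:14} {sorted(actions)}")
    print("direct-only grants:",
          direct_only_grants(USER_ROLES, ROLE_PERMISSIONS, ACL))
```

The matrix printout is the artifact an auditor can compare against the role definitions for item 28; the direct-only grant list is where identity-based exceptions accumulate and should each have a documented owner and reason.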
30. Are periodic backups conducted of all the information systems?
31. Are there documented procedures to facilitate the implementation of the system and information integrity policy and associated system and information integrity controls?
32. Does the information system protect the confidentiality of transmitted information across internal and external networks?
33. Is encryption implemented to safeguard the information from unauthorized view (read/copy/modification)?

Visit www.auditGaps.com