IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.
The File Server audit/assurance review provides management with an independent assessment of the effectiveness of the configuration and of the security of the enterprise’s file servers.
The file server is the most basic of system servers. As the name implies, its function is to store and manage data. Departmental and organizational folders are established to store and make available data, programs, documents, etc. In the early days of networked office systems, each file server had its individual access configuration; today, all user access rights, including identity management and user access, are controlled by a single sign-on system that integrates all servers into a domain. This simplifies user identity and access privilege maintenance.
The review focus is on the configuration, management, and physical security of a cross section of the relevant and high-risk file servers in the enterprise. The selection of specific servers will be based on the risk introduced to the enterprise by these systems.
The review will focus on the configuration controls relating to:
- File server management and administration
- File server configuration settings
- Physical security of the file servers
- Secure administrative practices and logical security