The audit/assurance program is a tool and template to be used as a road map for the completion of a specific assurance process. ISACA has commissioned audit/assurance programs to be developed for use by IT audit and assurance practitioners. This audit/assurance program is intended to be utilized by IT audit and assurance professionals with the requisite knowledge of the subject matter under review, as described in ITAF section 2200—General Standards. The audit/assurance programs are part of ITAF section 4000—IT Assurance Tools and Techniques.
Objective—The objective of the Apache Web Services Server audit/assurance review is to provide management with an independent assessment relating to the effectiveness of configuration and security of Apache Web Servers within the enterprise’s computing environment.
Scope—The review will focus on configuration of the relevant Apache Web Services Servers within the enterprise. The selection of the applications/functions and specific servers will be based upon the risks introduced to the enterprise by these systems.
Numerous Apache modules exist to provide customized resources and capabilities. Because each installation may use different web programming and support tools, this audit/assurance program is limited in scope to the Apache Web Services Server configuration. Additional software, including databases, dynamic content systems, common gateway interfaces and server-side includes, is excluded from the scope of this review. It is suggested that either separate audits of these products be performed, or this audit program be modified to address these specific extensions to the basic Apache Web Services Server.
Apache Web Services Server relies upon the integrity of the host operating system. Accordingly, the auditor must perform or have access to a recent audit of the host operating system’s configuration and be assured of the integrity and security of the host. If this cannot be assured, the audit of the host operating system should be completed prior to beginning this audit. If the host operating system audit has identified significant deficiencies or material weaknesses, this audit should be postponed until these issues are remediated.
IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the Certified Information Systems Auditor (CISA) designation and/or necessary subject matter expertise to adequately review the work performed.