Sample VPN Audit Program

The original program is laid out as a four-column worksheet: Audit Step; Completed By/Date; Test Results, Remarks, W/P Ref; and CONCT & VPN Publication Reference. The Completed By/Date and Test Results columns are blank for the auditor to fill in, so each step below is followed only by its CONCT & VPN Publication Reference where the program lists one.
A. Prior Audit/Examination Report Follow-up

Examine any prior reports that may be related to the previous phases (pre-implementation and implementation). Ensure any agreed-upon corrections have been followed up or addressed in a timely manner.
B. Preliminary Audit Steps

Review any management reports and documents covering previous stages and any plans for future developments.

Review any documents covering changes and identify any problems that were encountered.

Examine performance and any management reports to establish whether the business, financial and IT objectives of the VPN have been met.
Page 1 of 5
C. Detailed Audit Steps

Business Objectives:

Assess progress of the VPN implementation project using project management techniques. Obtain user feedback for the post-implementation review. Evaluate current delivery against expected deliverables regarding network access, timelines, availability and confidentiality. Comparing the VPN with what the enterprise had been using, review and document the expenditures (costs) associated with each of the components input to the operational budget to ensure integrity, accuracy, completeness and reliability. These should be assessed against the initially planned cost savings. (It should be noted that most of the savings of implementing a VPN will come from two areas: the first from a reduction in staffing through outsourcing functions needed while maintaining dedicated networks, and the second from network usage and long distance savings. Both of these may not have been fully realized when the implementation review is conducted.)
Reference: CONCT Development Management; CDI

Identify the VPN topology chosen by the enterprise and determine if it is meeting the needs described by management in the implementation phase, i.e., Pure Provider, Hybrid or End-to-end.
Security Management:

Determine if the firewalls and routers have been installed in the proper location based on the specific topology chosen by the entity.
Reference: CONCT Network Configuration Management; MBI

Determine if there are any interoperability or compatibility problems with business partners or suppliers of VPN routers, if a router-based VPN solution was chosen.

Review to determine if processes and procedures for the monitoring of message movements exist to protect against unauthorized movements, access and modifications. There should also be procedures for reporting and follow-up of any violations.
Reference: CONCT Network Configuration Management; MBI

Ensure that all certificates were validated and that they are trusted on the basis of user-specific information.
Reference: CONCT Network Configuration Management; MBI
Change Control:

Determine if proper processes and procedures are in place to control changes to networks, hardware, operating system and database objects, including changes made by the ISP.
Reference: CONCT Change Management; CD3

Assess if hardware change components have been made; schedule tests and shutdown for the post-implementation review (using the backup system temporarily).
Reference: CONCT Change Management; CD3

Establish rollback procedures to the previous release in the event the change is not successful. Ensure that all costs have been documented, and automate the control of source and objects while making operating system changes.
Reference: CONCT Change Management; CD3
Problem (Usage) Management:

Determine if the following are in place:
• Virus protection software
• Firewalls for portables
• Download and replication procedures
• Monitoring of resource availability to support user usage
• Appropriate hardware and software to support processing efficiency, speed and cost control
Reference: VPN Chapter 3; CONCT User Usage Management; C06

Ensure there is an adequate help desk in place, extending not only to the traditional end users within the organization but also to the customers or suppliers who may be using an extended intranet (extranet) application.
Reference: CONCT Help Desk Management; C02
Review: VPN Technology

Determine if the detailed objects and related functions for meta data objects (MDO) are properly implemented to satisfy the business requirement.
Reference: VPN Chapter 5; CONCT MD1, MD4

Determine if the detailed objects and related functions for management information base objects (MIBO) are properly implemented to satisfy the business requirement.
Reference: VPN Chapter 5; CONCT MB1, MB5

Determine if the detailed objects and related functions for component control base objects (CCBO) are properly implemented to satisfy the business requirement.
Reference: VPN Chapter 5; CONCT CD1, CD4, C01, C06, CC1