S 4.428 Audit of the Lotus Notes/Domino environment

Initiation responsibility: Data Protection Officer, Head of IT, IT Security Officer

Implementation responsibility: IT Security Officer, Specialists Responsible, Administrator, Data Protection Officer, Auditor

In order to determine whether the actual security status of the Lotus Notes/Domino environment meets the requirements and in order to identify possible weaknesses, it is necessary to perform periodic audits and security checks of the Lotus Notes/Domino environment.

In so doing, a differentiation between internally initiated and externally initiated audits and security checks is made. Internally initiated audits are normally initiated and processed within the framework of the information security management process or during auditing activities, while externally initiated audits are frequently part of external audits, e.g. performed by regulatory authorities, external auditors, or licensors (see also safeguard S 2.493 Licence management and licencing aspects regarding procurement for Lotus Notes/Domino).

External audits normally aim at checking the compliance with statutory and regulatory requirements or contractual provisions. They can also be prerequisites for participating in electronic data exchange, payment schemes, trading systems, for granting special conditions, or for taking out IT-related insurances.

The particular importance of data protection often justifies concentrated audits focusing on data protection. These may also include a data protection audit of the Lotus Notes/Domino environment, since Lotus Notes/Domino is often used to process and store personal data.

If possible, audits must be planned applying the corresponding lead time. Legal aspects of the audits must be clarified and evaluated in advance. Certain audits may require coordination with the Data Protection Officer and the personnel representative.

As a matter of principle, audits (particularly external audits) must be supported by the information security management department. Scope and content-related organisation of this support must be defined and documented in advance within the information security management department (for supporting licencing audits, certification audits, and audits within the framework of inspections performed by the responsible inspection authority).

It must be ensured that the results of performed audits are incorporated into the optimisation of the information security management process. Weaknesses identified by the audit and the associated IT risks must be communicated immediately to the persons in charge (organisation management, Head of IT, IT Security Officer, Specialists Responsible).

Audits must be performed in a transparent and comprehensible manner. Audits and security checks the implementation of which may entail risks for IT operations or for the information values of the organisation, e.g. penetration tests, must be planned and performed taking into consideration the legal situation and the previously performed risk assessment.

Audits of the Lotus Notes/Domino environment may take a holistic approach or check particularly security-sensitive areas in an isolated manner. For example, the holistic approach may evaluate the security management regarding Lotus Notes/Domino on process level and on a technical level, based on the business processes supported by Notes/Domino. Isolated audits may check configurations and methods in the field of particularly security-sensitive components or services in detail (e.g. certificates management or the configuration of the Lotus Notes/Domino security mechanisms).

Review questions:

• Is there a documented scheme for auditing the Lotus Notes/Domino environment?
• Is there a definition of the responsibility for supporting external audits?
• Is there a content-related definition as to how external audits are supported?