IS Audit Checklist for Router Management Performed by Third-party

Viljan Mahnic¹, Borut Klepec², Natasa Zabkar³

¹ University of Ljubljana, Faculty of Computer and Information Science, Trzaska 25, SI-1000 Ljubljana, Slovenia, viljan.mahnic@fri.uni-lj.si
² Triglav Insurance Company Ltd, Lendavska 5, SI-9000 Murska Sobota, Slovenia, bklepec@attglobal.net
³ Triglav Insurance Company Ltd, Miklosiceva 19, SI-1000 Ljubljana, Slovenia, nzabkar@zav-triglav.si

Abstract

Network management is an important part of business management. Router management is one component of network management. Because of its complexity, router management is often performed by a third party. This paper describes the risks involved in such a solution and gives guidelines for establishing controls to mitigate these risks. The COBIT standard (Control Objectives for Information Technology) has been used for this purpose, and the result is presented in the form of an IS audit checklist. Elements of this checklist are described and conclusions given.

1. Introduction

»Businesses are built around networks« [10]. It is in the interest of business to have a secure network, since the cost of network failure can be very high. When the network is down, business is down. Security of a network can be defined as »CIA«: confidentiality, integrity and availability. The key component for ensuring network security is network management. This paper discusses one part of network management: router management.

Knowledge about routers is very often not available in the organization. Training of internal staff is one possible solution to this problem. Another solution is contracting a third party. This paper deals with router management performed by a third party.

Firstly, router management will be described, and after that common problems with contracting a third party will be presented.
Then an IS audit checklist will be proposed in order to show how these problems can be prevented, detected, and corrected. Finally, the conclusion will be given.

2. Router management

A router is a LAN interconnection device which operates at the OSI network layer (layer 3). The function of this layer is to establish, maintain, and terminate links between network nodes. A router is a protocol-dependent device. Examples of protocols are IP, IPX, AppleTalk and DECnet. Routers route packets as defined in the routing table. Routing tables define the selection of protocols that a router can pass through, and statistical data about other routers in the internetwork. Routing is based on logical addresses that are protocol specific [10].

Router management is a part of network management. According to the International Organization for Standardization (ISO), network management has five functional areas [10]: (1) fault management; (2) configuration management; (3) accounting management; (4) performance management and (5) security management.

Fault management deals with the discovery, isolation and resolution of network problems. Configuration management includes the initial setting up of the network and maintaining up-to-date network documentation. Accounting management is the process of recording network usage. Performance management is about measuring the performance and tuning the network. Security management deals with network CIA, defined earlier.

All five functional areas are also present in the CONCT standard (Control Objectives for Net Centric Technology), developed by ISACA (Information System Audit and Control Association) [6]. Router management will be presented in the IS audit checklist through these five functional areas.

3. Manage Third-party Services

Outsourcing is »a formal agreement with a third party to perform an IS function for an organization«. The service provider is the organization providing the outsourced