The process and procedures around Security Auditing
*** Disclaimer: as I'm learning about Information Security I come across a lot of useful information. Truly, it's a firehose of facts, tips, etc., that I write on this blog. As it were, I wish to post the following link along with my notes on the following topic - Security Audit. ***
blog.dashlane.com/conduct-internal-security-audit/
What is a Security Audit?
At its most basic, a Security Audit is a systematic technical assessment of a system or application. The Security Team will conduct interviews, perform all manner of vulnerability scans, analyze the results, and produce a report detailing areas that require attention.
An audit must be thorough, cost-effective (in both time and money), and free of bias.
A more expansive definition can be found by conducting an online search or visiting your local library or bookstore.
Who is this for?
Audits can be applied to banking, commercial, health care organizations, schools, and just about any other institution where there is an exchange or transmission of sensitive end-user data.
Why am I doing this?
As mentioned, anytime a transmission of sensitive user information is involved, there needs to be precautions taken to secure the data. Think: Banking or Retail Site using banking information to complete a transaction.
The CIA triad comes into play.
An audit verifies that data is kept confidential during processing, that its integrity is preserved during transmission, and that it is accessible only to the recipients involved.
Security Audits are performed at the behest of a company about to launch an application that handles sensitive user data. Another common trigger is enforcement intervention (i.e., a cybercrime has been committed); an investigation must then be conducted to determine culpability, whether by negligence or by willful act.
Where will it take place?
More often than not, security audits are conducted on-site under the supervision of a third-party agency. Audits can be done internally or externally, the latter being more thorough but expensive.
External audits are performed by seasoned professionals who have all the appropriate tools and software to conduct a thorough audit, assuming they receive the requisite data and direction.
What is in scope?
Should you decide to conduct an internal audit, and you have educated yourself in the compliance requirements necessary to uphold security protocols, do the following:
- Define Your Audit
- Define Your Threats
- Assess Current Security Performance
- Prioritize (Risk Scoring)
- Formulate Security Solutions
What is not in scope?
Anything not otherwise agreed to, as expressed in the contractual agreement entered into by the auditor at the request of the client.
What is to be audited and what is not will be documented in a list of Valued Assets, divided into segments of what will and will not be audited. The assets declared highest value are where the focus of the audit should be.
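As an added example (my own code, not from this post or from the Dashlane article it links), the five steps above and the Valued Assets list from this scope section can be worked through as a small risk register in Python. The assets, threats, ratings and the value x likelihood x impact formula are all constructed assumptions; the post names risk scoring but prescribes no particular formula. Threats against assets the contract excludes are dropped before scoring, which is the scope rule the section describes.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed sample data for a retail site about to launch a checkout feature.
# Asset values and threat ratings are illustrative, not taken from the post.

@dataclass
class Asset:
    name: str
    value: int        # 1 (low) .. 5 (critical) business value of the asset
    in_scope: bool    # True only if the audit contract names this asset

@dataclass
class Threat:
    name: str
    asset: str        # name of the asset the threat applies to
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    controls: list[str] = field(default_factory=list)  # mitigations already in place

ASSETS = [
    Asset("Payment database", value=5, in_scope=True),
    Asset("Customer web portal", value=4, in_scope=True),
    Asset("Marketing blog", value=1, in_scope=False),   # excluded by contract
]

THREATS = [
    Threat("Unencrypted backups", "Payment database", likelihood=4, impact=5),
    Threat("Weak admin passwords", "Payment database", likelihood=4, impact=4,
           controls=["password policy"]),
    Threat("Unpatched web server software", "Customer web portal",
           likelihood=3, impact=5, controls=["monthly patch window"]),
    Threat("Defaced blog page", "Marketing blog", likelihood=3, impact=2),
]

def risk_score(asset: Asset, threat: Threat) -> int:
    """Step 4 (Prioritize): risk = asset value x likelihood x impact.
    Assumed scoring scheme; the post names risk scoring but fixes no formula."""
    return asset.value * threat.likelihood * threat.impact

def prioritize(assets: list[Asset], threats: list[Threat]) -> list[tuple[int, Threat]]:
    """Score every threat against an in-scope asset and order them highest risk first.
    Threats against out-of-scope or unknown assets are dropped, as the scope agreement requires."""
    by_name = {a.name: a for a in assets}
    scored = []
    for t in threats:
        a = by_name.get(t.asset)
        if a is None or not a.in_scope:
            continue
        scored.append((risk_score(a, t), t))
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return scored

def audit_report(assets: list[Asset], threats: list[Threat]) -> dict:
    """Steps 1-5 in one pass: scope (1), threats (2), current controls (3),
    ranked findings (4) and the items that still need a solution (5)."""
    findings = prioritize(assets, threats)
    return {
        "in_scope": [a.name for a in assets if a.in_scope],
        "out_of_scope": [a.name for a in assets if not a.in_scope],
        # Step 3: a threat with no existing control is a gap in current performance
        "unmitigated": [t.name for _, t in findings if not t.controls],
        "findings": [(score, t.name) for score, t in findings],
    }

if __name__ == "__main__":
    for key, value in audit_report(ASSETS, THREATS).items():
        print(f"{key}: {value}")
```

Running it lists the two in-scope assets, the excluded blog, the unencrypted-backup finding as the only one with no control in place, and the three findings ranked 100, 80, 60. The ranking is what feeds the "Formulate Security Solutions" step: the highest-value asset's unmitigated threat comes first, which is exactly where the post says the audit's focus belongs.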
How long does it take?
Start-to-finish, a security audit duration is determined by the scope and list of assets, as well as the volume of potential threats. Audits can span days or weeks. Most importantly, security audits are iterative and ought to be conducted regularly.
What are my deliverables?
Based on the outcome of the audit, a comprehensive report is generated detailing the level of tests conducted, any issues requiring action, and a list of potential security solutions. These can cover anything from "Employee Awareness" seminars and defensive counter-measures to better password policies and network monitoring.
This list can go on and on, but it is reliant mostly on the results of the aforementioned audit.