What is a Security Audit?
A security audit is a specified process designed to assess the security risks facing a business and the
controls or countermeasures adopted by the business to mitigate those risks. It is typically a human
process, managed by a team of “auditors” with technical and business knowledge of the company’s
information technology assets and business processes. As part of any audit, these teams will
interview key personnel, conduct vulnerability assessments, catalog existing security policies and
controls, and examine IT assets covered by the scope of the audit. In most cases, they rely heavily
on technology tools to perform the audit.

Often, security audits are best understood by focusing on the specific questions they are designed to
answer. For example:

- How difficult are passwords to crack?
- Do network assets have access control lists?
- Do access logs exist that record who accesses what data?
- Are personal computers regularly scanned for adware or malware?
- Who has access to backed-up media in the organization?

These are just a small sample of the questions that any security audit should attempt to answer.

It is important to understand that a security audit is a continuous process that should deliver
continuous improvement to any business. Some commentators have argued that audits should only
focus on assessing compliance with existing security policies. Instead, an audit should not only
assess compliance, but also assess the very nature and quality of the policies and controls
themselves. In many cases, security policies become rapidly obsolete with the release of new
technologies or process overhauls. Security audits are the most effective tool for determining the
validity of those policies.

The Security Audit Process
While there are certainly planning and consensus building steps that any team would be wise to
take before beginning an audit (for example, making sure that senior management supports the
project), the following steps are essential to the audit itself:

    1. Define the physical scope of the audit: The audit team should define the security perimeter
       within which the audit will take place. The perimeter may be physically organized around
       logical asset groups such as a datacenter specific LAN or around business processes such as
       financial reporting. Either way, the physical scope of the audit allows the auditors to focus
       on assets, processes, and policies in a manageable fashion.


Copyright © 2007, Tippit, Inc., All Rights Reserved
    2. Define the process scope of the audit: This is often where the rubber hits the road on
       security audits, as overly broad process scoping can stall audits. At the same time, overly
       narrow scoping can result in an inconclusive assessment of security risks and controls. This
       document describes how to effectively scope the security processes or areas that should be
       included in an audit. It is critical that any business, regardless of size, put limits on the
       security processes or areas that will be the focus of the audit.

    3. Conduct historical due diligence: An oft-forgotten step in security audits is pre-audit due
       diligence. This due diligence should focus on historical events such as known
       vulnerabilities, damage-causing security incidents, as well as recent changes to IT
       infrastructure and business processes. It should include an assessment of past audits.
       Furthermore, auditors should compile a complete inventory of the assets located within the
       physical scope of the audit and a complete list of specified security controls relevant to
       those assets.

    4. Develop the audit plan: An effective audit is almost always guided by a detailed audit plan
       that provides a specific project plan for conducting the audit. This should include a specific
       description of the scope of the audit, critical dates/milestones, participants, and
       dependencies.

    5. Perform security risk assessment: Once the audit team has an effective plan in place, they
       can begin the core of the audit – the risk assessment. The risk assessment should cover the
       following steps:

              A. Identify and locate the exact assets located within the security perimeter and
                 prioritize those assets according to value to the business. For example, a cluster of
                 web servers supporting the order entry application is more important than a web
                 server supporting the IT department’s internal blog.

              B. Identify potential threats against the assets covered by the audit. The definition of a
                 threat is something that has the potential to exploit a vulnerability in an asset.

              C. Catalog vulnerabilities or deficiencies for each asset class or type. Vulnerabilities
                 exist for specific types of assets and present opportunities for threats to create risk.

              D. Identify the security controls currently in place for each asset class. These controls
                 must exist and be used on a regular basis. Anything short of this should be noted and
                 not counted towards existing controls. Controls include technologies such as
                 firewalls, processes such as data backup procedures, and personnel such as the
                 systems administrator that manages the relevant assets.

              E. Determine probabilities of specific risks. Audit teams must make a qualitative
                 assessment of how likely it is that each threat/vulnerability will occur for a specific
                 asset class. The probability calculation should account for the ability of existing
                 controls to mitigate risk. This probability should be articulated on a numerical scale.

              F. Determine the potential harm or impact of a threat. Auditors must again make a
                 qualitative assessment of the likely extent of the harm for a specific asset class.
                 Again this qualitative assessment should be represented on a numerical scale.

              G. Perform the risk calculation. Auditors should multiply the two values above
                 (probability x harm) to calculate risk (probability x harm = risk). These calculations
                 should be performed on an asset class by asset class basis and will yield a priority
                 list for risk mitigation efforts and specific security controls that need to be
                 implemented.

    6. Document the results of the audit: It should go without saying that the results captured
       above should be documented in detail and proactively presented to decision makers for
       review. The document should include an executive summary, audit determinations, required
       updates/corrections, and supporting data in the form of exhibits. The team should also turn
       the document into a PowerPoint presentation.

    7. Specify and implement new/updated controls: The ultimate benefit of a security audit is that
       it should yield specific recommendations for improving business security. These
       recommendations should take the form of controls that the business can adopt, the deadline
       for adoption, and the party responsible for adoption. Do not forget to specify deadlines and
       specific ownership responsibilities.
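The risk assessment steps A through G above, carried through on a small constructed risk register as an added example (not code from the original paper). Asset classes, threats, controls and the 1-5 scores are sample values; the one assumption beyond the text is that each control that exists and is used regularly lowers the probability score by one point.

```python
"""Worked example of risk-assessment steps A-G: added example, not part of the
original paper. All asset classes, threats, controls and scores are constructed
sample values on a 1 (lowest) to 5 (highest) scale."""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    in_place: bool        # the control exists
    used_regularly: bool  # step D: it must also be used on a regular basis


@dataclass
class Risk:
    asset_class: str       # step A
    threat: str            # step B
    vulnerability: str     # step C
    probability: int       # step E, before accounting for controls
    harm: int              # step F
    controls: list = field(default_factory=list)  # step D


def effective_controls(risk):
    """Step D: a control counts only if it exists AND is used regularly;
    anything short of that is noted but not counted."""
    return [c for c in risk.controls if c.in_place and c.used_regularly]


def adjusted_probability(risk):
    """Step E: the probability must account for existing controls.
    Assumption for this example: each effective control lowers the
    probability score by one point, never below 1."""
    return max(1, risk.probability - len(effective_controls(risk)))


def risk_score(risk):
    """Step G: probability x harm = risk."""
    return adjusted_probability(risk) * risk.harm


def prioritise(risks):
    """Return (score, risk) pairs, highest risk first: the priority list
    for mitigation efforts that step G is meant to yield."""
    scored = [(risk_score(r), r) for r in risks]
    return sorted(scored, key=lambda s: (-s[0], s[1].asset_class))


# Constructed sample register. Following the paper's own example, the
# order-entry web cluster is valued above the IT department's blog server.
SAMPLE_REGISTER = [
    Risk("order-entry web cluster", "remote exploit", "unpatched web server", 4, 5,
         [Control("firewall", True, True),
          Control("patch process", True, False)]),  # exists, not run regularly
    Risk("internal blog server", "remote exploit", "unpatched web server", 4, 2,
         [Control("firewall", True, True)]),
    Risk("backup media", "theft", "unrestricted access to tape store", 3, 4,
         []),
]


def report(risks=SAMPLE_REGISTER):
    """One line per risk, highest first, naming controls that were not counted."""
    lines = []
    for score, r in prioritise(risks):
        not_counted = [c.name for c in r.controls
                       if c not in effective_controls(r)]
        lines.append(f"{score:2d}  {r.asset_class:24s} {r.threat:15s} "
                     f"p={adjusted_probability(r)} h={r.harm} "
                     f"not counted: {not_counted or '-'}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```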

Security Process Scoping
Many businesses have an easy time defining the physical security perimeter that encloses the audit.
It is relatively easy for an audit team to limit an audit to a physical location (like a datacenter) or
logical grouping of assets (all production storage devices).

What is more difficult, and frankly more valuable, is scoping the audit around security processes or
areas. To do this effectively, it is imperative that businesses prioritize security processes by the
amount of risk that they pose to the organization. For example, the process of business continuity
may pose a minimal security risk to the business, whereas the process of identity management
poses a severe risk. Under this sample scenario, the identity management process would be
included in the audit, while business continuity would not.

Many industry consultants and analysts have strong opinions on where the majority of security
threats will come from in the coming years. Gartner Group estimates that businesses will be able to
prevent 80% of all damaging security events by adopting effective policies in four key areas:

- Network access controls: This process checks the security of a user or system that is
  attempting to connect to the network. It is the first security process that any user or system
  encounters when trying to connect to any IT asset within the business’ network. Network
  access controls should also track the security of users and systems that are already
  connected to the network. In some cases, this process will also look to correct or mitigate
  risk based on detected threats and user or system profiles or identities.

- Intrusion prevention: As a process, intrusion prevention covers much more than traditional
  intrusion detection. In fact, it is more closely in line with access control, as it is the first
  security layer that blocks users and systems from attempting to exploit known
  vulnerabilities. This process should also enforce policies and controls to minimize the scope
  of an attack across the network. While intrusion detection systems are an obvious,
  non-negotiable component of this process, so are other technologies such as firewalls.

- Identity and access management: This process controls who can access what, and when.
  Authentication and authorization are the usual pillars of this process, but robust policy
  management and storage are also critical components.

- Vulnerability management: The vulnerability management process manages baseline
  security configurations across the full range of asset classes. It also identifies and mitigates
  risks by performing root cause analysis and taking corrective measures against specific
  risks.

Case Study: Auditing the Network Access Control Process
Network access controls are often the first line of defense against security risks. Businesses should
focus on the following basic steps when conducting an audit of network access controls:

    1. Define and inventory the network, including all devices and protocols used on the network.
       The most useful tool for doing this is usually an existing network diagram that displays all
       routes and nodes on the network. Networks often change daily so a security based auto
       inventory tool can be helpful here. The audit team should also prioritize critical assets or
       segments of the network and draw a line of demarcation between internal and external
       network assets if applicable. This step should form the “record of truth” of any NAC audit
       and should be referred to continuously during the audit process.

    2. Identify which systems and users have access to the network, including internal and external
       parties. Audit teams should also specify where constituent groups access the network from
       (e.g. the office only, home, remote location). This is an extension of defining the network
       from an asset perspective and really represents the objects that interact with and use the
       network.

    3. Identify and catalog specific threats that could pose a risk to the network, as well as
       deficiencies on the network itself. A virus or intrusion is an example of a threat, while a
       configuration error on a router is a deficiency.

    4. Develop specific controls and policies to mitigate the risks identified in step number three.
       There are a range of security controls that are directly applicable to the network access
       control process, including but certainly not limited to: authentication mechanisms for all
       users and systems; access controls that limit access by specific systems or users; and
       enforced network routing that ensures only specified network routes are used.
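The NAC case study steps 1 to 3 as a runnable check, added here as an example (not code from the original paper): a constructed inventory serves as the "record of truth", a constructed group policy records where each constituent group may connect from, and constructed connection log lines are compared against both to produce the deficiency findings an auditor would catalog. The device names, segments, groups and log format are all assumed for the example.

```python
"""Added example for the NAC case study: compare connection log lines against
the audit's record of truth (step 1) and the per-group access policy (step 2)
and list deficiencies for the catalog in step 3. All names, addresses and the
log format are constructed sample values."""
import re

# Step 1: record of truth. device -> (network segment, internal/external side
# of the line of demarcation).
INVENTORY = {
    "srv-order-01": ("dc-lan", "internal"),
    "srv-blog-01": ("dc-lan", "internal"),
    "rtr-edge-01": ("dmz", "external"),
    "ws-fin-12": ("office-lan", "internal"),
}

# Step 2: which constituent groups may connect, and from where.
GROUP_POLICY = {
    "employees": {"office", "home"},
    "contractors": {"office"},
    "partners": {"remote"},
}

# Constructed log line format assumed for this example:
# <timestamp> src=<host> seg=<segment> user=<user> group=<group> loc=<location>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<host>\S+) seg=(?P<seg>\S+) "
    r"user=(?P<user>\S+) group=(?P<group>\S+) loc=(?P<loc>\S+)$")

# Constructed sample log: one clean line, one device on an unexpected segment,
# one device missing from the inventory, one contractor connecting from home.
SAMPLE_LOG = """\
2007-06-01T08:02:11 src=ws-fin-12 seg=office-lan user=alice group=employees loc=office
2007-06-01T08:05:40 src=srv-order-01 seg=dmz user=svc-order group=employees loc=office
2007-06-01T09:17:03 src=ws-unknown-7 seg=office-lan user=bob group=contractors loc=office
2007-06-01T22:41:55 src=ws-fin-12 seg=office-lan user=carol group=contractors loc=home
2007-06-01T23:03:09 src=rtr-edge-01 seg=dmz user=partner1 group=partners loc=remote
"""


def audit_line(line):
    """Return the findings for one log line; an empty list means it is clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return [f"unparseable line: {line.strip()!r}"]
    rec = m.groupdict()
    findings = []
    entry = INVENTORY.get(rec["host"])
    if entry is None:
        # Device absent from the record of truth: inventory is incomplete
        # or an unauthorised device is on the network.
        findings.append(f"{rec['ts']}: device {rec['host']} not in inventory")
    elif entry[0] != rec["seg"]:
        findings.append(f"{rec['ts']}: {rec['host']} seen on {rec['seg']}, "
                        f"inventory says {entry[0]} ({entry[1]})")
    allowed = GROUP_POLICY.get(rec["group"])
    if allowed is None:
        findings.append(f"{rec['ts']}: unknown group {rec['group']} "
                        f"for {rec['user']}")
    elif rec["loc"] not in allowed:
        findings.append(f"{rec['ts']}: {rec['user']} ({rec['group']}) connected "
                        f"from {rec['loc']}, policy allows {sorted(allowed)}")
    return findings


def audit_log(text=SAMPLE_LOG):
    """Step 3 output: every deficiency found across the log, in log order."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(audit_line(line))
    return findings


if __name__ == "__main__":
    for finding in audit_log():
        print(finding)
```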

While most businesses would do well to focus their security audits on these four specific process
areas exclusively, some businesses, particularly large enterprises, may choose to make a more
extensive investment in their security audit. A good framework for a more extensive audit is the
standard encapsulated in ISO 17799. In a nutshell, ISO 17799 focuses on the following security
areas:

- Security Policy: In a relatively thin portion of the standard, ISO 17799 requires businesses
  to maintain a written security policy, as well as a process and forum for ongoing review and
  revision.

- Organizational Security: This section focuses on the infrastructure supporting information
  security; security issues concerning access by third parties; and security issues created by
  outsourcing of certain tasks.

- Asset Classification and Control: Asset classification and control helps businesses classify
  assets into different classes or types that have appropriate security controls associated with
  them.

- Personnel Security: This portion of the standard addresses human security issues such as
  training, how personnel respond to specific security incidents, and treating security
  requirements as a priority in hiring considerations.

- Physical and Environmental Security: This section covers the security of physical locations
  such as datacenters and specifies controls for secure areas, as well as securing equipment.

- Communications and Operations Management: One of the more useful sections of ISO
  17799, this section specifies a range of processes and controls in areas such as system
  planning/acceptance; malware protection; data backups; network management; and media
  management.

- Access Control: The access control portion of the standard includes information on controls
  for user access and responsibilities, network access control, application access control, and
  mobile computing control.

- System Development and Maintenance: This section provides particulars regarding specific
  security controls that can be used in the following areas: systems; applications;
  cryptography; file systems; and development/support processes.

- Business Continuity Management: This portion of the standard specifies measures to
  prevent the disruption of core business processes due to failures or disasters.

- Compliance: The compliance portion of ISO 17799 is somewhat lacking in specificity, but
  does offer guidance on how organizations can adopt security policies that comply with
  legal, regulatory, and business requirements.

Regardless of the approach, a security audit will yield significant benefits to most businesses by
lowering security risks, increasing operational predictability, and reducing classic IT firefighting.




 
Product Backlog Priority Overview
Product Backlog Priority OverviewProduct Backlog Priority Overview
Product Backlog Priority OverviewRam Srivastava
 
Measuring The Reliability Of An Agile Software Development Team
Measuring The Reliability Of An Agile Software Development TeamMeasuring The Reliability Of An Agile Software Development Team
Measuring The Reliability Of An Agile Software Development TeamRam Srivastava
 
Product Sprint Backlog 0 03
Product Sprint Backlog 0 03Product Sprint Backlog 0 03
Product Sprint Backlog 0 03Ram Srivastava
 
Measuring The Quality Of An Agile Software Development Team
Measuring The Quality Of An Agile Software Development TeamMeasuring The Quality Of An Agile Software Development Team
Measuring The Quality Of An Agile Software Development TeamRam Srivastava
 
Measuring Operational Cost Savings Associated With Going Agile
Measuring Operational Cost Savings Associated With Going AgileMeasuring Operational Cost Savings Associated With Going Agile
Measuring Operational Cost Savings Associated With Going AgileRam Srivastava
 
Introducing Agile User Stories
Introducing Agile User StoriesIntroducing Agile User Stories
Introducing Agile User StoriesRam Srivastava
 
Agile Epic Card Template
Agile Epic Card TemplateAgile Epic Card Template
Agile Epic Card TemplateRam Srivastava
 
Cmmi Ior Agile Why Not Embrace Both
Cmmi Ior Agile Why Not Embrace BothCmmi Ior Agile Why Not Embrace Both
Cmmi Ior Agile Why Not Embrace BothRam Srivastava
 

Más de Ram Srivastava (20)

Michigan enterprise architecture framework
Michigan enterprise architecture frameworkMichigan enterprise architecture framework
Michigan enterprise architecture framework
 
Project audit & review checklist
Project audit & review checklistProject audit & review checklist
Project audit & review checklist
 
Research Report Future CRM Technology 2010 to 2013
Research Report Future CRM Technology 2010 to 2013Research Report Future CRM Technology 2010 to 2013
Research Report Future CRM Technology 2010 to 2013
 
Technological Hpothesis Research Plan In The CRM Future1
Technological Hpothesis Research Plan In The CRM Future1Technological Hpothesis Research Plan In The CRM Future1
Technological Hpothesis Research Plan In The CRM Future1
 
Atithi Devo Bhav - Guest is God (Incredible India)
Atithi  Devo  Bhav - Guest is God (Incredible India)Atithi  Devo  Bhav - Guest is God (Incredible India)
Atithi Devo Bhav - Guest is God (Incredible India)
 
Sprint Backlog Quick Start
Sprint Backlog Quick StartSprint Backlog Quick Start
Sprint Backlog Quick Start
 
Template Backlog
Template BacklogTemplate Backlog
Template Backlog
 
Agile User Story
Agile User StoryAgile User Story
Agile User Story
 
Sprint Backlog Template Multiple Burndowns(2)
Sprint Backlog Template Multiple Burndowns(2)Sprint Backlog Template Multiple Burndowns(2)
Sprint Backlog Template Multiple Burndowns(2)
 
Project Initiation Presentation Template
Project Initiation Presentation TemplateProject Initiation Presentation Template
Project Initiation Presentation Template
 
Product Backlog Priority Overview
Product Backlog Priority OverviewProduct Backlog Priority Overview
Product Backlog Priority Overview
 
Measuring The Reliability Of An Agile Software Development Team
Measuring The Reliability Of An Agile Software Development TeamMeasuring The Reliability Of An Agile Software Development Team
Measuring The Reliability Of An Agile Software Development Team
 
Product Sprint Backlog 0 03
Product Sprint Backlog 0 03Product Sprint Backlog 0 03
Product Sprint Backlog 0 03
 
Measuring The Quality Of An Agile Software Development Team
Measuring The Quality Of An Agile Software Development TeamMeasuring The Quality Of An Agile Software Development Team
Measuring The Quality Of An Agile Software Development Team
 
Measuring Operational Cost Savings Associated With Going Agile
Measuring Operational Cost Savings Associated With Going AgileMeasuring Operational Cost Savings Associated With Going Agile
Measuring Operational Cost Savings Associated With Going Agile
 
Introducing Agile User Stories
Introducing Agile User StoriesIntroducing Agile User Stories
Introducing Agile User Stories
 
Lets Talk Agile
Lets Talk AgileLets Talk Agile
Lets Talk Agile
 
Agile Epic Card Template
Agile Epic Card TemplateAgile Epic Card Template
Agile Epic Card Template
 
Forrester Agile
Forrester AgileForrester Agile
Forrester Agile
 
Cmmi Ior Agile Why Not Embrace Both
Cmmi Ior Agile Why Not Embrace BothCmmi Ior Agile Why Not Embrace Both
Cmmi Ior Agile Why Not Embrace Both
 

IT Security Audit Process

What is a Security Audit?

A security audit is a specified process designed to assess the security risks facing a business and the controls or countermeasures adopted by the business to mitigate those risks. It is typically a human process, managed by a team of “auditors” with technical and business knowledge of the company’s information technology assets and business processes. As part of any audit, these teams will interview key personnel, conduct vulnerability assessments, catalog existing security policies and controls, and examine IT assets covered by the scope of the audit. In most cases, they rely heavily on technology tools to perform the audit.

Often, security audits are best understood by focusing on the specific questions they are designed to answer. For example:

- How difficult are passwords to crack?
- Do network assets have access control lists?
- Do access logs exist that record who accesses what data?
- Are personal computers regularly scanned for adware or malware?
- Who has access to backed-up media in the organization?

These are just a small sample of the questions that any security audit should attempt to answer.

It is important to understand that a security audit is a continuous process that should deliver continuous improvement to any business. Some commentators have argued that audits should only focus on assessing compliance with existing security policies. Instead, an audit should not only assess compliance, but also assess the very nature and quality of the policies and controls themselves. In many cases, security policies become rapidly obsolete with the release of new technologies or process overhauls. Security audits are the most effective tool for determining the validity of those policies.
The Security Audit Process

While there are certainly planning and consensus-building steps that any team would be wise to take before beginning an audit (for example, making sure that senior management supports the project), the following steps are essential to the audit itself:

1. Define the physical scope of the audit: The audit team should define the security perimeter within which the audit will take place. The perimeter may be physically organized around logical asset groups such as a datacenter-specific LAN or around business processes such as financial reporting. Either way, the physical scope of the audit allows the auditors to focus on assets, processes, and policies in a manageable fashion.
2. Define the process scope of the audit: This is often where the rubber hits the road on security audits, as overly broad process scoping can stall audits. At the same time, overly narrow scoping can result in an inconclusive assessment of security risks and controls. This document describes how to effectively scope the security processes or areas that should be included in an audit. It is critical that any business, regardless of size, put limits on the security processes or areas that will be the focus of the audit.

3. Conduct historical due diligence: An oft-forgotten step in security audits is pre-audit due diligence. This due diligence should focus on historical events such as known vulnerabilities and damage-causing security incidents, as well as recent changes to IT infrastructure and business processes. It should include an assessment of past audits. Furthermore, auditors should compile a complete inventory of the assets located within the physical scope of the audit and a complete list of specified security controls relevant to those assets.

4. Develop the audit plan: An effective audit is almost always guided by a detailed audit plan that provides a specific project plan for conducting the audit. This should include a specific description of the scope of the audit, critical dates/milestones, participants, and dependencies.

5. Perform security risk assessment: Once the audit team has an effective plan in place, they can begin the core of the audit – the risk assessment. The risk assessment should cover the following steps:

   A. Identify and locate the exact assets located within the security perimeter and prioritize those assets according to value to the business. For example, a cluster of web servers supporting the order entry application is more important than a web server supporting the IT department’s internal blog.

   B. Identify potential threats against the assets covered by the audit.
   The definition of a threat is something that has the potential to exploit a vulnerability in an asset.

   C. Catalog vulnerabilities or deficiencies for each asset class or type. Vulnerabilities exist for specific types of assets and present opportunities for threats to create risk.

   D. Identify the security controls currently in place for each asset class. These controls must exist and be used on a regular basis. Anything short of this should be noted and not counted towards existing controls. Controls include technologies such as firewalls, processes such as data backup procedures, and personnel such as the systems administrator that manages the relevant assets.

   E. Determine probabilities of specific risks. Audit teams must make a qualitative assessment of how likely it is that each threat/vulnerability will occur for a specific asset class. The probability calculation should account for the ability of existing controls to mitigate risk. This probability should be articulated on a numerical scale.

   F. Determine the potential harm or impact of a threat. Auditors must again make a qualitative assessment of the likely extent of the harm for a specific asset class. Again this qualitative assessment should be represented on a numerical scale.
   G. Perform the risk calculation. Auditors should multiply the two values above (probability x harm) to calculate risk (probability x harm = risk). These calculations should be performed on an asset-class-by-asset-class basis and will yield a priority list for risk mitigation efforts and specific security controls that need to be implemented.

6. Document the results of the audit: It should go without saying that the results captured above should be documented in detail and proactively presented to decision-makers for review. The document should include an executive summary, audit determinations, required updates/corrections, and supporting data in the form of exhibits. The team should also turn the document into a PowerPoint presentation.

7. Specify and implement new/updated controls: The ultimate benefit of a security audit is that it should yield specific recommendations for improving business security. These recommendations should take the form of controls that the business can adopt, the deadline for adoption, and the party responsible for adoption. Do not forget to specify deadlines and specific ownership responsibilities.

Security Process Scoping

Many businesses have an easy time defining the physical security perimeter that encloses the audit. It is relatively easy for an audit team to limit an audit to a physical location (like a datacenter) or logical grouping of assets (all production storage devices). What is more difficult, and frankly more valuable, is scoping the audit around security processes or areas. To do this effectively, it is imperative that businesses prioritize security processes by the amount of risk that they pose to the organization. For example, the process of business continuity may pose a minimal security risk to the business, whereas the process of identity management poses a severe risk. Under this sample scenario, the identity management process would be included in the audit, while business continuity would not.
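The risk assessment of step 5 above (asset priority, threat/vulnerability pairs, controls that only count when actually in use, probability x harm per asset class) carried through to the priority list of step 5G, as an added example that is not part of the Tippit document. It assumes a 1-5 scale for probability and harm and a one-point probability credit per control that is really in use; the asset classes, threats and controls are constructed sample data built from the document's own examples.

```python
# Added example, not from the original document: a worksheet for steps 5A-5G.
# Assumptions: probability and harm are scored 1-5; each control that is
# actually in use lowers a threat's probability by one point (never below 1);
# risk per asset class is the sum of probability x harm over its exposures.
from dataclasses import dataclass, field
from typing import List, Tuple

SCALE = range(1, 6)  # assumed numerical scale for probability and harm

@dataclass
class Control:           # a technology, process or person (step 5D)
    name: str
    in_use: bool         # step 5D: a control not used regularly is noted, not counted

@dataclass
class Exposure:
    """One threat/vulnerability pair for an asset class (steps 5B and 5C)."""
    threat: str
    vulnerability: str
    raw_probability: int   # step 5E likelihood before controls are applied
    harm: int              # step 5F impact, on the same scale
    mitigated_by: List[str] = field(default_factory=list)  # control names

@dataclass
class AssetClass:
    name: str
    business_value: int    # step 5A priority, 1 (low) to 5 (critical)
    exposures: List[Exposure]
    controls: List[Control]

def effective_probability(exp: Exposure, controls: List[Control]) -> int:
    """Step 5E: credit only controls that exist and are used regularly."""
    active = {c.name for c in controls if c.in_use}
    credited = sum(1 for name in exp.mitigated_by if name in active)
    return max(1, exp.raw_probability - credited)

def score_exposure(exp: Exposure, controls: List[Control]) -> int:
    """Step 5G: probability x harm = risk."""
    if exp.raw_probability not in SCALE or exp.harm not in SCALE:
        raise ValueError(f"{exp.threat!r}: scores must be on the 1-5 scale")
    return effective_probability(exp, controls) * exp.harm

def unused_controls(asset: AssetClass) -> List[str]:
    """Controls that exist on paper but are not used (findings for step 6)."""
    return [c.name for c in asset.controls if not c.in_use]

def priority_list(assets: List[AssetClass]) -> List[Tuple[str, int]]:
    """Total risk per asset class, highest first; ties go to higher business value."""
    rows = [(a.name, sum(score_exposure(e, a.controls) for e in a.exposures),
             a.business_value) for a in assets]
    rows.sort(key=lambda r: (r[1], r[2]), reverse=True)
    return [(name, risk) for name, risk, _ in rows]

# Constructed sample inventory built from the document's own examples.
SAMPLE_ASSETS = [
    AssetClass("order-entry web cluster", 5,
               exposures=[Exposure("intrusion", "unpatched web service", 4, 5, ["firewall", "IDS"]),
                          Exposure("virus", "hosts not scanned for malware", 3, 3, ["antivirus"])],
               controls=[Control("firewall", True), Control("IDS", True),
                         Control("antivirus", False)]),  # installed but never run: not counted
    AssetClass("IT department blog server", 1,
               exposures=[Exposure("intrusion", "router configuration error", 3, 2, ["firewall"])],
               controls=[Control("firewall", True)]),
]

if __name__ == "__main__":
    for name, risk in priority_list(SAMPLE_ASSETS):
        print(f"{risk:3d}  {name}")
```

Running it lists the order-entry cluster first; the unused antivirus control on that cluster is the kind of finding step 5D says to note rather than credit.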
Many industry consultants and analysts have strong opinions on where the majority of security threats will come from in the coming years. Gartner Group estimates that businesses will be able to prevent 80% of all damaging security events by adopting effective policies in four key areas:

- Network access controls: This process checks the security of a user or system that is attempting to connect to the network. It is the first security process that any user or system encounters when trying to connect to any IT asset within the business’ network. Network access controls should also track the security of users and systems that are already connected to the network. In some cases, this process will also look to correct or mitigate risk based on detected threats and user or system profiles or identities.

- Intrusion prevention: As a process, intrusion prevention covers much more than traditional intrusion detection. In fact, it is more closely in line with access control, as it is the first security layer that blocks users and systems from attempting to exploit known vulnerabilities. This process should also enforce policies and controls to minimize the scope of an attack across the network. While intrusion detection systems are an obvious, non-negotiable component of this process, so are other technologies such as firewalls.
- Identity and access management: This process controls who can access what, and when. Authentication and authorization are the usual pillars of this process, but robust policy management and storage are also critical components.

- Vulnerability management: The vulnerability management process manages baseline security configurations across the full range of asset classes. It also identifies and mitigates risks by performing root cause analysis and taking corrective measures against specific risks.

Case Study: Auditing the Network Access Control Process

Network access controls are often the first line of defense against security risks. Businesses should focus on the following basic steps when conducting an audit of network access controls:

1. Define and inventory the network, including all devices and protocols used on the network. The most useful tool for doing this is usually an existing network diagram that displays all routes and nodes on the network. Networks often change daily, so a security-based automated inventory tool can be helpful here. The audit team should also prioritize critical assets or segments of the network and draw a line of demarcation between internal and external network assets if applicable. This step should form the “record of truth” of any NAC audit and should be referred to continuously during the audit process.

2. Identify which systems and users have access to the network, including internal and external parties. Audit teams should also specify where constituent groups access the network from (e.g. the office only, home, remote location). This is an extension of defining the network from an asset perspective and really represents the objects that interact with and use the network.

3. Identify and catalog specific threats that could pose a risk to the network, as well as deficiencies on the network itself. A virus or intrusion is an example of a threat, while a configuration error on a router is a deficiency.

4. Develop specific controls and policies to mitigate the risks identified in step number three. There are a range of security controls that are directly applicable to the network access control process, including but certainly not limited to: authentication mechanisms for all users and systems; access controls that limit access by specific systems or users; and enforced network routing that ensures only specified network routes are used.

While most businesses would do well to focus their security audits on these four specific process areas exclusively, some businesses, particularly large enterprises, may choose to make a more extensive investment in their security audit. A good framework for a more extensive audit is the standard encapsulated in ISO 17799. In a nutshell, ISO 17799 focuses on the following security areas:

- Security Policy: In a relatively thin portion of the standard, ISO 17799 requires businesses to maintain a written security policy, as well as a process and forum for ongoing review and revision.

- Organizational Security: This section focuses on the infrastructure supporting information security; security issues concerning access by third parties; and security issues created by outsourcing of certain tasks.

- Asset Classification and Control: Asset classification and control helps businesses classify assets into different classes or types that have appropriate security controls associated with them.

- Personnel Security: This portion of the standard addresses human security issues such as training, how personnel respond to specific security incidents, and treating security requirements as a priority in hiring considerations.

- Physical and Environmental Security: This section covers the security of physical locations such as datacenters and specifies controls for secure areas, as well as securing equipment.

- Communications and Operations Management: One of the more useful sections of ISO 17799, this section specifies a range of processes and controls in areas such as system planning/acceptance; malware protection; data backups; network management; and media management.

- Access Control: The access control portion of the standard includes information on controls for user access and responsibilities, network access control, application access control, and mobile computing control.

- System Development and Maintenance: This section provides particulars regarding specific security controls that can be used in the following areas: systems; applications; cryptography; file systems; and development/support processes.

- Business Continuity Management: This portion of the standard specifies measures to prevent the disruption of core business processes due to failures or disasters.

- Compliance: The compliance portion of ISO 17799 is somewhat lacking in specificity, but does offer guidance on how organizations can adopt security policies that comply with legal, regulatory, and business requirements.
Regardless of the approach, a security audit will yield significant benefits to most businesses by lowering security risks, increasing operational predictability, and reducing classic IT firefighting.

Copyright © 2007, Tippit, Inc., All Rights Reserved