Security Audit - An Introduction
Author : Thomas Kurian Ambattu 
 
A Security Audit can be described as an assessment of an organization's security policy. The audit assesses how effective the security policy is and how far it has actually been implemented.
Computer security auditors use various techniques to perform the audit, among them personal interviews, vulnerability scans, network share analysis and data analysis. The auditors check how effectively the company's security policy has been implemented. Some of the key questions that arise in a security audit are:

    · Are passwords difficult to crack?
    · Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
    · Are there audit logs to record who accesses data?
    · Are the audit logs reviewed?
    · Are the security settings for operating systems in accordance with accepted industry security practices?
    · Have all unnecessary applications and computer services been eliminated for each system?
    · Are these operating systems and commercial applications patched to current levels?
    · How is backup media stored? Who has access to it? Is it up-to-date?
    · Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
    · Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
    · Have custom-built applications been written with security in mind?
    · How have these custom applications been tested for security flaws?
    · How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?
The answers to these questions show how secure the organization's data really is.

The Security Audit assumes that the organization has a Security Policy. A written Security Policy ensures that employees at all levels understand the security practices and have an idea of how to protect the data. Before conducting an audit, the auditors should do certain preparatory work. The first item is a security questionnaire. The questionnaire must be clear (easy to understand and not confusing) and its answers should be measurable. Internal auditors should make a checklist of the tasks to be performed so that they can work through it systematically. Internal auditors should also read previous audit documents and verify that earlier weak points have been rectified and that past incidents do not repeat.

At the audit site the auditor performs the audit according to the Audit Plan prepared earlier. During the audit they collect data and interview staff. They may perform a vulnerability assessment, an operating system security assessment, an application security assessment and other relevant evaluations. The auditors should also follow a checklist so that they can carry out the process more effectively.

Finally, the auditors give a briefing on the basis of what they have seen and direct management to correct any problems found.
After that the auditors put the collected data together to build a report. The auditor can use the checklist to generate the audit report. It is helpful if the report is arranged in the following way.

The audit findings: The audit findings should be arranged in a simple way so that all the data is clear and not confusing.
Summary: In the summary, describe the strengths and deficiencies of the security strategy followed in the organization. This gives management a clear picture of their current position and of the measures they have to take going forward.
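The checklist and report structure described above can be made measurable in code. The following is an added example (not part of the original article and not any audit tool's code): a small Python evaluator that pairs each questionnaire item with a pass/fail criterion, runs it over constructed sample evidence, and renders a report with the findings first and a summary of strengths and deficiencies after. All thresholds (12-character passwords, monthly log review, TLS 1.2, six-monthly restore tests, annual DR rehearsal), evidence field names and sample values are assumptions chosen for the example. Where no evidence was collected for an item, it is reported as NOT ASSESSED rather than silently passing.

```python
"""Checklist-driven security audit evaluator (added example, not from the article).

Evidence keys, thresholds and sample values are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample evidence, shaped like what an auditor might collect on site.
# Deliberately no "custom_apps" entry: that item will show up as NOT ASSESSED.
SAMPLE_EVIDENCE: Dict[str, object] = {
    "password_policy": {"min_length": 8, "complexity_required": False},
    "acls_on_shares": True,
    "audit_logs": {"enabled": True, "last_review_days_ago": 20},
    "unpatched_hosts": ["host-a", "host-b"],
    "unnecessary_services": {"web01": ["telnet"], "db01": []},
    "backup": {"stored_offsite": True, "last_restore_test_days_ago": 400},
    "dr_plan": {"exists": True, "last_rehearsal_days_ago": None},
    "encryption": {"tls_min_version": "1.0"},
}


@dataclass(frozen=True)
class Check:
    control: str                    # short control name
    question: str                   # the questionnaire item as on the checklist
    passed: Callable[[dict], bool]  # measurable criterion over the evidence
    remediation: str                # what management is directed to correct


@dataclass(frozen=True)
class Finding:
    control: str
    question: str
    status: str                     # "PASS", "FAIL" or "NOT ASSESSED"
    remediation: str = ""


def _version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


# Each questionnaire item paired with an assumed measurable criterion.
CHECKLIST: List[Check] = [
    Check("Passwords", "Are passwords difficult to crack?",
          lambda e: e["password_policy"]["min_length"] >= 12
          and e["password_policy"]["complexity_required"],
          "Raise minimum length to 12 and require complexity."),
    Check("Share ACLs", "Are there ACLs controlling access to shared data?",
          lambda e: e["acls_on_shares"] is True, "Apply ACLs to all shares."),
    Check("Audit logging", "Are there audit logs to record who accesses data?",
          lambda e: e["audit_logs"]["enabled"], "Enable access logging."),
    Check("Log review", "Are the audit logs reviewed?",
          lambda e: e["audit_logs"]["last_review_days_ago"] <= 30,
          "Review audit logs at least monthly."),
    Check("Patching", "Are systems patched to current levels?",
          lambda e: len(e["unpatched_hosts"]) == 0, "Patch the out-of-date hosts."),
    Check("Hardening", "Have all unnecessary services been eliminated?",
          lambda e: all(not s for s in e["unnecessary_services"].values()),
          "Disable the unnecessary services found."),
    Check("Backups", "How is backup media stored? Is it up-to-date?",
          lambda e: e["backup"]["stored_offsite"]
          and e["backup"]["last_restore_test_days_ago"] <= 180,
          "Store backups offsite and test restores every six months."),
    Check("Disaster recovery", "Is there a DR plan and has it been rehearsed?",
          lambda e: e["dr_plan"]["exists"]
          and e["dr_plan"]["last_rehearsal_days_ago"] is not None
          and e["dr_plan"]["last_rehearsal_days_ago"] <= 365,
          "Rehearse the DR plan at least annually."),
    Check("Encryption", "Are cryptographic tools properly configured?",
          lambda e: _version(e["encryption"]["tls_min_version"]) >= (1, 2),
          "Raise the minimum TLS version to 1.2."),
    Check("Custom applications", "How have custom apps been tested for flaws?",
          lambda e: e["custom_apps"]["security_tested"],
          "Perform security testing of custom applications."),
]


def run_audit(evidence: dict, checklist: List[Check] = CHECKLIST) -> List[Finding]:
    """Evaluate every checklist item; missing evidence becomes NOT ASSESSED."""
    findings: List[Finding] = []
    for c in checklist:
        try:
            ok = bool(c.passed(evidence))
        except (KeyError, TypeError):
            findings.append(Finding(c.control, c.question, "NOT ASSESSED",
                                    "Collect evidence for this item."))
            continue
        findings.append(Finding(c.control, c.question, "PASS" if ok else "FAIL",
                                "" if ok else c.remediation))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group controls into strengths, deficiencies and gaps for the summary."""
    return {"strengths": [f.control for f in findings if f.status == "PASS"],
            "deficiencies": [f.control for f in findings if f.status == "FAIL"],
            "not_assessed": [f.control for f in findings if f.status == "NOT ASSESSED"]}


def render_report(findings: List[Finding]) -> str:
    """Plain-text report: findings first, then the summary, as the article suggests."""
    lines = ["AUDIT FINDINGS"]
    for f in findings:
        lines.append(f"[{f.status:>12}] {f.control}: {f.question}")
        if f.remediation:
            lines.append(f"               -> {f.remediation}")
    s = summarize(findings)
    lines += ["", "SUMMARY",
              f"Strengths:    {', '.join(s['strengths']) or 'none'}",
              f"Deficiencies: {', '.join(s['deficiencies']) or 'none'}",
              f"Not assessed: {', '.join(s['not_assessed']) or 'none'}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(run_audit(SAMPLE_EVIDENCE)))
```

Keeping the criterion beside the question is what makes the questionnaire "measurable": two auditors running the same checklist over the same evidence reach the same finding, and the remediation text feeds directly into the direction given to management.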

Now management should go through the report, discuss it and follow up on each and every deficiency until it is completely rectified.

As the organization evolves, its security structure will change. A Security Audit is not something carried out only once; it is a continuous process for improving data security.

All that I have said so far is a general way of conducting a Security Audit. It varies from person to person. But I'm sure that an organization can really benefit if it follows the above way of auditing.

 
 
 
   
Copyright © 2003 NETKidoos.com All rights reserved