A security analysis and audit is a systematic, measurable technical assessment of how an organization's security policy is actually implemented at a specific site. It should be performed yearly and after any major infrastructure change, whether at the network or the system level.
Unlike a black-box penetration test, security auditors work with full knowledge of the organization (crystal box, also called white box), at times with considerable inside information, in order to understand the resources being audited. An analysis or audit is a more comprehensive assessment of an information system: it covers not just vulnerability testing but other aspects as well, including the overall design of the information system and perhaps its resistance to social engineering tactics. The audit comprises security checklists and questionnaires covering networks/LANs, firewalls, Internet access, data access, virus management, etc. It should also review existing security programs and identify gaps relative to the standards and guidelines of the International Organization for Standardization, specifically the ISO/IEC 17799 code of practice for information security management (renumbered ISO/IEC 27002 in 2007).
Phase I - Audit Preparation
In this phase, the auditor reviews the existing network documentation, office policies and procedures, and previous security audit reports, and interviews technology staff. This provides an initial picture of how your systems are set up and secured, and it produces a specific audit plan: what is in scope, which systems will be examined, and what access the auditor will need.
Phase II - Assessment and Review
The audit will assess and review your systems, policies and procedures. The auditor expects to begin this phase with a security briefing for management, to review with them the various aspects of technology security, establish a shared framework for the issues and trade-offs involved, and learn management's overall stance on technology security within the company. This briefing sets the foundation for the type and level of recommendations that will appear in the final report.
This portion of the audit is a very "hands-on", detailed information-gathering exercise. Consequently, the auditor will need access to your servers, workstations, network and staff.
This includes the following:
Administrative Policies and Practices: The auditor meets with various members of management to discuss the policies and procedures already in place and to refine them where appropriate.
Physical Security: An assessment of the physical security of the network, including a review of the server room, wiring closets, network access points and workstation areas.
Network Security: A review of the topology, both physical and logical, together with an assessment of your firewall rules and policies.
Vulnerability Scanning: An active scan of your systems. Using industry standard scanners and tool suites, the auditor scans the network for known vulnerabilities, both from outside (via the Internet, as an attacker would see it) and from inside the network, so both kinds of access are required for this phase. Active scanning can disturb fragile services, so scan windows should be agreed with operations staff in advance.
Intrusion Detection Snapshot: Passive monitoring of the network for active intrusions over a limited period (typically one or two days). The resulting report gives a reasonable picture of how effective your current network security measures are. Because this monitoring is passive and looks only for known and suspicious network activity, what it can see depends on your network environment and on where the sensor is placed.
Servers: The auditor reviews the setup and configuration of each of your main servers, including network cards, protocols, physical location, active services, file shares, server applications and more.
Workstations: The auditor assesses a small sample of your typical workstation configurations, including network cards, protocols, active services, file shares, main applications and more.
Remote Communications: A review of your current remote communication devices and services, including RAS, modem lines, VPN and PDA access, as well as other remote communication applications.
User/Group/Password Security: The auditor reviews your current users and groups and assesses your password policies. With your written permission, the auditor will also attempt to crack your users' passwords, assess the results and include them in the report.
Data Security: An assessment of your electronic file-sharing security and of your tape backup practices and procedures.
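As an added example (it is not from the original newsletter), the following Python shows the password-cracking step of the User/Group/Password review done offline: a dictionary attack with simple mangling rules against an exported hash list, followed by a policy check on what was recovered. The hash scheme (salted SHA-256), the accounts, salts, ages and the wordlist are all constructed for the example; a real audit would export the site's own hashes (shadow files, NTDS.dit) and run John the Ripper or hashcat with the same rule-based approach, under the written permission mentioned above.

```python
import hashlib
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed hash scheme for the example: SHA-256 over salt||password, hex encoded.
# (Real exports use crypt(3) variants, NTLM, etc.; only the candidate generation
# and the policy checks carry over unchanged.)
def hash_password(password: str, salt: str) -> str:
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Yield candidate passwords derived from one wordlist entry using the
    substitutions users actually make: case changes, leet-speak vowels,
    and common suffixes (digits, a year, punctuation)."""
    leet = str.maketrans("aeio", "4310")
    bases = {word, word.lower(), word.capitalize(), word.upper()}
    bases |= {b.translate(leet) for b in list(bases)}
    for base in sorted(bases):
        yield base
        for suffix in ("1", "123", "!", "2010", "1!"):
            yield base + suffix


def crack(accounts: List[dict], wordlist: List[str]) -> Dict[str, Optional[str]]:
    """Dictionary attack: every mangled candidate is hashed under each account's
    salt and compared with the stored hash. Returns user -> recovered password
    (None if nothing derived from the wordlist matched)."""
    candidates = list(dict.fromkeys(c for w in wordlist for c in mangle(w)))
    recovered: Dict[str, Optional[str]] = {}
    for acct in accounts:
        recovered[acct["user"]] = None
        for cand in candidates:
            if hash_password(cand, acct["salt"]) == acct["hash"]:
                recovered[acct["user"]] = cand
                break
    return recovered


def policy_findings(accounts: List[dict], recovered: Dict[str, Optional[str]],
                    min_length: int = 12, max_age_days: int = 90) -> List[Tuple[str, str]]:
    """Turn cracking results and account metadata into audit findings against
    the written password policy (the thresholds are example values)."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        user, pw = acct["user"], recovered.get(acct["user"])
        if pw is not None:
            findings.append((user, "password recovered by dictionary attack"))
            if len(pw) < min_length:
                findings.append((user, f"length {len(pw)} below policy minimum {min_length}"))
        if acct["age_days"] > max_age_days:
            findings.append((user, f"password age {acct['age_days']} days exceeds {max_age_days}"))
        if acct["never_expires"]:
            findings.append((user, "password set to never expire"))
    return findings


# Constructed sample export. Plaintexts appear here only to build the hashes;
# in a real audit the auditor sees hashes alone.
def _account(user: str, salt: str, plaintext: str, age_days: int,
             never_expires: bool = False) -> dict:
    return {"user": user, "salt": salt, "hash": hash_password(plaintext, salt),
            "age_days": age_days, "never_expires": never_expires}


ACCOUNTS = [
    _account("jsmith", "x9Qa", "Summer2010", 140),
    _account("admin", "Lp02", "P4ssw0rd!", 45),
    _account("svc_backup", "Zz7q", "welcome1", 400, never_expires=True),
    _account("kchen", "Mn3e", "c7Rq-vZ2p!Lm9wKt", 30),
]
WORDLIST = ["password", "summer", "welcome", "letmein", "company"]

if __name__ == "__main__":
    results = crack(ACCOUNTS, WORDLIST)
    for user, pw in results.items():
        print(f"{user:12s} {'CRACKED: ' + pw if pw else 'not recovered'}")
    for user, issue in policy_findings(ACCOUNTS, results):
        print(f"FINDING {user}: {issue}")
```

Three of the four constructed accounts fall to the wordlist plus rules; the fourth, with a long random password, does not, which is the distinction the report should draw: a recovered password is evidence of a weak password and therefore of a policy that is too permissive or not enforced, not merely of a bad choice by one user.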
Phase III - Analysis
Review and analyze all the collected data and reports, including the audit checklists, vulnerability scan reports, interview notes, etc. The results are then compared against your existing policies to identify where current practice falls short of the desired level of security.
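The comparison in this phase can be mechanised for the technical data. The following Python is an added example, not part of the original article: it takes constructed Phase II snapshots (listening ports, shares and password settings per host) and a constructed policy baseline, and emits the gaps between them as findings with a severity. The role names, port lists, thresholds and host names are all assumptions made for the illustration.

```python
from typing import Dict, List, NamedTuple, Set


class Finding(NamedTuple):
    host: str
    severity: str  # "high" | "medium" | "low"
    detail: str


# Constructed policy baseline: what the written policy allows per server role.
BASELINE = {
    "roles": {
        "file_server": {"allowed_ports": {22, 445}},
        "web_server": {"allowed_ports": {22, 80, 443}},
        "workstation": {"allowed_ports": set()},
    },
    "cleartext_admin_ports": {21, 23},  # FTP/telnet: forbidden for administration
    "guest_shares_allowed": False,
    "min_password_length": 12,
    "max_password_age_days": 90,
}

# Constructed Phase II collection results, one record per host.
SNAPSHOTS = [
    {"host": "fs01", "role": "file_server", "listening": {22, 445, 23},
     "shares": [{"name": "public", "guest": True}, {"name": "finance", "guest": False}],
     "password_policy": {"min_length": 8, "max_age_days": 0}},
    {"host": "web01", "role": "web_server", "listening": {22, 80, 443},
     "shares": [], "password_policy": {"min_length": 14, "max_age_days": 60}},
    {"host": "ws-acct-07", "role": "workstation", "listening": {445},
     "shares": [], "password_policy": {"min_length": 12, "max_age_days": 90}},
    {"host": "legacy01", "role": "print_server", "listening": {515},
     "shares": [], "password_policy": {"min_length": 12, "max_age_days": 90}},
]


def analyze(snapshot: dict, baseline: dict) -> List[Finding]:
    """Compare one host snapshot with the baseline and return the gaps."""
    host, role = snapshot["host"], snapshot["role"]
    findings: List[Finding] = []

    role_policy = baseline["roles"].get(role)
    allowed: Set[int] = set()
    if role_policy is None:
        # A host whose role the policy never describes is itself a gap.
        findings.append(Finding(host, "medium",
                                f"role '{role}' has no baseline; all listeners reported"))
    else:
        allowed = role_policy["allowed_ports"]

    for port in sorted(snapshot["listening"] - allowed):
        sev = "high" if port in baseline["cleartext_admin_ports"] else "medium"
        findings.append(Finding(host, sev, f"unexpected listener on tcp/{port}"))

    for share in snapshot.get("shares", []):
        if share["guest"] and not baseline["guest_shares_allowed"]:
            findings.append(Finding(host, "high", f"share '{share['name']}' permits guest access"))

    pp = snapshot["password_policy"]
    if pp["min_length"] < baseline["min_password_length"]:
        findings.append(Finding(host, "medium",
                                f"minimum password length {pp['min_length']} below "
                                f"policy {baseline['min_password_length']}"))
    # A max age of 0 is taken to mean expiry is disabled.
    if pp["max_age_days"] == 0 or pp["max_age_days"] > baseline["max_password_age_days"]:
        findings.append(Finding(host, "low", "password expiry disabled or longer than policy"))
    return findings


def summarize(snapshots: List[dict], baseline: dict) -> Dict[str, int]:
    """Severity counts across all hosts, for the report's executive summary."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for snap in snapshots:
        for f in analyze(snap, baseline):
            counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for snap in SNAPSHOTS:
        for f in analyze(snap, BASELINE):
            print(f"{f.severity:6s} {f.host:12s} {f.detail}")
    print(summarize(SNAPSHOTS, BASELINE))
```

Every finding names the policy clause it violates, which is what makes the Phase IV recommendations defensible: the auditor is reporting a measured deviation from the organization's own standard, not a personal preference.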
Phase IV - Reporting
The final phase produces written analysis and recommendations based on the auditor's assessment. The report should include:
The company's current state of information technology security.
Existing vulnerabilities in your network and recommendations for their remediation.
Policy Analysis and Recommendations
Network and System Recommendations
Logs/Reports/Paperwork generated by the audit.
There you have it. IT security auditing is an important part of any organization's security policy. What you must keep in mind once an audit is completed is that your policies and procedures provide the focus for risk assessment and risk management within your corporation. They in turn drive which controls are required to manage those risks, at the level of diligence your company requires.
To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at email@example.com.
© 2010-09-01 Michael Desrosiers