Wireless Security Practices PDF Document

Security Disciplines for Objective 3: Detection and Recovery

3-3. Security Auditing

Description

A security audit consists of examining and verifying that the security of the information technology system(s) has been properly implemented according to the organization’s security policies, government regulations, and perceived security risks.

Purpose

The audit discipline defines the standards and procedures that need to be implemented to confirm that a security policy has been properly implemented and maintained. The ever-increasing complexity of security policies will require equally complex audit procedures to guarantee that all aspects of the security policies are respected.

Principles

  • Objectivity of auditors must be guaranteed by selecting a team independent from the team who implemented and/or maintains the security infrastructure. When possible, an independent organization from the IT department should be considered.
  • Qualification of auditors must match the level and complexity of the security policy put in place.
  • Audits must be performed on a regular basis to ensure proper maintenance and application of security policies over time. At a minimum, organizations should alternate between internal and external audits every other year.
  • Auditors must look beyond the IT systems and also consider the human interface to the IT system.
  • The security audit must begin with the security policy to assess its relevance and completeness.
  • Previous audits’ findings must be reviewed to ensure that appropriate corrective measures have been applied.
  • Audit trails must be maintained to provide accountability for all security administration activity.
  • The audit organization must provide assurance that it is following applicable auditing standards.
  • Audit reports must contain sufficient information to enable outside parties to ascertain the evidence that supports the auditor’s conclusions.
  • Details of noncompliance should be communicated to the appropriate level of management to allow for the development of a corrective plan of action.

Best Practices

Project Preparation—It is important that auditors have an understanding of the organization under review. They must have the proper security clearance to access the systems holding the data. Auditors must decide how selective the audit must be and how deep it needs to go with each of the system’s components. All security auditing tools must be verified for accuracy and reliability, and the scope of the audit should be clearly defined at the beginning of the project.

It is recommended that auditors have experience with risk analysis and management in order to properly assess the level of exposure created by each noncompliance finding.

Information Gathering—The process for gathering information should include formal and informal interviews with technical staff, end users, and other relevant personnel.

The auditor must check all documentation related to the system in place, focusing on details with security implications, and determine whether users have seen and read the security policy.

Reporting—The audit report should have a logical structure: an executive summary, prioritized recommendations, the scope of the audit, detailed findings, final conclusions, and detailed recommendations.

All findings must be clearly explained with the facts and information that were gathered during the information-gathering phase.

If previous audits have been done, the new audit should document whether or not the previous findings have been addressed.

Remediation—Once the written report has been presented, all responsible personnel should meet to discuss which action items should arise from the audit. A due date must be attached to each action item to ensure that the necessary changes are implemented before a security breach occurs.
