It's basically an audit of a system carried out against a known criterion. A compliance test may come in many different forms depending on the request received, but can basically be broken down into several different types:
- Operating Systems and Applications: A verification that an operating system and/or applications are configured appropriately to the company's needs and lockdown requirements, thus providing adequate and robust controls to ensure that the Confidentiality, Integrity and Availability of the system will not be affected in its normal day-to-day operation.
- Systems in development: A verification that the intended system under development meets the configuration and lockdown standards requested by the customer.
- Management of IT and Enterprise Architecture: A verification that an IT management infrastructure encompassing all aspects of system support is in place, i.e. that effective change control, audit, business continuity and security procedures have been formulated, documented and implemented.
- Interconnection Policy: A verification that adequate security and business continuity controls governing connections to other systems (telecommunications, intranets, extranets, the Internet, etc.) have been put in place, have been fully documented and correspond to the stated customer requirements.
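The Operating Systems and Applications type above is, in practice, a comparison of a system's actual settings against a written lockdown criterion. The following is an added example (not code from the original article or from any published checklist) of such a check: it parses a constructed sshd_config excerpt and reports every directive that departs from an assumed baseline, treating a commented-out directive as a finding because the daemon default then applies.

```python
"""Minimal compliance check: verify *nix lockdown settings against a
known criterion. Added example; the baseline values and the sample
config are constructed assumptions, not taken from a real guide."""
import re

# Constructed baseline (the "known criterion"): directive -> expected value.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
}

# Constructed sshd_config excerpt standing in for the system under audit.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
"""

def parse_sshd_config(text):
    """Return {directive: value} for active (uncommented) lines.
    Only the first occurrence of a directive is kept, which matches
    sshd's first-match rule for repeated keywords."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if m and m.group(1) not in settings:
            settings[m.group(1)] = m.group(2).strip()
    return settings

def check_compliance(settings, baseline):
    """Compare parsed settings with the criterion and return a list of
    (directive, expected, actual) findings. A directive that is absent
    (e.g. commented out) is reported as '<not set>': the baseline is not
    met just because the line exists somewhere as a comment."""
    findings = []
    for directive, expected in baseline.items():
        actual = settings.get(directive, "<not set>")
        if actual.lower() != expected.lower():
            findings.append((directive, expected, actual))
    return findings

if __name__ == "__main__":
    for d, exp, act in check_compliance(parse_sshd_config(SAMPLE_SSHD_CONFIG), SSHD_BASELINE):
        print(f"NON-COMPLIANT {d}: expected {exp!r}, found {act!r}")
```

The same structure extends to any other criterion on the page's checklists (file permissions, service inventories) by swapping the parser and the baseline dictionary.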
The Australian Computer Emergency Response Team (AusCERT)
AusCERT and the CERT® Coordination Center (CERT/CC) have produced the UNIX Security Checklist v3.0, which details steps to be taken to improve the security of most Unix operating systems. When carrying out compliance checks on most *nix systems I generally tend to quote from this lockdown guide, and also from the NSA guides, when making recommendations to enhance system security.
This can be found here.
National Security Agency
The NSA has made publicly available a number of lockdown guides in one of its many initiatives to enhance awareness of the security issues affecting today's operating systems, applications, etc. These guides, I have found, are generally easy to read and understand, and in most cases give you a step-by-step guide to implementation.
They can be found from here.