Monday, October 15, 2012

Tips for IT Security Auditing

How to conduct an IT security audit effectively?

As an information security professional, it is your responsibility to protect and sustain the enterprise’s information assets from all types of threats. One way to enhance the security posture of your enterprise is to leverage the expertise of a security auditor to help find and fix the worst problems in your security infrastructure.

You may be thinking, “Why would I want to invite a security auditor to help me find my greatest weaknesses?” No one relishes an audit, which often seems to involve people poking around and looking for holes in the network or systems.

However, a thoroughly conducted audit, with appropriate risk-based scoping, can keep you from having to report to your management or board that a data breach happened on your watch.

In most enterprises, the information security and audit functions are involved with protection and sustainment of important organizational assets. The information security function has the primary responsibility for establishing and maintaining a cost-effective and robust security program.

The audit function, whether internal or external, provides an independent review and analysis of the program. Here are some considerations for participating in and preparing for an IT security audit:

  • Remember that audits are opportunities to improve the security program, not a personal indictment of security practices. Taking the initiative to request a thorough audit of your security shows management that you are willing to do what is best for the enterprise. It can also help you get additional budget to address serious areas of risk.
  • Receive from the audit team an audit plan outlining the purpose, scope and approach to the audit. If you are the requestor of the audit, you have an opportunity to provide input on what areas of focus you think are most at risk.
  • Conduct a review of the current security policies, standards and guidelines, and make sure you understand how those policies are implemented in operation. Often, there are conflicts in the way policies are implemented, especially when relying on technology alone, and an audit can pinpoint the gaps.
  • Collect, document and organize the procedures and processes that your staff follows to perform their duties. You may find that lack of consistency in performing the processes results in unacceptable variance in the way that certain security controls are implemented.

Security audits should not be limited to technology testing, penetration testing or exploiting vulnerabilities, but should provide an accurate analysis of the risk areas that pose the most danger to the enterprise. A thorough security audit is about regular and consistent validation and verification that the security program is effective in doing what it is designed to do: protect and sustain the enterprise’s critical assets.

Source: ISACA
