OSI

Security Auditing

Security auditing is the formal examination and review of actions taken by system users. This process is necessary to determine the effectiveness of existing security controls, watch for system misuse or abuse by users, verify compliance with current security policies, capture evidence of the commission of a crime (computer or non-computer related), validate that documented procedures are followed, and detect anomalies or intrusions. Effective auditing requires that the correct data be recorded and that it undergo periodic review.

Conducting a Security Audit

Computer security auditors perform their work through personal interviews, vulnerability scans, examination of operating system settings, analyses of network shares, and historical data. They are concerned primarily with how security policies - the foundation of any effective organizational security strategy - are actually used. There are a number of key questions that security audits should attempt to answer:

  • Are passwords difficult to crack?
  • Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
  • Are there audit logs to record who accesses data?
  • Are the audit logs reviewed?
  • Are the security settings for operating systems in accordance with accepted industry security practices?
  • Have all unnecessary applications and computer services been eliminated for each system?
  • Are these operating systems and commercial applications patched to current levels?
  • How is backup media stored? Who has access to it? Is it up-to-date?
  • Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
  • Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
  • Have custom-built applications been written with security in mind?
  • How have these custom applications been tested for security flaws?

These are just a few of the kinds of questions that can and should be assessed in a security audit. By answering these questions honestly and rigorously, an organization can realistically assess how secure its vital information is.

After the audit is complete, we will conduct an outgoing briefing, ensuring that management is aware of any problems that need immediate correction. It will be stressed that we may not provide definitive answers at this point in time. Any final answers will be provided following the final analysis of all the audit results.
