Professional Documents
Culture Documents
Module 6
Module 6
Audit
&
Information Security
Audit
• Information System Audit and Information Security Audit are two tools that are used to
ensure safety and integrity of information and sensitive data.
Information Security Audit
Security audits are a formal process, carried out by certified auditing professionals to
measure an information system's performance against a list of criteria.
Computer security auditors perform their work though personal interviews, reviewing
policies, vulnerability scans, examination of operating system settings, analyses of network
shares, and historical data and logs.
Some of the purposes of audits are listed
a. Build awareness of current practices and risks
b. Reducing risk, by evaluating, planning and supplementing security efforts
c. Strengthening controls including both automated and human
d. Compliance with customer and regulatory requirements and expectations
e. Building awareness and interaction between technology and business teams
f. Improving overall IT governance in the organization
Scope of the Audit
• What does the system landscape look like (number of systems and level of
heterogeneity
of the systems used)?
• How many network gateways are there?
• Which and how many IT applications are used in the organization? Are they used to
support critical business processes?
• Are higher-level procedures used that may affect realms outside of the organization?
• How high is the protection requirement for the infrastructure, systems, and IT
applications?
Is the organization active in areas critical to security (for example, is it a security
agency)?
What makes a good security audit?
• Internal Audit :
• conducted by experts linked to the organization,
• it involves a feedback process where the auditor may not only audit the system but also
potentially provide advice in a limited fashion.
• External audit
• conducted by independent, certified parties in an objective manner
• identifying and reporting any implementation and control gaps based on stated policies and
standards such as the COBIT
• to lead the client to a source of accepted principles and sometimes correlated to current best
practices
• audit types based on standards followed : include SSAE 16 audits (Type I or II), audits of ISO
9001, ISO/IEC 17799, ISO/IEC 27001, ISO 27018 cloud security standard and audits of Industry
specific standards such as HIPPA controls.
Some of the specific audits
• Penetration Test
• Vulnerability Audit
• Web Application Security Audit
• Mobile Application Security Audit
• Audit Overall Concept
• IT-Risk Analyses
• Audit Access Control / Social Engineering
• Architecture, Design and Code Review
• Wireless Systems Audit
• Embedded Systems Audit
• Information Protection Audit
• Roles and Rights Audit
• Endpoint Audit (clients)
• Digital Guard Service
• Configuration Audit (firewalls, servers, etc.)
Phases of Information Security Audit
• security testing methodologies being used today by security auditors for technical control
assessment.
• Four of the most common are as follows:
• Open Source Security Testing Methodology Manual (OSSTMM)
• Information Systems Security Assessment Framework (ISSAF)
• NIST 800-115
• Open Web Application Security Project (OWASP
OSSTMM
NIST 800-115
provides guidance and a methodology for reviewing security that is required for the U.S.
government's various departments to follow
not as detailed as the ISSAF or OSSTMM, but it does provide a repeatable process for the
conduction of security reviews
Document includes guidance of the following:
• Security testing policies
• Management's role in security testing
• Testing methods Security review techniques
• Identification and analysis of systems
• Scanning and vulnerability assessments
• Vulnerability validation (pen testing)
• Information security test planning
• Security test execution
• Post-test activities
OWASP
• created to assist web developers and security practitioners to better secure web
applications.
• created to assist web developers and security practitioners to better secure web
applications.
• The OWASP testing methodology is split as follows:
• Information gathering
• Configuration management
• Authentication testing
• Session management
• Authorization testing
• Business logic testing
• Data validation testing
• Denial of service testing
• Web services testing
• AJAX testing
Audit Process