
SECURITY AUDIT

Information System Security Audit


It covers an assessment of the security of an organisation's networked infrastructure, comprising computer systems, networks, operating system software, application software, etc.
A security audit is a defined process designed to assess the security risks facing an organisation and the controls or countermeasures the organisation has adopted to mitigate those risks.

PROCEDURE & SCOPE OF AUDIT


The auditors will interview key personnel, conduct vulnerability assessments and penetration testing, catalogue existing security policies and controls, and examine IT assets. The auditors rely heavily on technology, manual effort and tools to perform the audit.

Audit Practices and Activities


There is no standard security-audit process, but auditors typically accomplish their job through:
- Personal interviews
- Vulnerability scans
- Examination of OS and security-application settings
- Network analyses
- Studying historical data such as event logs
- Reviewing the business's security policies to determine what they cover, how they are used and whether they are effective

CAATs (Computer-Assisted Audit Techniques)

CAATs are often employed to help auditors gain insight into a business's IT infrastructure in order to spot potential security weaknesses. CAATs use system-generated audit reports, as well as monitoring technology, to detect and report changes to a system's files and settings. While CAATs can provide definitive data on business systems, auditors must also keep an eye on activities and practices that are not easily quantifiable.
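The two CAAT activities named above (examining OS and security-application settings, and detecting changes to a system's files and settings) boil down to one mechanism: record a baseline, take a later snapshot, and report every difference. The following script is an added example, not code from the original slides or from any CAAT product. It hashes every file under a directory and pairs that with a dictionary of security-relevant settings; the settings values, file names and the "drift" it simulates are all constructed for the demonstration, and a real audit would source the settings from the system's own configuration.

```python
import hashlib
import json
from pathlib import Path
from tempfile import TemporaryDirectory


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, settings: dict) -> dict:
    """Capture file hashes under `root` plus a dict of security settings (both constructed here)."""
    files = {
        str(p.relative_to(root)): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }
    return {"files": files, "settings": settings}


def compare(baseline: dict, current: dict) -> list:
    """Report every added, removed or modified file and setting between two snapshots."""
    findings = []
    for kind in ("files", "settings"):
        old, new = baseline[kind], current[kind]
        for key in sorted(set(old) | set(new)):
            if key not in new:
                findings.append({"kind": kind, "item": key, "change": "removed"})
            elif key not in old:
                findings.append({"kind": kind, "item": key, "change": "added"})
            elif old[key] != new[key]:
                findings.append({"kind": kind, "item": key, "change": "modified",
                                 "before": old[key], "after": new[key]})
    return findings


def demo() -> list:
    """Build a constructed baseline, simulate drift, and return the audit findings."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed baseline state: file contents and settings are illustrative only.
        (root / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "hosts").write_text("127.0.0.1 localhost\n")
        baseline_settings = {"password_min_length": 12,
                             "audit_logging": "enabled",
                             "telnet_service": "disabled"}
        baseline = snapshot(root, baseline_settings)

        # Simulated drift: a hardening setting weakened, a new credential file,
        # and two settings loosened since the baseline was recorded.
        (root / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "authorized_keys").write_text("ssh-ed25519 CONSTRUCTED_PLACEHOLDER_KEY\n")
        current_settings = {"password_min_length": 8,
                            "audit_logging": "enabled",
                            "telnet_service": "enabled"}
        current = snapshot(root, current_settings)
        return compare(baseline, current)


if __name__ == "__main__":
    # In practice the baseline snapshot would be written to a protected store
    # (json.dumps shows the shape) and re-read at the next audit.
    for finding in demo():
        print(json.dumps(finding))
```

The baseline must be stored somewhere the audited system cannot alter (a separate host or write-once media), otherwise an attacker who changes a file can also update the reference hash. Unchanged items produce no finding, so the output is the list of things an auditor needs to explain or escalate.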

Key Questions That An Auditor Must Ask


- Who is in charge of security, and who does this person report to?
- Have ACLs (Access Control Lists) been placed on network devices to control who has access to shared data?
- How are passwords created and managed?
- Are there audit logs to record who accesses data?
- Who reviews the audit logs, and how often are they examined?
- Have unnecessary applications and services been purged from systems? How often does this task take place?

Key Questions That An Auditor Must Ask (contd.)

- Are all OSes and applications updated to current levels?
- How is backup media stored? Who has access to it? Is it up to date?
- How is email security addressed?
- How is Web security addressed?
- How is wireless security addressed?
- Is a disaster-recovery plan in place? Has the plan ever been rehearsed?
- Have custom applications been tested for security flaws?
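Two of the questions above, whether audit logs record who accesses data and whether anyone actually reviews them, are only answered convincingly by showing a review that has been run. The script below is an added example, not part of the original slides: it parses a small constructed access log, tallies who touched which object, flags successful access to a sensitive path by a user outside the authorised set, and flags users with repeated denied attempts. The log format, the path prefixes, the user names and the authorisation table are all constructed for this illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed log format: one event per line, key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"object=(?P<obj>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log; the last line is deliberately malformed to show
# that unparseable records are counted rather than silently dropped.
SAMPLE_LOG = """
2024-03-01T09:12:03Z user=alice action=read object=/finance/payroll.xlsx result=success
2024-03-01T09:15:40Z user=bob action=read object=/finance/budget.xlsx result=success
2024-03-01T09:20:11Z user=carol action=read object=/finance/payroll.xlsx result=success
2024-03-01T10:02:00Z user=dave action=read object=/hr/records.db result=denied
2024-03-01T10:02:05Z user=dave action=read object=/hr/records.db result=denied
2024-03-01T10:02:09Z user=dave action=read object=/hr/records.db result=denied
2024-03-01T11:30:27Z user=alice action=write object=/public/notice.txt result=success
garbage line that does not match the format
""".strip().splitlines()

# Constructed authorisation table: sensitive path prefix -> users allowed to access it.
AUTHORISED = {"/finance/": {"alice", "bob"}, "/hr/": {"erin"}}


def parse_line(line: str):
    """Return the event fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def review(lines, authorised, failure_threshold: int = 3) -> dict:
    """Summarise access per user and produce findings an auditor would follow up."""
    access_by_user = defaultdict(Counter)
    failures = Counter()
    findings = []
    unparsed = 0

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        access_by_user[rec["user"]][rec["obj"]] += 1
        if rec["result"] != "success":
            failures[rec["user"]] += 1
            continue
        # Successful access to a sensitive path by someone outside the allowed set.
        for prefix, allowed in authorised.items():
            if rec["obj"].startswith(prefix) and rec["user"] not in allowed:
                findings.append({"type": "unauthorised_access", "user": rec["user"],
                                 "object": rec["obj"], "time": rec["ts"]})

    # Repeated denials from one user suggest probing or a broken entitlement.
    for user, count in sorted(failures.items()):
        if count >= failure_threshold:
            findings.append({"type": "repeated_failures", "user": user, "count": count})

    return {
        "accesses": {u: dict(c) for u, c in access_by_user.items()},
        "findings": findings,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG, AUTHORISED)
    for finding in result["findings"]:
        print(finding)
    print("unparsed lines:", result["unparsed"])
```

The value for the auditor is the evidence trail: the review is repeatable, the criteria (who is allowed where, how many denials matter) are explicit, and a non-zero unparsed count is itself a finding, since it means the log format changed or the log was tampered with and the review no longer sees everything.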
