The single most important piece of advice that I can offer you is this: Select a solid security audit standard
or set of standards that you will audit against, and advise the auditee of the standard(s) well in advance of the audit. This ensures a level playing field and prevents the subject of the audit from crying foul when you examine something they didn't expect.
As far as overlooked information sources, I normally refer to two sources when preparing materials for a network security audit. The Center for Internet Security has a wonderful selection of security standards that can be adapted to suit the purposes of your audit. Second, the Payment Card Industry Data Security Standard (PCI DSS) offers a great set of general security requirements that can be used for any audit, even if you're not involved in credit card processing.
For more information:
- Read more about efforts to develop a common logging and audit standard.
- Learn best practices for Unix audit settings.
Dig deeper on IT Security Audits
Related Q&A from Mike Chapple, Enterprise Compliance
Should companies obtain U.S. security clearance to join the Enhanced Cybersecurity Services program? Mike Chapple offers his perspective.continue reading
Does a Web application security assessment termed 'compliance ready' seem too good to be true? Learn its role in an enterprise compliance program.continue reading
Learn how hiring the right PCI DSS-compliant service providers, especially payment services providers, can reduce your compliance burden.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.