This tip is excerpted from Chapter 3 of The Definitive Guide to Security Inside the Perimeter, written by Rebecca Herold and published by Realtimepublishers.com. Read the entire e-book for free.
Security audits and compliance validation reviews provide an in-depth examination of an organization's security infrastructure, policies, people, and procedures. When performed effectively and successfully, they will identify areas of weakness within the infrastructure. The auditor or reviewer can then provide recommendations for appropriate actions to address the weaknesses and reduce the accompanying risks.
Audits need to be performed to provide individuals who are responsible for particular IT environments, as well as executive management, with an independent assessment of the security condition of those environments and to validate that necessary controls are indeed in place and functioning as they should. The information security status of the enterprise environments should be subjected to thorough, independent, and regular security audits and control validation reviews.
Security audits and compliance validation reviews must include consideration of the business risks associated with the particular environment (the security clouds described earlier) under review and should be performed for critical business applications, information processing environments, communications networks, system development activities, and manual administrative and operational tasks.
Security audits and compliance validation reviews should be:
- Agreed upon and supported by the individual responsible for the environment under review
- Performed by qualified individuals who have sufficient technical skills and knowledge of information security
- Conducted frequently and thoroughly enough to provide assurance that security controls function as required
- Complemented by reviews conducted by independent third parties
Recommendations for improvement resulting from the audits should be discussed and agreed upon with the individuals responsible for the environment under review and should be implemented and reported to executive management.
Audit requirements and activities involving checks on operational systems must be carefully planned and communicated to the audited area's management to minimize the risk of disruptions to business processes. You want information security to be viewed as a business enabler not as an obstacle to achieving business goals. To help enable the success of an audit, keep the following guidelines in mind:
- Obtain agreement with the audited area's management for the activities being performed
- Determine and document the scope of the activities
- Limit the audit checks to read-only access to software and data; if necessary for the audit, allow access other than read-only for isolated copies of system files
- Explicitly identify the resources that will be used to perform the checks
- Identify and agree upon with management the requirements for special or additional processing
- Monitor and log all access to produce a time-stamped reference trail for all critical data or systems
- Document all procedures, requirements, and responsibilities for the audit activities
- Ensure the person(s) carrying out the audit are independent of the activities audited
MULTI-DIMENSIONAL ENTERPRISE-WIDE SECURITY
Risk assessment and analysis methodologies
The goal of an information security policy
Audit and validation
Divide and conquer
An action plan
Rebecca Herold is currently an information privacy, security and compliance consultant, author and instructor with her own company, Rebecca Herold, LLC. Rebecca has provided information security, privacy and regulatory services to organizations from a wide range of industries. She has over 15 years of information privacy, security and compliance experience. Rebecca was instrumental in building the information security and privacy program while at Principal Financial Group, which was awarded the 1998 CSI Information Security Program of the Year Award.