Home > Risk management audit
Learning Guide:
EMAIL THIS

Risk management audit

30 Aug 2006 | SearchSecurity.com

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   

An risk management audit function is required to ensure sensitive data and valuable assets are appropriately safeguarded. Take a hard look at who has access to sensitive data and whether those accesses are appropriate. The audit function should also monitor systems and insiders to detect illicit activity. Review audit trails searching for security events and abuse of privileges. Verify directory permissions, payroll controls and accounting system configurations. Confirm backup software is appropriately configured and backups complete without error. Review network shares for sensitive information stored with wide-open permissions. Conduct office space reviews to determine if security policies and procedures are followed in practice (e.g. sensitive material is not left unattended, workstation screens are locked and laptops are secured).

Ensure accesses are systematically rescinded when personnel leave the organization or their role changes. Obtain a list of current personnel from human resources and compare it to active accounts (e.g. network accounts, remote access and local accounts on servers). Stand-alone applications must be checked as well (e.g. voicemail and company directories).

Review physical security access logs. Pay particular attention to employee visits after-hours and on the weekends. If suspicious activity is detected, cross reference video surveillance feed and system audit trials.

Conduct the assessments identified above at least quarterly. Automate auditing as much as possible to conserve resources and detect security violations as they occur. For more information, see the IIA GTAG Continuous Auditing Guide.

This article scratches the surface of insider threat mitigation. For more information, see the US-CERT Common Sense Guide to Prevention and Detection of Insider Threats. The ACM Occupational Fraud & Abuse Report provides examples of how fraud is committed and guidance for preventing and detecting it. The Yahoo insider-threat group is a good resource to keep up with current events and new developments.

As you can see the threat from within is very real. Trust is necessary but it must be controlled and monitored.


INSIDER THREAT MANAGEMENT GUIDE

  Introduction: Insider threat management
  Data organization and impact analysis
  Baseline management and control
  Implementation of baseline control
  Risk management audit
  Risk management references


BROWSE BY TAG
Security Audit, Compliance and Standards,   IT Security Audits,   Security Awareness Training and Internal Threats,   Information Security Management,   Enterprise Risk Management: Metrics and Assessments,   VIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   



RELATED CONTENT
IT Security Audits
Compliance strategy: How to become an internal IT auditor
A guide to internal and external network security auditing
Standards compliance does not equal sound information security risk management
Tony Spinelli: Prioritize Information Security over Compliance
How to prepare for a FERPA audit
MasterCard increases PCI compliance requirements for some merchants
How to select a set of network security audit guidelines
How to write a risk methodology that blends business, security needs
PCI compliance requirement 11: Testing
Using IAM tools to improve compliance

Security Awareness Training and Internal Threats
Information security book excerpts and reviews
Schneier-Ranum face-off, part 2: Social networking
Health Net breach failure of security policy, technology
Health Net healthcare data breach affects1.5 million
Massive T-Mobile UK security breach involves insiders
Secure your remote users in 2010
Layoffs prompt insider threat fears, cybersecurity survey finds
How to use Internet security threat reports
Creating a HIPAA employee training program
Successful rogue antivirus hinges on social engineering

Enterprise Risk Management: Metrics and Assessments
Perspectives: Pet information security risks
Cloud computing in 2010: Be ready for risk management challenges
Security risk factors: Business partner security and pandemic planning
GRC customers point to better efficiency, convergence and consistency
Schneier-Ranum face-off part 5: Security metrics
How to detect and respond to money laundering
How to justify information security spending on cloud computing
Layoffs prompt insider threat fears, cybersecurity survey finds
How to avoid Internet liability lawsuits
Bruce Jones: Report Security and Risk Metrics in a Business-Friendly Way
Enterprise Risk Management: Metrics and Assessments Research

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
dumpster diving  (SearchSecurity.com)
Honeynet Project  (SearchSecurity.com)
insider threat  (SearchSecurity.com)
National Computer Security Center  (SearchSecurity.com)
pretexting  (SearchCIO.com)
shoulder surfing  (SearchSecurity.com)
single-factor authentication (SFA)  (SearchSecurity.com)
social engineering  (SearchSecurity.com)
Total Information Awareness  (SearchSecurity.com)
trusted computing  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary




Search Additional Security Research and Solutions
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2010, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts