Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

How to select a set of network security audit guidelines

A network security audit can be a daunting task, but there are resources that can help. Mike Chapple, network security expert, weighs in on why and how to choose a security audit standard.

Are there certain types of information or sources of information I should look for when I do a network security audit that most people overlook?

The single most important piece of advice that I can offer you is this: Select a solid security audit standard or set of standards that you will audit against, and advise the auditee of the standard(s) well in advance of the audit. This ensures a level playing field and prevents the subject of the audit from crying foul when you examine something they didn't expect.

As far as overlooked information sources, I normally refer to two sources when preparing materials for a network security audit. The Center for Internet Security has a wonderful selection of security standards that can be adapted to suit the purposes of your audit. Second, the Payment Card Industry Data Security Standard (PCI DSS) offers a great set of general security requirements that can be used for any audit, even if you're not involved in credit card processing.

For more information:

This was last published in June 2009

Dig Deeper on IT security audits and audit frameworks

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

A problem that may occur with this approach is that the organization you are auditing may have designed, built, and implemented the GSS, MA, or mA to a set of standards other than what you select. Although controls from the disparate control sets may map to one another at some level (and with some effort/imagination) that mapping may differ in your mind and your client's mind. Another approach would be to review the client's A&A documentation to identify the standards/controls to which the designed, built, tested, and implemented the systems, systems, application, or applications subject to the audit, and plan your audit accordingly. One other thing, in your pre-site survey, you should identify areas of potential miscommunication and misunderstanding. For example, If you are conducting an audit, ensure that your idea of what comprises an audit matches that of your client and the staff/stakeholders with whom you will interact. Everyone involved should be "reading from the same as it were. Don't arrive on site to conduct an audit when your client thinks you are conducting a control assessment. control assessmentpage"