Step 2: Preparation (Time Allotment 10%)
Audits are systematic in nature. Therefore, they require careful planning to ensure seamless execution and comprehensive coverage. The preparation stage of the audit is where you must:
Prioritize audit targets.
Decide on the objectives, depth, and scope of your audit.
Identify and verify the resources (time, people, tools, information) you will need to conduct your audit.
Plan your audit procedure.
Communicate your plans to others in your organization.
From your risk analysis, you should already have a fairly good idea of your audit priorities as far as systems and data are concerned. However, each asset will need to be approached from several angles. These angles include:
The virtual security of the asset;
The physical security of the asset; and
Security maintenance procedures for that asset.
Given the size of a full-scale audit, you may choose to focus on one or two areas at a time. However, most systems are interrelated. Be sure to include assessment of the interconnections between these systems in your plans.
When planning your audit, follow these steps:
1. Identify systems to which you will need to restrict access during your tests.
2. Pick appropriate times for performing your audit, such as after regular business hours, to minimize disruptions to the business.
3. Identify key personnel (data owners, department managers, security administrators, tech support workers, and typical business users) for information-gathering interviews. Get your hands on an organizational chart to help you out.
4. Prepare a series of questions to ask staff, end users, and other individuals who are exposed to your systems and who you have identified for interviews. Focus your questioning on how personnel interact with the system, to what they can gain access, and how they perform security procedures (if at all).
5. Collect and review the manuals for all security packages. They may contain helpful auditing checklists or even an audit program that you can use.
6. Assess and acquire established automated audit and utility programs. Conducting an audit manually can be a painstaking process, and may lead to errors. See the "Auditing Tools and Services" section in this paper for some well-known and proven auditing tools and service providers.
7. Pick and prepare your auditing platform.
The operating system you choose will affect the auditing tools you can use, and vice versa. Choose wisely.
Opt for a notebook computer for your auditing command center due to its portability.
Ensure your auditing platform runs no network services and is configured much like any other secure host, such as a firewall.
8. Verify your audit and testing environment to ensure that it has not been tampered with. Burn a copy of your secure platform to a CD and store it in a secure location to ensure that you have a "tamper-proofed" version at hand.
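A stored copy of the platform is only useful if you can later prove it is the same copy. The following added example (not from the Info-Tech brochure) records a SHA-256 manifest of every file on the auditing platform and re-checks the tree against it, reporting files that were modified, removed, or planted. The directory and file names are constructed for the demonstration.

```python
"""Added example: a SHA-256 manifest for the auditing platform so the offline
copy can be checked for tampering before each use. File names are constructed."""
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the current tree against a stored manifest.

    Returns files modified, missing, or added since the manifest was taken;
    an all-empty report means the platform is unchanged."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def is_clean(report: dict) -> bool:
    """True when no file was modified, removed, or added."""
    return not any(report.values())


def demo():
    """Build a toy platform tree, record it, tamper with it, and re-check.

    Returns (report_before_tampering, report_after_tampering)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for the files on the auditing platform.
        (root / "tools").mkdir()
        (root / "tools" / "scanner.cfg").write_text("verbose=true\n")
        (root / "checklist.txt").write_text("1. verify platform hash\n")
        manifest = build_manifest(root)  # record this alongside the burned CD
        clean = verify_manifest(root, manifest)
        # Simulated tampering: one file altered, one removed, one planted.
        (root / "tools" / "scanner.cfg").write_text("verbose=false\n")
        (root / "checklist.txt").unlink()
        (root / "tools" / "extra.sh").write_text("echo planted\n")
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("before:", "clean" if is_clean(before) else before)
    print("after:", "clean" if is_clean(after) else after)
```

Keep the manifest (or at least its own digest, written down) with the read-only copy rather than on the working platform: anyone who can alter the platform files can alter a manifest stored next to them.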
9. Develop a prioritized plan. This plan should itemize all tests, evaluations, and inquiries you intend to make. It should also list timelines and all resources required to perform your evaluations. Attach step-by-step procedures for all tests you intend to perform. When setting timelines, leave adequate room for contingencies: you may run across unexpected elements or problems, or may gain insight into a new way to approach a specific test.
10. Communicate your plans to perform an audit to whoever needs to know. This would include executives, department heads, your staff, and others who you wish to interview. Explain why an audit is necessary, and specify the times and dates of any required system downtimes.
Remember that the quality of your findings is important because it will form a comparative benchmark for future audits.
If you do not have the appropriate training for conducting a security audit, or have not experienced one first hand, it may be wise to get some training through self-education or a course.
Another alternative is to outsource to a professional auditing firm. One of the benefits of opting for the latter is that you can ensure an unbiased approach. In-house staff members may have their pride (or perhaps something more sinister) to protect, or may be unable to approach the system being audited with an objective eye. See the "Auditing Tools and Services" section for a list of auditing firms.
Step 3: Review Policy Documents and Reports (Time Allotment 10%)
The fundamental question answered by an audit is: Are your systems and procedures in compliance with your policy? Without a clear and comprehensive policy, you can't be entirely sure of what security problems you're looking for. A policy provides an important baseline against which your IT systems and practices will be measured.
If you don't have a security policy in place prior to conducting an audit, you should make some effort to build a policy that addresses the following:
The overall security goals of your IT installation.
The scope of security protection offered by your department.
Ownership over various IT resources, including systems and data.
Categorization of data according to sensitivity.
Responsibility for the integrity of these resources.
Requirements to access resources (passwords, permissions).
Descriptions of all security system access rules.
Descriptions of all security procedures, including security maintenance, password handling, violation handling, backup and recovery, and emergency and troubleshooting procedures.
User rights and accountabilities.
Remote access procedures.
Account protection requirements.
Responsibility for support and enforcement of security direction (i.e. rights and accountabilities of the security administrator).
Consequences for non-compliance with the policy.
Having a security policy alone isn't enough. An unclear, out-of-date, unenforceable, or meager policy is a security problem in itself and should be treated as a threat. It is also a threat if it has not been properly disseminated and explained to end users. Consider your policy an extension of your risk management practices.
Perform the following steps in regards to your policies and reports:
1. Gather and review all existing security policies and procedures. Key security procedures you should look at are:
Security maintenance, including patching and logging.
Password handling.
Access add/change/delete.
Violation handling.
Backup and recovery.
Emergency and troubleshooting.
2. Identify weaknesses or gaps in your security documentation and policy, and rewrite or expand areas that do not accurately reflect your organization's current security priorities or views, or are generally unclear.
3. Gather and review all documentation on fixes installed or performed so that you better understand the current status of your systems.
4. Gather copies of all system and data access rules, access changes, and violation files.
5. Gather and review all prior audit reports.
Step 4: Gathering "People" Information (Time Allotment 10%)
People, not technologies, are the number one barrier to effective enterprise security. In a recent survey conducted jointly by the FBI and Computer Security Institute, 81 percent of respondents said the most likely source of a security attack was from within a company.
Conducting both formal and informal interviews with those who have access to your systems is an often overlooked, but critical, step. Interviews will help you discover how well personnel understand and adhere to security policies and procedures, as well as uncover what access people actually have to systems beyond what is documented or "sanctioned".
1. Talk to your IT staff. Find out how they actually go about handling security procedures. Next, quiz them about their understanding of documented security procedure, controls, and responsibilities. Compare what they actually do with what is documented, and itemize the gaps.
2. Interview end users. Start with data owners and department heads, but also talk to general end users. Find out what they can and cannot do (such as accessing certain resources). Get a take on their understanding of security practices and loopholes. Ask them to show you their copies of security policies and procedures, or have them point out where they can be found (online, in a centralized binder). This will help you determine if they've ever even seen them in the first place.
3. Talk to any other workers that have access to your physical building, such as maintenance and janitorial staff. They have access to more than you may think, including passwords (written on sticky notes), desktop "comings and goings" of staff, what sensitive material ends up in the garbage instead of the shredder, and the overall physical security of the building.
Step 5: Testing (Time Allotment 15%)
Running a full battery of tests on your network may be too time consuming to be practical. Prioritize the components that you'd like to test, and choose the most important areas. These could include major routers and servers, platforms, applications, data files, and interconnects.
Be very cautious in pursuing active testing of live applications using real data: you could inadvertently cause damage. Such tests could include mock denial of service attacks or exploits. If you decide to run active tests, do a full backup of the system to be tested and run your tests after hours. If you're not completely familiar with the testing tools and cannot implement full controls, consider not doing these types of tests at all. There are several types of tests that can be performed within or outside an IT infrastructure. These types of tests should only be performed by a qualified technician.
Step 6: Evaluating Your Data (Time Allotment 20%)
The testing phase will have generated a lot of data and observations. Be sure you've left yourself enough time to adequately organize and assess your results.
1. Analyze all data collected by the automated tools you used. Look for trends and irregularities. Separate and analyze your findings by system.
2. Itemize all application backdoors and loopholes.
3. Itemize all areas where security practice does not comply with policy or procedure. A good dividing line to impose is by staff type and/or levels (i.e. separate IT staff procedures from general end user procedures).
4. Label each of your security components (systems, procedures, etc.) in two ways:
Indicate level of security compliance: green (compliant), yellow (minor non-compliance), red (major non-compliance).
Indicate urgency of action required to bring non-compliant components into compliance, prioritized by risk factor: green (not urgent), yellow (moderately urgent), red (urgent).
5. Create a prioritized list of fixes to be made.
6. Finally, assess the time and resources it will take to make each required change.
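Steps 4 through 6 amount to a small data model: each component carries a compliance label and an urgency label, and the fix list is those labels sorted into an order with an effort estimate attached. The following added example (not from the brochure) implements that labelling and ordering in Python, using the two colour scales exactly as defined above; the findings and hour estimates are constructed.

```python
"""Added example: label audited components with the two colour scales from
step 4, then derive the prioritized fix list (step 5) and effort totals
(step 6). The findings below are constructed sample data."""
from dataclasses import dataclass

# Rank order for both colour scales; red sorts first.
RANK = {"red": 0, "yellow": 1, "green": 2}
COMPLIANCE = {"green": "compliant", "yellow": "minor non-compliance", "red": "major non-compliance"}
URGENCY = {"green": "not urgent", "yellow": "moderately urgent", "red": "urgent"}


@dataclass(frozen=True)
class Finding:
    component: str       # system or procedure audited
    issue: str           # what was observed
    compliance: str      # green / yellow / red, per the compliance scale
    urgency: str         # green / yellow / red, per the urgency scale
    effort_hours: float  # estimated time to make the fix

    def __post_init__(self):
        # Reject labels outside the two defined scales.
        if self.compliance not in COMPLIANCE or self.urgency not in URGENCY:
            raise ValueError(f"bad label on {self.component}: {self.compliance}/{self.urgency}")


def prioritize(findings):
    """Return non-compliant findings, most urgent first.

    Ties are broken by severity of non-compliance, then by effort so that
    quick wins surface ahead of long projects of equal urgency."""
    open_items = [f for f in findings if f.compliance != "green"]
    return sorted(open_items, key=lambda f: (RANK[f.urgency], RANK[f.compliance], f.effort_hours))


def effort_by_urgency(findings):
    """Total estimated hours of fixes per urgency level."""
    totals = {"red": 0.0, "yellow": 0.0, "green": 0.0}
    for f in prioritize(findings):
        totals[f.urgency] += f.effort_hours
    return totals


def render(findings):
    """Plain-text prioritized fix list, one numbered line per open finding."""
    lines = []
    for n, f in enumerate(prioritize(findings), 1):
        lines.append(f"{n}. [{URGENCY[f.urgency]}] {f.component}: {f.issue} "
                     f"({COMPLIANCE[f.compliance]}, ~{f.effort_hours:g}h)")
    return "\n".join(lines)


# Constructed sample findings (not real audit results).
SAMPLE = [
    Finding("Mail server", "Patches six months behind policy", "red", "red", 8),
    Finding("Backup procedure", "Restore never tested", "yellow", "red", 4),
    Finding("Password policy", "No lockout after failed logins", "red", "yellow", 2),
    Finding("Visitor log", "Log kept but not reviewed", "yellow", "green", 1),
    Finding("Firewall ruleset", "Matches documented access rules", "green", "green", 0),
]

if __name__ == "__main__":
    print(render(SAMPLE))
    print(effort_by_urgency(SAMPLE))
```

Fully compliant components are kept in the findings list (they belong in the report's compliance statement) but drop out of the fix list; the per-urgency hour totals are what you carry into the resourcing discussion in the next step.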
Step 7: Reporting Your Findings (Time Allotment 25%)
As you may have noticed, the reporting phase has the highest time allotment. Not only do you have to assemble your findings and build a clear report, but you also need to meet with the appropriate people to review and explain your findings, decide on a course of action, and develop a work plan.
The purpose of your report is to drive business decisions to invest in securing your IT assets. Aim to create a report that is clear, jargon-free, and speaks to business objectives.
Include the following in your report:
An executive summary stating the purpose of the audit and high priority action recommendations.
An explanation of the scope of the audit.
Details on any changes from the last audit (if prior audits have been conducted).
A statement of overall compliance of current security with policies, including an overall grade of total system security.
An explanation of what wasn't tested and why.
A detailed, prioritized list of recommended actions, with full justifications and costs to make each fix.
Once you've completed your report, book time to discuss your findings with key executives and decision makers. The outcome of this meeting should be decisions on final prioritized action items.
Step 8: Post-Audit Actions (Time Allotment 10%)
Your audit is complete, your report is in, and hopefully the recommendations on fixes to be made have been approved by senior management. What next?
1. First, follow up with your staff to discuss your course of action, resources required, and appropriate due dates for all fixes and changes. This will form the basis for your work plan.
2. Make copies of all your test data for future reference. Store these copies securely: they qualify as sensitive information about your company's vulnerabilities and should be kept away from prying eyes. Preferably, store encrypted copies off site as you would with any other important company data.
3. Redraft your security policy and procedures, if necessary, in light of your findings. Make sure they are well communicated to end users and your staff.
4. Assess your audit tools and procedures. Write a debriefing report that includes answers to the following questions:
Did you engage in too many manual processes that could have been sped up by using automated tools?
What automated tools did you use and why?
How effective and easy to use were the tools you selected?
Which tools would you use again, which would you replace, and why?
Did you have any problems in getting affected parties to comply with your audit requirements, such as participating in interviews or disclosing information?
Did you allocate sufficient time and resources to performing your audit?
What were the major challenges of conducting your audit?
What were the major surprises that surfaced in conducting your audit?
What do you plan to audit next time that you didn't audit this time?
What changes would you make to future audit procedures?
(Source: Info-Tech Free Security Audit Brochure)
At this point, the only thing that remains is making the actual fixes. Plan to repeat your audit on at least an annual basis. Ensure that whoever handles your security administration reports directly to you or to someone in top management. They must have the ear of key decision makers, have access to key players in other departments, and be aware of organizational priorities.