January 27, 2014

2.2.5 Perform routine audits


An audit is a formal and systematic assessment of how closely the organization's policies and procedures are actually being applied to the organization's assets. There are various types of audits, including information security audits and financial audits.

With respect to information security, routine audits must be performed periodically in order to maintain a secure environment. An information security audit is the formal review of how the confidentiality, integrity and availability of the organization's information are protected.

Formal security audits are typically conducted by outside agents with the full permission and cooperation of the organization. Security audits are formal and systematic. The scope of the security audit should be defined in advance and should cover all assets relevant to the organization's information security, including:
  • personnel
  • databases
  • email
  • servers
  • cloud
  • passwords
  • storage
  • access control lists
  • security policy
  • network
  • industry and government regulations
  • log files
Because the user base and the threat landscape are constantly evolving, a security audit should be treated as a process, not an event, and should be carried out on a periodic basis. The security auditor's toolbox includes penetration tests and vulnerability scans, one-on-one interviews, event log reviews, analysis of configuration settings, and review of security policy and procedure documents.