Increase your chances of passing a security audit
Takeaway: Security audits are a way of life—especially if your company is subject to complying with specific regulations. By better understanding how the audit process works and how auditors operate, however, you can create and operate a network that's compliant and secure—and easy to audit. Mike Mullins details what you can expect in this edition of Security Solutions.
If your network is subject to complying with any regulations or standards—such as the Sarbanes-Oxley Act, the European Union Data Protection Directive, or the National Institute of Standards and Technology (NIST) guidelines—audits are a critical element to your organization's regulatory compliance. It's the auditors' responsibility to determine whether your organization has effectively complied with such regulations or standards.
By better understanding how the audit process works and how auditors operate, you can create and operate a network that's compliant and secure—not to mention, easy to audit. Let's examine the different phases of a security audit and detail what you can expect.
Planning
During the planning phase, the auditor collects information on both the organization's network and the security controls it has implemented. Make sure you've fully documented the network, and describe how each control addresses risk and compliance.
The auditor will use the documentation to decide whether your security design is adequate for compliance. During the planning phase, the auditor should also define the scope of the audit and specify areas of the network that require special emphasis (such as financial systems), areas that failed previous audits, and/or areas considered high risk.
Testing
Once the auditor has gathered all of the required documentation, testing begins. The goals of the testing are to confirm compliance, validate internal documentation, and verify effective organizational policy.
Testing can cover a wide range of both automated controls (such as firewalls and intrusion detection systems) and manual processes (such as network account approval). However, while organizations always hope to pass with flying colors, the testing process usually identifies some deficiencies or shortcomings.
Deficiencies
Unfortunately, deficiencies are inevitable—I've never seen a perfect network. Based on the results gathered during the testing phase, the auditor will identify deficiencies and classify them according to risk.
While some of the deficiencies will be easy to address, others may involve budgeting for hardware/personnel, training, etc. In addition, how your organization addresses the deficiencies and the processes it uses for remediation are also an integral part of the audit.
Remediation
After you've addressed all of the deficiencies, which could be as simple as applying a patch or adjusting a policy, the auditor should conduct additional tests to verify that you've fixed the problem—and created no new deficiencies in the process. After you've addressed all of the problems found by the auditor, you'll get a chance to review the auditor's complete findings.
Findings
While the initial report will detail any operational or organizational deficiencies, this isn't the end of the auditing process. Actually, it's the beginning of the bargaining phase for your final score on compliance.
During this time, you'll get a chance to respond to the report by detailing your mitigation efforts to reduce the severity of a risk. In addition, don't forget to outline plans to address those deficiencies that you can't immediately fix. An auditor should only issue the final report after your organization has added its input.
Report
All relevant parties should receive the final report. This scorecard should list how the organization addressed and implemented the regulations and standards that govern the operation of your network.
But don't just read it and forget it—this report is a great resource for your next audit. The auditors will undoubtedly use it, and so should you.
Final thoughts
Security audits are a way of life. Understanding the process can help your organization better prepare for them. Make sure to use regulations and standards to justify the security controls you've implemented, and document everything.
Mike Mullins has served as an assistant network administrator and a network security administrator for the U.S. Secret Service and the Defense Information Systems Agency. He is currently the director of operations for the Southern Theater Network Operations and Security Center.