[ISN] Watching the Watchers

From: InfoSec News (isnat_private)
Date: Wed Mar 26 2003 - 00:02:58 PST

  • Next message: InfoSec News: "[ISN] Study: War could crimp IT spending"

    http://www.infosecuritymag.com/2003/mar/watchingwatchers.shtml
    
    By Carole Fennelly
    March 2003
    
    None of us relishes an audit--outsiders poking around for the holes in 
    my system? When someone says "audit," you probably think of the 
    surprise inspections your company's auditors pull to try to expose IT 
    weaknesses (see "Incomplete Audits").
    
    But you're the one on the hot seat if your organization gets hacked. 
    If you're responsible for information security, you should want--you 
    should insist--on thorough annual audits. In some cases, you may have 
    no choice. Financial institutions, for example, are required to have 
    external auditors certify compliance with regulations such as the 
    Gramm-Leach-Bliley Act (GLBA). Your own organization's audit 
    department may require it. Or potential partners or customers may 
    insist on seeing the results of a security audit before they do 
    business with your company and put their own assets at risk.
    
    So you bring the auditors in. But what if the auditors fail to do 
    their job correctly? You're still the one feeling the heat after an 
    attacker brings your Web site down or steals your customers' financial 
    information.
    
    Don't let this happen to you. And it won't, if you know how to:
    
    * Choose a good auditor.
    * Spell out your requirements.
    * Make sure the audit is conducted properly.
    * Intelligently evaluate the ultimate deliverable--the auditor's 
      report.
    
    An audit can be anything from a full-scale analysis of business 
    practices to a sysadmin monitoring log files. The scope of an audit 
    depends on the goals. The basic approach to performing a security 
    assessment is to gather information about the targeted organization, 
    research security recommendations and alerts for the platform, test to 
    confirm exposures and write a risk analysis report. Sounds pretty 
    simple, but it can become quite complex.
    
    
    Establish a Security Baseline
    
    Your security policies are your foundation. Without established 
    policies and standards, there's no guideline to determine the level of 
    risk. But technology changes much more rapidly than business policies 
    and must be reviewed more often. Software vulnerabilities are 
    discovered daily. A yearly security assessment by an objective third 
    party is necessary to ensure that security guidelines are followed.
    
    
    [...]
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Wed Mar 26 2003 - 02:27:20 PST