http://www.infosecuritymag.com/2003/mar/watchingwatchers.shtml By Carole Fennelly March 2003 None of us relishes an audit--outsiders poking around for the holes in my system? When someone says "audit," you probably think of the surprise inspections your company's auditors pull to try to expose IT weaknesses (see "Incomplete Audits"). But you're the one on the hot seat if your organization gets hacked. If you're responsible for information security, you should want--you should insist--on thorough annual audits. In some cases, you may have no choice. Financial institutions, for example, are required to have external auditors certify compliance with regulations such as the Gramm-Leach-Bliley Act (GLBA). Your own organization's audit department may require it. Or potential partners or customers may insist on seeing the results of a security audit before they do business with your company and put their own assets at risk. So you bring the auditors in. But what if the auditors fail to do their job correctly? You're still the one feeling the heat after an attacker brings your Web site down or steals your customers' financial information. Don't let this happen to you. And it won't, if you know how to: * Choose a good auditor. * Spell out your requirements. * Make sure the audit is conducted properly. * Intelligently evaluate the ultimate deliverable--the auditor's report. An audit can be anything from a full-scale analysis of business practices to a sysadmin monitoring log files. The scope of an audit depends on the goals. The basic approach to performing a security assessment is to gather information about the targeted organization, research security recommendations and alerts for the platform, test to confirm exposures and write a risk analysis report. Sounds pretty simple, but it can become quite complex. Establish a Security Baseline Your security policies are your foundation. Without established policies and standards, there's no guideline to determine the level of risk. But technology changes much more rapidly than business policies and must be reviewed more often. Software vulnerabilities are discovered daily. A yearly security assessment by an objective third party is necessary to ensure that security guidelines are followed. [...] - ISN is currently hosted by Attrition.org To unsubscribe email email@example.com with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Wed Mar 26 2003 - 02:27:20 PST