Information Security News mailing list archives

Watching the Watchers


From: InfoSec News <isn () c4i org>
Date: Wed, 26 Mar 2003 02:02:58 -0600 (CST)

http://www.infosecuritymag.com/2003/mar/watchingwatchers.shtml

By Carole Fennelly
March 2003

None of us relishes an audit--outsiders poking around for the holes in 
my system? When someone says "audit," you probably think of the 
surprise inspections your company's auditors pull to try to expose IT 
weaknesses (see "Incomplete Audits").

But you're the one on the hot seat if your organization gets hacked. 
If you're responsible for information security, you should want 
thorough annual audits--you should insist on them. In some cases, you 
may have no choice. Financial institutions, for example, are required 
to have external auditors certify compliance with regulations such as 
the Gramm-Leach-Bliley Act (GLBA). Your own organization's audit 
department may require it. Or potential partners or customers may 
insist on seeing the results of a security audit before they do 
business with your company and put their own assets at risk.

So you bring the auditors in. But what if the auditors fail to do 
their job correctly? You're still the one feeling the heat after an 
attacker brings your Web site down or steals your customers' financial 
information.

Don't let this happen to you. And it won't, if you know how to:

* Choose a good auditor.
* Spell out your requirements.
* Make sure the audit is conducted properly.
* Intelligently evaluate the ultimate deliverable--the auditor's 
  report.

An audit can be anything from a full-scale analysis of business 
practices to a sysadmin monitoring log files. The scope of an audit 
depends on the goals. The basic approach to performing a security 
assessment is to gather information about the targeted organization, 
research security recommendations and alerts for the platform, test to 
confirm exposures and write a risk analysis report. Sounds pretty 
simple, but it can become quite complex.


Establish a Security Baseline

Your security policies are your foundation. Without established 
policies and standards, there's no guideline to determine the level of 
risk. But technology changes much more rapidly than business policies 
and must be reviewed more often. Software vulnerabilities are 
discovered daily. A yearly security assessment by an objective third 
party is necessary to ensure that security guidelines are followed.


[...]



-
ISN is currently hosted by Attrition.org
