
SECURITY AUDIT

WHAT IS A SECURITY AUDIT?


A security audit is a specified process designed to assess the security risks
facing a business and the controls or countermeasures adopted by the
business to mitigate those risks.
It is typically a human process, managed by a team of auditors with
technical and business knowledge of the company's information technology
assets and business processes.
As part of any audit, these teams will interview key personnel, conduct
vulnerability assessments, catalog existing security policies and controls, and
examine IT assets covered by the scope of the audit. In most cases, they rely
heavily on technology tools to perform the audit.
SECURITY AUDITS ARE BEST UNDERSTOOD BY FOCUSING ON THE SPECIFIC QUESTIONS THEY ARE DESIGNED TO ANSWER, SUCH AS:
How difficult are passwords to crack?
Do network assets have access control lists?
Do access logs exist that record who accesses what data?
Are personal computers regularly scanned for adware or malware?
Who has access to backed-up media in the organization?
AUDIT OBJECTIVES
1. The main objective of the audit is to assess the adequacy and effectiveness of
EC's security measures and management controls, through four specific
objectives focusing on high-risk areas.
2. To assess the adequacy of the physical security threat identification and risk
management process, with a focus on activities performed at the facility level.
3. To determine whether roles and responsibilities of all parties involved in
departmental physical security are clearly defined, performed by the
appropriate party, and cover the span of security activity, as defined by the TB
Policy on Government Security.
THE SECURITY AUDIT PROCESS
1. Define the physical scope of the audit: The audit team
should define the security perimeter within which the
audit will take place.
The perimeter may be physically organized around logical asset
groups such as a datacenter specific LAN or around business
processes such as financial reporting. Either way, the physical
scope of the audit allows the auditors to focus on assets,
processes, and policies in a manageable fashion.
2. Define the process scope of the audit: This is often
where the rubber hits the road on security audits, as
overly broad process scoping can stall audits.
At the same time, overly narrow scoping can result in an
inconclusive assessment of security risks and controls.
This document describes how to effectively scope the
security processes or areas that should be included in an
audit.
It is critical that any business, regardless of size, put limits
on the security processes or areas that will be the focus of
the audit.
3. Conduct historical due diligence: An oft-forgotten step in
security audits is pre-audit due diligence.
This due diligence should focus on historical events such as
known vulnerabilities, damage-causing security incidents, as
well as recent changes to IT infrastructure and business
processes.
It should include an assessment of past audits.
Furthermore, auditors should compile a complete inventory of
the assets located within the physical scope of the audit and a
complete list of specified security controls relevant to those
assets.
4. Develop the audit plan:
An effective audit is almost always guided by a
detailed audit plan that provides a specific project plan
for conducting the audit.
This should include a specific description of the scope
of the audit, critical dates/milestones, participants, and
dependencies.
5. Perform security risk assessment: Once the audit team has an effective plan in
place, they can begin the core of the audit: the risk assessment. The risk
assessment should cover the following steps:
A. Identify and locate the exact assets located within the security
perimeter and prioritize those assets according to value to the business.
For example, a cluster of web servers supporting the order entry
application is more important than a web server supporting the IT
department's internal blog.
B. Identify potential threats against the assets covered by the audit.
The definition of a threat is something that has the potential to
exploit a vulnerability in an asset.
C. Catalog vulnerabilities or deficiencies for each asset class or
type. Vulnerabilities exist for specific types of assets and present
opportunities for threats to create risk.
D. Identify the security controls currently in place for each asset class. These controls must
exist and be used on a regular basis. Anything short of this should be noted and not
counted towards existing controls. Controls include technologies such as firewalls,
processes such as data backup procedures, and personnel such as the systems
administrator that manages the relevant assets.
E. Determine probabilities of specific risks. Audit teams must make a qualitative
assessment of how likely it is that each threat/vulnerability will occur for a specific asset
class. The probability calculation should account for the ability of existing controls to
mitigate risk. This probability should be articulated on a numerical scale.
F. Determine the potential harm or impact of a threat. Auditors must again make a
qualitative assessment of the likely extent of the harm for a specific asset class. Again this
qualitative assessment should be represented on a numerical scale.
G. Perform the risk calculation. Auditors should multiply the two values above
(probability x harm) to calculate risk (probability x harm = risk). These calculations
should be performed on an asset class by asset class basis and will yield a priority list for
risk mitigation efforts and specific security controls that need to be implemented.
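The following is an added example (not part of the original slides) of a small risk register that carries steps A through G above through code: it only credits a control that both exists and is used regularly, derives a residual probability, multiplies by harm, and produces the priority list per asset class. The 1-to-5 rating scales, the per-control "reduction" factor, and the sample assets and controls are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Assumed scales (not from the page): likelihood and harm are rated 1 (low) to
# 5 (high); a counted control removes a fixed fraction of the likelihood.

@dataclass
class Control:
    name: str
    exists: bool          # the control is actually deployed
    used_regularly: bool  # and operated or tested on a regular basis
    reduction: float      # share of likelihood removed when counted

    def counted(self) -> bool:
        # Page rule: a control counts only if it exists AND is used regularly.
        return self.exists and self.used_regularly

@dataclass
class RiskItem:
    asset_class: str
    threat: str
    vulnerability: str
    likelihood: int       # 1-5, before considering controls
    harm: int             # 1-5, potential impact on the business
    controls: list = field(default_factory=list)

def residual_probability(item: RiskItem) -> float:
    """Likelihood after counted controls; never drops below 1 on the 1-5 scale."""
    p = float(item.likelihood)
    for c in item.controls:
        if c.counted():
            p *= 1.0 - c.reduction
    return max(1.0, p)

def risk_score(item: RiskItem) -> float:
    return residual_probability(item) * item.harm  # probability x harm = risk

def prioritize(items: list) -> list:
    """(asset_class, threat, score) tuples, highest risk first."""
    scored = [(i.asset_class, i.threat, risk_score(i)) for i in items]
    return sorted(scored, key=lambda t: t[2], reverse=True)

def uncounted_controls(items: list) -> list:
    """Controls claimed but not counted: these become findings, not credit."""
    return [(i.asset_class, c.name) for i in items for c in i.controls if not c.counted()]

# Constructed sample register using the page's own two example assets.
REGISTER = [
    RiskItem("order-entry web cluster", "remote exploitation", "unpatched web app", 4, 5,
             [Control("perimeter firewall", True, True, 0.25),
              Control("monthly patch cycle", True, False, 0.5)]),
    RiskItem("IT department blog server", "remote exploitation", "unpatched web app", 4, 2,
             [Control("perimeter firewall", True, True, 0.25),
              Control("monthly patch cycle", True, True, 0.5)]),
]
```

With this register the order-entry cluster scores 15.0 and the blog server 3.0, and the patch cycle that exists but is not run regularly on the cluster shows up as a finding rather than as credit.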
6. Document the results of the audit:
It should go without saying that the results captured
above should be documented in detail and proactively
presented to decision makers for review.
The document should include an executive summary,
audit determinations, required updates/corrections,
and supporting data in the form of exhibits.
The team should also turn the document into a
PowerPoint presentation.
7. Specify and implement new/updated controls:
The ultimate benefit of a security audit is that it should
yield specific recommendations for improving
business security.
These recommendations should take the form of
controls that the business can adopt, the deadline for
adoption, and the party responsible for adoption.
Do not forget to specify deadlines and specific
ownership responsibilities.
