
Re: Audit Programs Management for Security Teams

Subject: Re: Audit Programs Management for Security Teams
Date: Fri, 24 Sep 2004 21:39:29 +0000 (GMT)
Dear Brad,

If you have a close look at each of the audits going on in your
organisation, you should be able to identify the items which are requested
in a recurrent manner.  Most likely you will see that multiple units
within your organization need to be contacted to obtain information
required by an audit.  If you can start to focus on making this
information easier to reach, that should offer the biggest improvement.
As you will see, centralization is the key to easily providing information
(not only to audit teams, but to your IT security staff as well).
Unfortunately, this truly is a business decision to make, over which it is
difficult to get control.

An additional item to investigate is making sure that you have some type
of "control" over the auditors.  The plan here should be to make sure that
all these audits are oriented in the same way.  This will make it easier
for both your team as well as the audit team.  The best way to start would
be to closely follow up one particular audit.  Write down the process in a
document, and together with your team, turn it into a guideline.  Next
time you are warned of an upcoming audit, provide the new audit team with
your guideline, and describe it as the way audits are best conducted
within your business entity.  Recognize that the audit process is
important, and good auditors will also understand you have significant
business needs next to their interests.  When you are the one controlling
the audit process, instead of an audit process suddenly occurring within
your business, it is much easier to manage a number of them
simultaneously.  Repeatability is the key to success.  Some of the
guidelines you should define could be:

- How much time in advance should an upcoming audit be announced?
- To whom should requests for information be sent?
- What is the expected timeframe for this information to be provided?
- Which are the restrictions on the delivered information (confidentiality
restraints?)

These are questions which will usually pop up indirectly throughout each
audit.  Getting these facts straight from the beginning, and agreeing on
time limitations for certain processes, is very useful.  After guidelines
have been made, you can start to define processes within an audit, and
define each of them in a work package, assigning it to different teams.
The teams who receive e.g. the work package "provide procedure A", should
have some type of flow on how to easily retrieve the most recent version.

When an auditor requests information, you will very often see internal
units respond with too little information to actually be useful.  This is
a point where you should put on the "audit mask" yourselves.  Have your
team member review the information which is provided during an audit.  If
questions come back from the auditors -- take note of these questions.

At the end of the audit, review which groups had to be contacted
repeatedly for additional information.  Develop some type of workflow
which your people can use to make sure that they have answered each
question.

While audit is a business activity, it is drenched in emotion... People
are afraid to be judged, and some people do like to judge.  However, make
your people realise they are all working towards a common goal.  The trick
to making it work is to use "lean communication".  Make communication
flexible & short, but make sure it responds to all types of requests in
the original question.  When the original question is technical, such as
"Are you using PFS in VPN tunnels", the answer can be quite simple.  If
the question is more in the direction of "How does your business process
work.  Does it take into account that...  What is the reason you are
using...", the question is posed within a multiple layer context.  Each of
these needs to be responded to.  Make sure your people respond to the
emotional part of the question (We agree that this...), the indirect
question within the request (This is covered by...), the direct
information requested (We use ...), as well as on a relational level.
Only if all of these are addressed correctly will your answer not only be
registered in the audit results, but also appreciated.

Hope these ideas are useful in your situation.  Good luck!

Yours sincerely,
Maarten

--
Maarten Van Horenbeeck, GCIA <maarten@daemon.be>
http://www.daemon.be/maarten
