Initial Site Survey

• Are passwords difficult to crack?
• Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
• Are there audit logs to record who accesses data?
• Are the audit logs reviewed?
• Are the security settings for operating systems in accordance with accepted industry security practices?
• Have all unnecessary applications and computer services been eliminated for each system?
• Are these operating systems and commercial applications patched to current levels?
• How is backup media stored? Who has access to it? Is it up-to-date?
• Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
• Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
• Have custom-built applications been written with security in mind?
• How have these custom applications been tested for security flaws?
• How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?

Pre-Audit Homework

Before the computer security auditors even begin an organizational audit, there’s a fair amount of homework that should be done. Auditors need to know what they’re auditing. In addition to reviewing the results of any previous audits that may have been conducted, there may be several tools they will use or refer to before. The first is a site survey. This is a technical description of the system’s hosts. It also includes management and user demographics. This information may be out of date, but it can still provide a general framework. Security questionnaires may be used as to follow up the site survey. These questionnaires are, by nature, subjective measurements, but they are useful because they provide a framework of agreed-upon security practices. The respondents are usually asked to rate the controls used to govern access to IT assets. These controls include: management controls, authentication/access controls, physical security, outsider access to systems, system administration controls and procedures, connections to external networks, remote access, incident response, and contingency planning.

Site surveys and security questionnaires should be clearly written with quantifiable responses of specific requirements. They should offer a numerical scale from least desired (does not meet requirements) to most desired (meets requirements and has supporting documentation). Both should include electronic commerce considerations if appropriate to the client organization. For instance, credit card companies have compliance templates listing specific security considerations for their products. These measure network, operating system, and application security as well as physical security.

Auditors, especially internal auditors, should review previous security incidents at the client organization to gain an idea of historical weak points in the organization’s security profile. It should also examine current conditions to ensure that repeat incidents cannot occur. If auditors are asked to examine a system that allows Internet connections, they may also want to know about IDS/Firewall log trends. Do these logs show any trends in attempts to exploit weaknesses? Could there be an underlying reason (such as faulty firewall rules) that such attempts are taking place on an ongoing basis. How can this be tested?

Because of the breadth of data to be examined, auditors will want to work with the client to determine the scope of the audit. Factors to consider include: the site business plan, the type of data being protected and the value/importance of that data to the client organization, previous security incidents, the time available to complete the audit and the talent/expertise of the auditors. Good auditors will want to have the scope of the audit clearly defined, understood and agreed to by the client.

Next, the auditors will develop audit plan. This plan will cover how will audit be executed, with which personnel, and using what tools. They will then discuss the plan with the requesting agency. Next they discuss the objective of the audit with site personnel along with some of the logistical details, such as the time of the audit, which site staff may be involved and how the audit will affect daily operations. Next, the auditors should ensure audit objectives are understood.

http://www.securityfocus.com/infocus/1697