Security Basics mailing list archives
Re: Security Audits
From: "Cesar Osorio" <COsorio () awb com au>
Date: Tue, 12 Aug 2003 09:58:13 +1000
Sebastian,

This is what I can think of right now. I hope it helps.

Security Auditing covers a few things:

POLICIES and PROCEDURES
    In order to be able to audit an enterprise, policies and procedures should exist. If not, then part of your report should include best practices policies and procedures to ensure the enterprise is secured or at least aware of the risk.

Infrastructure auditing:
    Networks Design, routers and switches, dialup modems if any (HOPE NOT)
        Change Management control
    Firewalls Rules and Validation of the rules
        Log analysis to reflect rules and any discrepancy
        Change Management Control
    Physical Server Room access
    Server\Workstations security policies

APPLICATIONS
    Application Database access IDs
    Who's got administrator access
    How many people have got administrator access
    Passwords
        How often they change
        How complex are they
        Is there a central repository which is encrypted and password protected

WEB
    Is there a WEB site
        Is it patched
        Is it properly configured
    Is there a managed change control
    Vulnerability management
    Who's got access to the code

My personal opinion: "Security is about Mitigating Risk", as it is extremely difficult to depend on the security of applications and software that an enterprise uses.

Cesar
Security Engineer.


Sebastian Schneider <ses@straightliners.de>
To: security-basics () securityfocus com
cc:
Subject: Security Audits
12/08/2003 02:16

Hi,

is there a common approach to plan security audits? Which ways are most fitting to security and business needs? In which way do I have to take account of the characteristics?

Thanks a lot,
Sebastian