Security Basics mailing list archives
Re: Security Audits
From: Dustin Howard <dwhoward () cableaz com>
Date: Sat, 16 Aug 2003 06:35:55 -0700
Of course, everything I state is my opinion only. If there was a book written on this, does that make it gospel? :-)

While a Security Assessment is a probing\testing\identification of vulnerabilities, a Security Audit is an audit of what someone SHOULD have and what someone DOES have. Policy is always the best place to start. Policy is the perfect example of the SHOULD have part. Standards are another of what they SHOULD have. Process and procedure as well (change management in particular, but many others that cross the Policy -> Process realms).

However, it's a good idea when doing a Security Audit to also assess the security of the environment. I would recommend a "leveled" security assessment approach (as not all organizations or customers want to jump in to a full security assessment). The levels could be 1, 2, and 3, 3 being the most granular in detail.

Many security practitioners focus too much on smaller things: host security, firewall, application, etc. While including these as they are CRITICAL, don't forget the basic parts of security: confidentiality, integrity, and availability. The network itself plays a large part in availability...don't forget to assess that part (most\many people do).

As a part of my Security Offerings, I offered both assessment and audits. Some people really focus on an assessment, some really liked and wanted the audit piece as well.

Hope this helps...

At 06:16 PM 8/11/2003 +0200, Sebastian Schneider wrote:
Hi, is there a common approach to plan security audits? Which ways are most fitting to security and business needs? In which way do I have to take account of the characteristics? Thanks a lot, Sebastian