Security Basics mailing list archives
Re: Security Audits
From: "Cesar Osorio" <COsorio () awb com au>
Date: Tue, 12 Aug 2003 09:58:13 +1000
Sebastian,

This is what I can think of right now; I hope it helps.

Security auditing covers a few things:
POLICIES and PROCEDURES

In order to be able to audit an enterprise, policies and procedures should exist. If not, then part of your report should include best-practice policies and procedures to ensure the enterprise is secured, or at least aware of the risk.
Infrastructure auditing:
    Networks
        Design, routers and switches, dialup modems if any (HOPE NOT)
        Change management control
    Firewalls
        Rules and validation of the rules
        Log analysis to reflect rules and any discrepancy
        Change management control
    Physical
        Server room access
        Server/workstation security policies

APPLICATIONS
    Application
        Database access
    IDs
        Who's got administrator access
        How many people have got administrator access
    Passwords
        How often they change
        How complex are they
        Is there a central repository which is encrypted and password protected
    WEB
        Is there a web site
        Is it patched
        Is it properly configured
        Is there managed change control
        Vulnerability management
        Who's got access to the code
My personal opinion: "Security is about mitigating risk", as it is extremely difficult to depend on the security of applications and software that an enterprise uses.
Cesar
Security Engineer.
Sebastian Schneider <ses@straightliners.de>
To: security-basics () securityfocus com
cc:
Subject: Security Audits
12/08/2003 02:16
Hi,

is there a common approach to plan security audits?
Which ways are most fitting to security and business needs?
In which way do I have to take account of the characteristics?

Thanks a lot,
Sebastian
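The "rules and validation of the rules / log analysis to reflect rules and any discrepancy" item under Firewalls in Cesar's checklist, as an added example that is not part of his post or the list: a constructed Python check that replays logged connections through a documented rule set, reporting rules that never fire (candidates for removal or review) and log entries whose action disagrees with what the rule set predicts (a discrepancy between the documented and the running configuration). The rule format, log format and all addresses are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed rule set (first match wins); not taken from any real firewall.
RULES = [
    {"id": "R1", "action": "allow", "src": "10.0.0.0/8",    "dst": "192.168.1.10/32", "port": 443},
    {"id": "R2", "action": "allow", "src": "10.0.5.0/24",   "dst": "192.168.1.20/32", "port": 22},
    {"id": "R3", "action": "allow", "src": "172.16.0.0/12", "dst": "192.168.1.30/32", "port": 3389},
    {"id": "R4", "action": "deny",  "src": "0.0.0.0/0",     "dst": "0.0.0.0/0",       "port": None},
]

# Constructed log lines in an assumed "ACTION SRC DST PORT" format.
LOG = """\
ACCEPT 10.0.5.7 192.168.1.10 443
ACCEPT 10.0.5.7 192.168.1.20 22
ACCEPT 10.9.9.9 192.168.1.20 22
DROP 203.0.113.4 192.168.1.10 22
ACCEPT 10.0.0.3 192.168.1.10 443
"""


def first_match(src, dst, port):
    """Return the first rule whose src/dst/port cover the connection, or None."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in RULES:
        if (src_ip in ipaddress.ip_network(rule["src"])
                and dst_ip in ipaddress.ip_network(rule["dst"])
                and rule["port"] in (None, port)):  # None = any port
            return rule
    return None


def audit(log_text):
    """Replay each logged connection through RULES and compare outcomes."""
    hits = Counter()
    discrepancies = []
    for line in log_text.splitlines():
        action, src, dst, port = line.split()
        rule = first_match(src, dst, int(port))
        expected = "ACCEPT" if rule and rule["action"] == "allow" else "DROP"
        if rule:
            hits[rule["id"]] += 1
        if action != expected:  # log disagrees with the documented rule set
            discrepancies.append(line)
    unused = [r["id"] for r in RULES if hits[r["id"]] == 0]
    return {"hits": dict(hits), "unused_rules": unused, "discrepancies": discrepancies}


if __name__ == "__main__":
    print(audit(LOG))
```

Every discrepancy is a rule or log line to take back to the change-management records; an unused allow rule such as R3 is a question for the rule owner rather than an automatic removal.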
