Security Basics mailing list archives

Re: Security Audits


From: Dustin Howard <dwhoward () cableaz com>
Date: Sat, 16 Aug 2003 06:35:55 -0700

Of course, everything I state is my opinion only.  If there was a book
written on this, does that make it gospel?  :-)

While a Security Assessment is a probing\testing\identification of
vulnerabilities, a Security Audit is an audit of what someone SHOULD have
and what someone DOES have.  Policy is always the best place to start.
Policy is the perfect example of the SHOULD have part.  Standards are
another of what they SHOULD have.  Process and procedure as well (change
management in particular, but many others that cross the Policy -> Process
realms). However, it's a good idea when doing a Security Audit to also
assess the security of the environment.  I would recommend a "leveled"
security assessment approach (as not all organizations or customers want to
jump in to a full security assessment).  The levels could be 1, 2, and 3, 3
being the most granular in detail.  Many security practitioners focus too
much on smaller things:  host security, firewall, application, etc.  While
including these as they are CRITICAL, don't forget the basic parts of
security:  confidentiality, integrity, and availability.  The network
itself plays a large part in availability...don't forget to assess that
part (most\many people do).

As a part of my Security Offerings, I offered both assessment and audits.
Some people really focus on an assessment, some really liked and wanted the
audit piece as well.  

Hope this helps...


At 06:16 PM 8/11/2003 +0200, Sebastian Schneider wrote:
Hi,

is there a common approach to plan security audits?
Which ways are most fitting to security and business needs?
In which way do I have to take account of the characteristics?

Thanks a lot,
Sebastian

