Auditing Security Practices
The first step for evaluating security controls is to examine the organization's policies, security governance structure, and security objectives because these three areas encompass the business practices of security. Security controls are selected and implemented because of security policies or security requirements mandated by law. Security is a service provided by IT to the business, so measuring it as such enables you to see many of the connections to the various functions of the business. As discussed in Chapter 3, "Information Security Governance, Frameworks, and Standards," there are standards, laws, and benchmarks that you can use as your baseline to compare against. Normally, you include content from multiple areas, as businesses may have more than one regulation with which they must comply. It is easiest to start with the organization's policies and build your security auditing plan from there. Some criteria you can use to compare the service of security against are:
- Evaluation against the organization's own security policy and security baselines
- Regulatory/industry compliance—Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), Grahmm-Leach-Bliley Act (GLBA), and Payment Card Industry (PCI)
- Evaluation against standards such as NIST 800 or ISO 27002
- Governance frameworks such as COBIT or Coso
After you have identified the security audit criteria that the organization needs to comply with, the next phase is to perform assessments to determine how well they achieve their goals. A number of assessments are usually required to determine appropriate means for referring back to the scope, which defines the boundaries of the audit. The following are types of assessments that might be preformed to test security controls:
- Risk assessments: This type of assessment examines potential threats to the organization by listing areas that could be sources of loss such as corporate espionage, service outages, disasters, and data theft. Each is prioritized by severity, matched to the identified vulnerabilities, and used to determine whether the organization has adequate controls to minimize the impact.
- Policy assessment: This assessment reviews policy to determine whether the policy meets best practices, is unambiguous, and accomplishes the business objectives of the organization.
- Social engineering: This involves penetration testing against people to identify whether security awareness training, physical security, and facilities are properly protected.
- Security design review: The security design review is conducted to assess the deployment of technology for compliance with policy and best practices. These types of tests involve reviewing network architecture and design and monitoring and alerting capabilities.
Security process review: The security process review identifies weaknesses in the execution of security procedures and activities. All security activities should have written processes that are communicated and consistently followed. The two most common methods for assessing security processes are through interviews and observation:
- Interviews: Talking to the actual people responsible for maintaining security, from users to systems administrators, provides a wealth of evidence about the people aspect of security. How do they feel about corporate security methods? Can they answer basic security policy questions? Do they feel that security is effective? The kind of information gathered helps identify any weakness in training and the organization's commitment to adhering to policy.
- Observation: Physical security can be tested by walking around the office and observing how employees conduct themselves from a security perspective. Do they walk away without locking their workstations or have sensitive documents sitting on their desks? Do they leave the data center door propped open, or do they not have a sign-out procedure for taking equipment out of the building? It is amazing what a stroll through the cubicles of a company can reveal about the security posture of an organization.
- Document review: Checking the effectiveness and compliance of the policy, procedure, and standards documents is one of the primary ways an auditor can gather evidence. Checking logs, incident reports, and trouble tickets can also provide data about how IT operates on a daily basis.
- Technical review: This is where penetration testing and technical vulnerability testing come into play. One of the most important services an auditor offers is to evaluate the competence and effectiveness of the technologies relied upon to protect a corporation's assets.
This section covered evaluation techniques for auditing security practices within an organization. Many of the security practices used to protect a company are process- and policy-focused. They represent the primary drivers for technology purchases and deployment. Technology can automate many of these processes and policies and needs a different approach to testing effectiveness. The remainder of this chapter covers tools that can be used to test security technologies.