- Define the physical scope of the audit: Our security audit team will work with your management to define the security perimeter within which the audit will take place. The perimeter may be physically organized around logical asset groups such as a datacenter specific LAN or around business processes such as financial reporting. Either way, the physical scope of the audit allows the auditors to focus on assets, processes, and policies in a manageable fashion.
- Define the process scope of the audit: This is often where the rubber hits the road on security audits, as overly broad process scoping can stall audits. At the same time, overly narrow scoping can result in an inconclusive assessment of security risks and controls. It's important that we document the areas that should be included in or excluded from an audit. It is critical that any business, regardless of size, put limits on the security processes or areas that will be the focus of the audit.
- Conduct historical due diligence: An oft-forgotten step in security audits is pre-audit due diligence. Our due diligence will also focus on historical events such as known vulnerabilities, damage-causing security incidents, as well as recent changes to IT infrastructure and business processes. If there were past audits, we will examine those. Furthermore, we will compile a complete inventory of the assets located within the physical scope of the audit and a complete list of specified security controls relevant to those assets.
- Develop the audit plan: An effective audit is almost always guided by a detailed audit plan that provides a specific project plan for conducting the audit. Our team will include a specific description of the scope of the audit, critical dates/milestones, participants, and dependencies.
- Perform security risk assessment: Once the audit team has an effective plan in place, they can begin the core of the audit – the risk assessment. The risk assessment will cover the following steps:
  - Identify and locate the exact assets located within the security perimeter and prioritize those assets according to value to the business. For example, a cluster of web servers supporting the order entry application is more important than a web server supporting the IT department's internal blog.
  - Identify potential threats against the assets covered by the audit. The definition of a threat is something that has the potential to exploit a vulnerability in an asset.
  - Catalog vulnerabilities or deficiencies for each asset class or type. Vulnerabilities exist for specific types of assets and present opportunities for threats to create risk.
  - Identify the security controls currently in place for each asset class. These controls must exist and be used on a regular basis. Anything short of this will be noted and not counted towards existing controls. Controls include technologies such as firewalls, processes such as data backup procedures, and personnel such as the systems administrator that manages the relevant assets.
  - Determine probabilities of specific risks. Our teams must make a qualitative assessment of how likely it is that each threat/vulnerability will occur for a specific asset class. The probability calculation should account for the ability of existing controls to mitigate risk. This probability will be articulated on a numerical scale.
  - Determine the potential harm or impact of a threat. Our auditors must again make a qualitative assessment of the likely extent of the harm for a specific asset class. Again, this qualitative assessment will be represented on a numerical scale.
  - Perform the risk calculation. Our auditors will multiply the two values above to calculate risk (probability x harm = risk). These calculations will be performed on an asset class by asset class basis and will yield a priority list for risk mitigation efforts and specific security controls that need to be implemented.
- Document the results of the audit: It goes without saying that the results captured above will be documented in detail and proactively presented to your decision makers for review. The document will include an executive summary, audit determinations, required updates/corrections, and supporting data in the form of exhibits. The team will also turn the document into a presentation.
- Specify and implement new/updated controls: The ultimate benefit of a security audit is that it should yield specific recommendations for improving business security. These recommendations take the form of controls that the business can adopt, the deadline for adoption, and the party responsible for adoption.
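The risk assessment steps above, carried through to a ranked mitigation list, as an added worked example (this is illustration code, not the audit team's own tooling). It follows the page's rules: only controls that exist and are in regular use count toward mitigation, probability is adjusted for those controls, and risk is probability x harm per asset class. The 1-5 scales, the per-control mitigation factor, the "each control removes a fraction of the remaining likelihood" model, and the tie-break on business value are assumptions made for the example; the asset names and numbers are constructed.

```python
"""Added worked example of the audit's risk calculation (not the audit team's
own tooling).

Assumptions for illustration, not stated on the page: likelihood and harm are
scored 1-5, each control carries a 0-1 mitigation factor that removes that
fraction of the remaining likelihood, and ties in risk are broken on the asset
class's business value.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    mitigation: float            # fraction of remaining likelihood removed (assumed model)
    in_regular_use: bool = True  # must exist AND be used regularly to be credited


@dataclass
class AssetClass:
    name: str
    business_value: int          # 1 (low) .. 5 (critical), agreed with management
    threat: str
    vulnerability: str
    raw_probability: int         # 1..5 qualitative likelihood before controls
    harm: int                    # 1..5 qualitative impact
    controls: list[Control] = field(default_factory=list)


def effective_controls(asset: AssetClass) -> list[Control]:
    """Only controls that exist and are used regularly count toward mitigation."""
    return [c for c in asset.controls if c.in_regular_use]


def residual_probability(asset: AssetClass) -> float:
    """Likelihood after crediting effective controls.

    Each control removes its fraction of what is left, so stacked controls
    never push the value below zero.
    """
    p = float(asset.raw_probability)
    for c in effective_controls(asset):
        p *= 1.0 - c.mitigation
    return round(p, 2)


def risk_score(asset: AssetClass) -> float:
    """probability x harm = risk, computed per asset class."""
    return round(residual_probability(asset) * asset.harm, 2)


def prioritized_register(assets: list[AssetClass]) -> list[tuple[str, float, list[str]]]:
    """Rank asset classes by risk (highest first), then by business value.

    Each row also lists controls that were present but not credited, because
    the audit notes those rather than counting them.
    """
    ranked = sorted(assets, key=lambda a: (risk_score(a), a.business_value), reverse=True)
    rows = []
    for a in ranked:
        not_counted = [c.name for c in a.controls if not c.in_regular_use]
        rows.append((a.name, risk_score(a), not_counted))
    return rows


# Constructed sample register, echoing the page's own contrast between the
# order-entry web servers and the IT department's internal blog.
SAMPLE_ASSETS = [
    AssetClass(
        name="order-entry web cluster", business_value=5,
        threat="internet attacker", vulnerability="unpatched web framework",
        raw_probability=4, harm=5,
        controls=[Control("perimeter firewall", 0.25),
                  Control("monthly patching", 0.50, in_regular_use=False)],  # documented, not run
    ),
    AssetClass(
        name="IT internal blog server", business_value=1,
        threat="internet attacker", vulnerability="unpatched web framework",
        raw_probability=4, harm=2,
        controls=[Control("perimeter firewall", 0.25),
                  Control("monthly patching", 0.50)],
    ),
    AssetClass(
        name="financial reporting database", business_value=5,
        threat="insider misuse", vulnerability="shared administrator account",
        raw_probability=2, harm=5,
        controls=[Control("nightly backup", 0.0)],  # aids recovery, does not lower likelihood
    ),
]


if __name__ == "__main__":
    for name, score, not_counted in prioritized_register(SAMPLE_ASSETS):
        print(f"{score:5.1f}  {name}  (present but not credited: {not_counted or 'none'})")
```

The point the example makes that the prose alone does not: two asset classes can share the same threat and vulnerability and the same paper controls, yet land far apart on the priority list once a control that is documented but not actually run is refused credit and harm is scored against business value.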
Security Process Scoping
Many businesses have an easy time defining the physical security perimeter that encloses the audit. It is relatively easy for our audit team to limit an audit to a physical location (like a datacenter) or logical grouping of assets (all production storage devices). What is more difficult, and frankly more valuable, is scoping the audit around security processes or areas. To do this effectively, it is imperative that your business prioritizes security processes by the amount of risk that they pose to the organization. For example, the process of business continuity may pose a minimal security risk to the business, whereas the process of identity management poses a severe risk. Under this sample scenario, the identity management process would be included in the audit, while business continuity would not.
Typically, the majority of security threats will come from these four key areas:
- Network access controls: This process checks the security of a user or system that is attempting to connect to the network. It is the first security process that any user or system encounters when trying to connect to any IT asset within the business' network. Network access controls should also track the security of users and systems that are already connected to the network. In some cases, this process will also look to correct or mitigate risk based on detected threats and user or system profiles or identities.
- Intrusion prevention: As a process, intrusion prevention covers much more than traditional intrusion detection. In fact, it is more closely in line with access control, as it is the first security layer that blocks users and systems from attempting to exploit known vulnerabilities. This process should also enforce policies and controls to minimize the scope of an attack across the network. While intrusion detection systems are an obvious, nonnegotiable component of this process, so are other technologies such as firewalls.
- Identity and access management: This process controls who can access what when. Authentication and authorization are the usual pillars of this process, but robust policy management and storage are also critical components.
- Vulnerability management: The vulnerability management process manages baseline security configurations across the full range of asset classes. It also identifies and mitigates risks by performing root cause analysis and taking corrective measures against specific risks.