?
Solved

Using audits and auditors to your advantage

Posted on 2011-02-24
3
Medium Priority
?
283 Views
Last Modified: 2012-05-11
It seems to me 3rd party security audits / pen tests do nothing but upset the internal security guy and typically cost a fair few $$ to address the weaknesses. Whereas they are crucial, I suspect not all directors of companies love to see a pen test  in their diary.

But, in terms of infrastructure, operations, policy, apps - if you were a network admin or director of It for a company, where could you use your auditors to look at areas that could save the business money, or to benefit the company as opposed to find flaws that will cost money? What types of audits save companies money as opposed to cost companies money? Any pointers?
0
Comment
Question by:pma111
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 42

Accepted Solution

by:
Adam Brown earned 1000 total points
ID: 34974641
As one of the guys who has performed IT audits, there are a lot of areas that can use a lot of improvement in most organizations. One of the things that always seems to be lacking is documentation. IT guys tend to keep key processes and procedures in their heads rather than writing them down. That can cause a lot of trouble if one of those guys gets sacked or, worse, dies (I've seen that one happen before a couple times. It wasn't pretty). I don't know any companies that perform procedural reviews and such, but it is required of DoD networks (DIACAP auditing deals a lot with documentation). Having all your processes and procedures documented can save you a lot of money in training and a lot of work when the guy who knows everything isn't available. But that's just one. For the most part, even pen tests can result in a MAJOR cost savings in the long run if the audits find major holes that could be used to a hacker's benefit. Yes, you have to put money into closing holes, but that cost is usually small in comparison to what the results are if someone takes advantage of that hole. That said, a good risk analysis of weaknesses that are found is important, because there are security holes that are not worth the expense of closing. Risk analysis will help you identify those holes and find ways to mitigate the problem if outright eliminating it is too costly.
0
 
LVL 3

Author Comment

by:pma111
ID: 35004989
Thanks acbrown, what kinds of audits did you undertake? Were they predominantly security audits / pen tests, if not what other areas? Was it internal audits you did or for various customers?
0
 
LVL 42

Expert Comment

by:Adam Brown
ID: 35007246
I performed DIACAP audits on US Army installations. DIACAP is the DoD accreditation system for Information technology and it covers pretty much every angle of the CIA triad (Confidentiality, Integrity, Availability). If an installation does not meet the requirements of a DIACAP audit, the DoD ISP has the authority to basically cut their Internet connection to protect the rest of the government networks. The focus was on security, but in a broader sense than just avoiding malicious attacks. IT Security (or more correctly, Information Assurance) tries to help organizations plan for and avoid, or at the very least lessen, the impact of everything from security breeches to hardware failures. The idea is that anything that can cause an information system to fail in any way is a security incident. I was not authorized to perform pen tests, as that was managed by a different organization than I worked for, but I did perform vulnerability scans and tests to ensure systems were configured correctly. The process also required an in depth review of documentation to ensure that everything was up to date and accurate (and that it existed). DOD Instruction 8500.2 goes over most of what is involved. It's available here: http://www.diacap.net/Documents/DODI%2085002p-signed.pdf 
I suggest a good dose of caffeine before you attempt to read that, though. It's pretty boring stuff :D
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

During and after that shift to cloud, one area that still poses a struggle for many organizations is what to do with their department file shares.
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses
Course of the Month15 days, 10 hours left to enroll

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question