Link to home
Start Free TrialLog in
Avatar of Pau Lo
Pau Lo

asked on

Using audits and auditors to your advantage

It seems to me 3rd party security audits / pen tests do nothing but upset the internal security guy and typically cost a fair few $$ to address the weaknesses. Whereas they are crucial, I suspect not all directors of companies love to see a pen test  in their diary.

But, in terms of infrastructure, operations, policy, apps - if you were a network admin or director of It for a company, where could you use your auditors to look at areas that could save the business money, or to benefit the company as opposed to find flaws that will cost money? What types of audits save companies money as opposed to cost companies money? Any pointers?
ASKER CERTIFIED SOLUTION
Avatar of Adam Brown
Adam Brown
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of Pau Lo
Pau Lo

ASKER

Thanks acbrown, what kinds of audits did you undertake? Were they predominantly security audits / pen tests, if not what other areas? Was it internal audits you did or for various customers?
I performed DIACAP audits on US Army installations. DIACAP is the DoD accreditation system for Information technology and it covers pretty much every angle of the CIA triad (Confidentiality, Integrity, Availability). If an installation does not meet the requirements of a DIACAP audit, the DoD ISP has the authority to basically cut their Internet connection to protect the rest of the government networks. The focus was on security, but in a broader sense than just avoiding malicious attacks. IT Security (or more correctly, Information Assurance) tries to help organizations plan for and avoid, or at the very least lessen, the impact of everything from security breeches to hardware failures. The idea is that anything that can cause an information system to fail in any way is a security incident. I was not authorized to perform pen tests, as that was managed by a different organization than I worked for, but I did perform vulnerability scans and tests to ensure systems were configured correctly. The process also required an in depth review of documentation to ensure that everything was up to date and accurate (and that it existed). DOD Instruction 8500.2 goes over most of what is involved. It's available here: http://www.diacap.net/Documents/DODI%2085002p-signed.pdf 
I suggest a good dose of caffeine before you attempt to read that, though. It's pretty boring stuff :D