Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Using audits and auditors to your advantage

Posted on 2011-02-24
3
Medium Priority
?
288 Views
Last Modified: 2012-05-11
It seems to me 3rd party security audits / pen tests do nothing but upset the internal security guy and typically cost a fair few $$ to address the weaknesses. Whereas they are crucial, I suspect not all directors of companies love to see a pen test  in their diary.

But, in terms of infrastructure, operations, policy, apps - if you were a network admin or director of It for a company, where could you use your auditors to look at areas that could save the business money, or to benefit the company as opposed to find flaws that will cost money? What types of audits save companies money as opposed to cost companies money? Any pointers?
0
Comment
Question by:pma111
  • 2
3 Comments
 
LVL 44

Accepted Solution

by:
Adam Brown earned 1000 total points
ID: 34974641
As one of the guys who has performed IT audits, there are a lot of areas that can use a lot of improvement in most organizations. One of the things that always seems to be lacking is documentation. IT guys tend to keep key processes and procedures in their heads rather than writing them down. That can cause a lot of trouble if one of those guys gets sacked or, worse, dies (I've seen that one happen before a couple times. It wasn't pretty). I don't know any companies that perform procedural reviews and such, but it is required of DoD networks (DIACAP auditing deals a lot with documentation). Having all your processes and procedures documented can save you a lot of money in training and a lot of work when the guy who knows everything isn't available. But that's just one. For the most part, even pen tests can result in a MAJOR cost savings in the long run if the audits find major holes that could be used to a hacker's benefit. Yes, you have to put money into closing holes, but that cost is usually small in comparison to what the results are if someone takes advantage of that hole. That said, a good risk analysis of weaknesses that are found is important, because there are security holes that are not worth the expense of closing. Risk analysis will help you identify those holes and find ways to mitigate the problem if outright eliminating it is too costly.
0
 
LVL 3

Author Comment

by:pma111
ID: 35004989
Thanks acbrown, what kinds of audits did you undertake? Were they predominantly security audits / pen tests, if not what other areas? Was it internal audits you did or for various customers?
0
 
LVL 44

Expert Comment

by:Adam Brown
ID: 35007246
I performed DIACAP audits on US Army installations. DIACAP is the DoD accreditation system for Information technology and it covers pretty much every angle of the CIA triad (Confidentiality, Integrity, Availability). If an installation does not meet the requirements of a DIACAP audit, the DoD ISP has the authority to basically cut their Internet connection to protect the rest of the government networks. The focus was on security, but in a broader sense than just avoiding malicious attacks. IT Security (or more correctly, Information Assurance) tries to help organizations plan for and avoid, or at the very least lessen, the impact of everything from security breeches to hardware failures. The idea is that anything that can cause an information system to fail in any way is a security incident. I was not authorized to perform pen tests, as that was managed by a different organization than I worked for, but I did perform vulnerability scans and tests to ensure systems were configured correctly. The process also required an in depth review of documentation to ensure that everything was up to date and accurate (and that it existed). DOD Instruction 8500.2 goes over most of what is involved. It's available here: http://www.diacap.net/Documents/DODI%2085002p-signed.pdf 
I suggest a good dose of caffeine before you attempt to read that, though. It's pretty boring stuff :D
0

Featured Post

Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tech spooks aren't just for those who are tech savvy, it also happens to those of us running a business. Check out the top tech spooks for business owners.
If you try to migrate from Elastix to Issabel, you will face a lot of issues. These problems are inevitable but fortunately, you can fix them. In the guide below, I will explain how I performed the migration while keeping all data and successfully t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
There's a multitude of different network monitoring solutions out there, and you're probably wondering what makes NetCrunch so special. It's completely agentless, but does let you create an agent, if you desire. It offers powerful scalability …

572 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question