Solved

Using audits and auditors to your advantage

Posted on 2011-02-24
Last Modified: 2012-05-11
It seems to me third-party security audits / pen tests do nothing but upset the internal security guy and typically cost a fair few $$ to address the weaknesses. While they are crucial, I suspect not all directors of companies love to see a pen test in their diary.

But, in terms of infrastructure, operations, policy and apps, if you were a network admin or director of IT for a company, where could you use your auditors to look at areas that could save the business money, or to benefit the company, as opposed to finding flaws that will cost money? What types of audits save companies money as opposed to costing companies money? Any pointers?
Question by:pma111
3 Comments
 
LVL 39

Accepted Solution

by:Adam Brown (earned 250 total points)
ID: 34974641
As one of the guys who has performed IT audits, I can say there are a lot of areas that could use a lot of improvement in most organizations. One of the things that always seems to be lacking is documentation. IT guys tend to keep key processes and procedures in their heads rather than writing them down. That can cause a lot of trouble if one of those guys gets sacked or, worse, dies (I've seen that one happen a couple of times before. It wasn't pretty). I don't know of any companies that perform procedural reviews and such, but it is required of DoD networks (DIACAP auditing deals a lot with documentation). Having all your processes and procedures documented can save you a lot of money in training and a lot of work when the guy who knows everything isn't available. But that's just one. For the most part, even pen tests can result in MAJOR cost savings in the long run if the audits find major holes that could be used to a hacker's benefit. Yes, you have to put money into closing holes, but that cost is usually small in comparison to the consequences if someone takes advantage of that hole. That said, a good risk analysis of the weaknesses that are found is important, because there are security holes that are not worth the expense of closing. Risk analysis will help you identify those holes and find ways to mitigate the problem if outright eliminating it is too costly.
 
LVL 3

Author Comment

by:pma111
ID: 35004989
Thanks acbrown. What kinds of audits did you undertake? Were they predominantly security audits / pen tests? If not, what other areas? Were they internal audits you did, or for various customers?
 
LVL 39

Expert Comment

by:Adam Brown
ID: 35007246
I performed DIACAP audits on US Army installations. DIACAP is the DoD accreditation system for information technology, and it covers pretty much every angle of the CIA triad (Confidentiality, Integrity, Availability). If an installation does not meet the requirements of a DIACAP audit, the DoD ISP has the authority to basically cut its Internet connection to protect the rest of the government networks. The focus was on security, but in a broader sense than just avoiding malicious attacks. IT Security (or, more correctly, Information Assurance) tries to help organizations plan for and avoid, or at the very least lessen, the impact of everything from security breaches to hardware failures. The idea is that anything that can cause an information system to fail in any way is a security incident. I was not authorized to perform pen tests, as that was managed by a different organization than the one I worked for, but I did perform vulnerability scans and tests to ensure systems were configured correctly. The process also required an in-depth review of documentation to ensure that everything was up to date and accurate (and that it existed). DoD Instruction 8500.2 goes over most of what is involved. It's available here: http://www.diacap.net/Documents/DODI%2085002p-signed.pdf
I suggest a good dose of caffeine before you attempt to read that, though. It's pretty boring stuff :D
