Using audits and auditors to your advantage

Posted on 2011-02-24
Last Modified: 2012-05-11
It seems to me 3rd party security audits / pen tests do nothing but upset the internal security guy and typically cost a fair few $$ to address the weaknesses. Whereas they are crucial, I suspect not all directors of companies love to see a pen test in their diary.

But, in terms of infrastructure, operations, policy, apps - if you were a network admin or director of IT for a company, where could you use your auditors to look at areas that could save the business money, or to benefit the company, as opposed to finding flaws that will cost money? What types of audits save companies money as opposed to costing companies money? Any pointers?
Question by: pma111
3 Comments
Accepted Solution

by: Adam Brown (earned 250 total points)
As one of the guys who has performed IT audits, there are a lot of areas that can use a lot of improvement in most organizations. One of the things that always seems to be lacking is documentation. IT guys tend to keep key processes and procedures in their heads rather than writing them down. That can cause a lot of trouble if one of those guys gets sacked or, worse, dies (I've seen that one happen before a couple of times. It wasn't pretty). I don't know any companies that perform procedural reviews and such, but it is required of DoD networks (DIACAP auditing deals a lot with documentation). Having all your processes and procedures documented can save you a lot of money in training and a lot of work when the guy who knows everything isn't available.

But that's just one. For the most part, even pen tests can result in a MAJOR cost savings in the long run if the audits find major holes that could be used to a hacker's benefit. Yes, you have to put money into closing holes, but that cost is usually small in comparison to what the results are if someone takes advantage of that hole. That said, a good risk analysis of weaknesses that are found is important, because there are security holes that are not worth the expense of closing. Risk analysis will help you identify those holes and find ways to mitigate the problem if outright eliminating it is too costly.
Author Comment

by: pma111

Thanks acbrown, what kinds of audits did you undertake? Were they predominantly security audits / pen tests? If not, what other areas? Was it internal audits you did, or for various customers?
Expert Comment

by: Adam Brown

I performed DIACAP audits on US Army installations. DIACAP is the DoD accreditation system for information technology and it covers pretty much every angle of the CIA triad (Confidentiality, Integrity, Availability). If an installation does not meet the requirements of a DIACAP audit, the DoD ISP has the authority to basically cut their Internet connection to protect the rest of the government networks. The focus was on security, but in a broader sense than just avoiding malicious attacks. IT Security (or more correctly, Information Assurance) tries to help organizations plan for and avoid, or at the very least lessen, the impact of everything from security breaches to hardware failures. The idea is that anything that can cause an information system to fail in any way is a security incident.

I was not authorized to perform pen tests, as that was managed by a different organization than the one I worked for, but I did perform vulnerability scans and tests to ensure systems were configured correctly. The process also required an in-depth review of documentation to ensure that everything was up to date and accurate (and that it existed). DoD Instruction 8500.2 goes over most of what is involved. It's available here: http://www.diacap.net/Documents/DODI%2085002p-signed.pdf

I suggest a good dose of caffeine before you attempt to read that, though. It's pretty boring stuff :D