Pau Lo
asked on
Using audits and auditors to your advantage
It seems to me 3rd party security audits / pen tests do nothing but upset the internal security guy and typically cost a fair few $$ to address the weaknesses. Whereas they are crucial, I suspect not all directors of companies love to see a pen test in their diary.
But, in terms of infrastructure, operations, policy, apps - if you were a network admin or director of It for a company, where could you use your auditors to look at areas that could save the business money, or to benefit the company as opposed to find flaws that will cost money? What types of audits save companies money as opposed to cost companies money? Any pointers?
But, in terms of infrastructure, operations, policy, apps - if you were a network admin or director of It for a company, where could you use your auditors to look at areas that could save the business money, or to benefit the company as opposed to find flaws that will cost money? What types of audits save companies money as opposed to cost companies money? Any pointers?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I performed DIACAP audits on US Army installations. DIACAP is the DoD accreditation system for Information technology and it covers pretty much every angle of the CIA triad (Confidentiality, Integrity, Availability). If an installation does not meet the requirements of a DIACAP audit, the DoD ISP has the authority to basically cut their Internet connection to protect the rest of the government networks. The focus was on security, but in a broader sense than just avoiding malicious attacks. IT Security (or more correctly, Information Assurance) tries to help organizations plan for and avoid, or at the very least lessen, the impact of everything from security breeches to hardware failures. The idea is that anything that can cause an information system to fail in any way is a security incident. I was not authorized to perform pen tests, as that was managed by a different organization than I worked for, but I did perform vulnerability scans and tests to ensure systems were configured correctly. The process also required an in depth review of documentation to ensure that everything was up to date and accurate (and that it existed). DOD Instruction 8500.2 goes over most of what is involved. It's available here: http://www.diacap.net/Documents/DODI%2085002p-signed.pdf
I suggest a good dose of caffeine before you attempt to read that, though. It's pretty boring stuff :D
I suggest a good dose of caffeine before you attempt to read that, though. It's pretty boring stuff :D
ASKER