Solved

Using audits and auditors to your advantage

Posted on 2011-02-24
Medium Priority
286 Views
Last Modified: 2012-05-11
It seems to me 3rd party security audits / pen tests do nothing but upset the internal security guy and typically cost a fair few $$ to address the weaknesses. Whereas they are crucial, I suspect not all directors of companies love to see a pen test in their diary.

But, in terms of infrastructure, operations, policy, apps - if you were a network admin or director of IT for a company, where could you use your auditors to look at areas that could save the business money, or to benefit the company as opposed to find flaws that will cost money? What types of audits save companies money as opposed to cost companies money? Any pointers?
Question by:pma111
3 Comments
LVL 43

Accepted Solution

by:
Adam Brown earned 1000 total points
ID: 34974641
As one of the guys who has performed IT audits, there are a lot of areas that can use a lot of improvement in most organizations. One of the things that always seems to be lacking is documentation. IT guys tend to keep key processes and procedures in their heads rather than writing them down. That can cause a lot of trouble if one of those guys gets sacked or, worse, dies (I've seen that one happen before a couple of times. It wasn't pretty). I don't know any companies that perform procedural reviews and such, but it is required of DoD networks (DIACAP auditing deals a lot with documentation). Having all your processes and procedures documented can save you a lot of money in training and a lot of work when the guy who knows everything isn't available. But that's just one. For the most part, even pen tests can result in a MAJOR cost savings in the long run if the audits find major holes that could be used to a hacker's benefit. Yes, you have to put money into closing holes, but that cost is usually small in comparison to what the results are if someone takes advantage of that hole. That said, a good risk analysis of weaknesses that are found is important, because there are security holes that are not worth the expense of closing. Risk analysis will help you identify those holes and find ways to mitigate the problem if outright eliminating it is too costly.
LVL 3

Author Comment

by:pma111
ID: 35004989
Thanks acbrown, what kinds of audits did you undertake? Were they predominantly security audits / pen tests, if not what other areas? Was it internal audits you did or for various customers?
LVL 43

Expert Comment

by:Adam Brown
ID: 35007246
I performed DIACAP audits on US Army installations. DIACAP is the DoD accreditation system for information technology and it covers pretty much every angle of the CIA triad (Confidentiality, Integrity, Availability). If an installation does not meet the requirements of a DIACAP audit, the DoD ISP has the authority to basically cut their Internet connection to protect the rest of the government networks. The focus was on security, but in a broader sense than just avoiding malicious attacks. IT Security (or more correctly, Information Assurance) tries to help organizations plan for and avoid, or at the very least lessen, the impact of everything from security breaches to hardware failures. The idea is that anything that can cause an information system to fail in any way is a security incident. I was not authorized to perform pen tests, as that was managed by a different organization than I worked for, but I did perform vulnerability scans and tests to ensure systems were configured correctly. The process also required an in-depth review of documentation to ensure that everything was up to date and accurate (and that it existed). DOD Instruction 8500.2 goes over most of what is involved. It's available here: http://www.diacap.net/Documents/DODI%2085002p-signed.pdf
I suggest a good dose of caffeine before you attempt to read that, though. It's pretty boring stuff :D