IT Auditing & Penetration Testing

Hi, I want to start an IT business in the IT Auditing & Penetration Testing field. I need guidelines, like which services I can start with in this field, what type of services I can provide, how many team members I need, and whether there is any kind of licence I need. I know the question sounds very ridiculous to ask here, but any kind of help will be appreciated.
Rahul Dev Singh Asked:

Fadi SODAH (aka madunix), Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP, CCIP, SCSC and SCE, Commented:
IT auditing is a really wide field; however, the COBIT 5 framework is a nice starting point for IT auditing.

I would suggest that you include these essential areas in your document:
(1) Network configuration;
(2) Current operations procedures;
(3) Offsite data storage;
(4) Disaster recovery program.
Also, you should ask a manager about the Disaster Recovery objectives and the business continuity plan. If she/he is unable to provide you with that, there isn't a plan for BCP and DR. Management should look at business risks and technical risks and should be able to make the main BCP, taking the following points/questions into consideration:

1) During the course of a disaster or significant disruption, does your organization have written plans for business continuity and IT disaster recovery?

2) If you answered “Yes” to question (1), do the established plans cover critical business functions with recovery priorities?

3) Have you performed a business impact analysis including Recovery Time Objective and Recovery Point Objective?

4) Does your Business Impact Analysis calculate and classify the financial risk of disturbances to all vital functions?

5) Have you taken actions to mitigate known risks and single points of failure (e.g. power loss, physical access, etc.)?

6) Do you have a dedicated team of professionals focused on business continuity and/or IT disaster recovery?

7) If you answered “No” to question (6), is there an established external business continuity and disaster recovery service provider to handle your planning needs?

8) Is senior management fully committed to disaster recovery and business continuity?

9) Are your disaster recovery costs, options, and disaster declaration procedures understandable?

10) Do you have a sufficient budget to support your disaster recovery program?

11) Is your business continuity plan updated regularly to keep it current with hardware, software, business and staffing changes?

12) Is there an organized training and awareness program for your employees?

13) Does your disaster recovery centre have an operation centre?

14) Is there remote accessibility to your disaster recovery centre?

15) If you answered “Yes” to question (1), is the plan periodically tested?

16) If you answered “Yes” to question (15), how often is the plan tested?
    Annually                -----------------------
    Semi-annually           -----------------------
    Other (please specify)  -----------------------

17) Did you test the plan in 2008 and the first half of 2009?

18) If you answered “Yes” to question (17), please specify the test dates and whether the tests were satisfactory or not.
    Test Dates                Satisfactory?   Yes     No
    (1) ------------------                    ....    ....
    (2) ------------------                    ....    ....
    (3) ------------------                    ....    ....
    (4) ------------------                    ....    ....
    (5) ------------------                    ....    ....
    (6) ------------------                    ....    ....

18.1) Who rates the success criteria of the executed tests?
Internally Rated

19) Do the tests include market participants who have direct or indirect relations with your organization?

19.1) Do you practice spontaneous tests to recover from a Disaster Recovery Site and resume the day from that location?

20) Have you tested your plan using a worst-case scenario?

21) Has your plan been tested for the possibility of facility loss?

22) If you answered “Yes” to questions (20) or (21), did testing prove that you can follow all Recovery Time Objective and Recovery Point Objective?

23) In the event of any disaster case how long does it take for you to stand up your system? (Please specify)


24) Does your organization have a documented crisis management process?

25) If you answered “Yes” to question (24), during the event of a crisis does the process cover internal and external communications?

26) In the case of a disaster are you prepared to address liabilities and responsibilities?

27) In the event of an outage or emergency do you provide detailed contact information?

28) Do you have a recovery strategy?

29) If you answered “Yes” to question (28), what is your organization's recovery strategy?

    - Hot sites
    - Warm sites
    - Cold sites
    - Duplicate information processing facilities
    - Mobile sites
    - Reciprocal arrangements with other organizations

30) Where is your disaster recovery centre, and please specify how many kilometres away it is from your organization?


31) Do you have a backup strategy?

32) Do you have written backup and archive procedures?

33) Do you have industry-standard back-up solutions? (media, tape drives, library, software etc.)

34) To ensure sufficient permanent access, do you have a migration policy to "refresh" tape technology and data formats every three to five years?

35) Do you always use the "verify" option to ensure that your system backups are working?

36) Do you periodically test your back-up media?

37) Can you access your past data with your back-up strategy?

38) Are backups fully automated for unattended operation (autoloaders, etc.)?

39) If your backups are manual, do you follow a sound process and written procedures?

40) If your backups are not manual, do you have online backup?

41) Does your current backup and recovery methodology fulfill management’s business uptime needs?

42) Do you regularly send your backup copy to a safe, off-site archive?

43) Do you have a retention period on backup data for legal obligations?

44) Is media properly taken care of when shipped, handled, stored, and used?

45) Is your archive system designed to facilitate data format standards and an archive tape tracking method?

Links for reading:
Fadi SODAH (aka madunix), Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP, CCIP, SCSC and SCE, Commented:
Just a few things:

SLA (service-level agreement)
Change management procedures
Source code/document version control procedures
Software development life cycle standards
Logical access policies, standards and processes
Incident management policies and procedures
Problem management policies and procedures
Technical support policies and procedures
Hardware/software configuration
Disaster recovery/backup and recovery procedures

Commitment and understanding (general):
Senior management’s commitment to information security initiatives. Management’s understanding of information security issues. Alignment of information security with the enterprise’s objectives. Executive and line management’s ownership and accountability for implementing, monitoring and reporting on information security.

Organizational structure:
Obtain an organizational diagram and establish that there is sufficient segregation of duties, roles and responsibilities (not only departmental).
Who is granting access to what and how is this being done? Who is revoking access and how is this done?
(not only to systems but also Physical access).

Classification of data and assets. Through classification of data, the security measurements taken will be in line with the importance of the data /assets. (if correctly implemented)

Physical access
Physical access (in general), factor in who has access to what and why?

Training in general
Security awareness training for all involved. Not only for sys admin but also for users in general. Users are the key in security. (not once or twice a year but frequently).

For IT auditing I would recommend taking ISACA as a framework.

Read my document:
btan, Exec Consultant, Commented:
First you need to really identify the difference between an audit and a pentest. In short form and quick summary, the former checks for policy/standard compliance and the latter checks for security control effectiveness (which sometimes can be confused with vulnerability scanning, which is passive verification and does not really associate closely with business context and impact). A pentest is more active validation and kind of no-holds-barred, out to sieve out gaps and penetrate further. It is to prove that the business risk is real and that the exposure needs to be addressed holistically rather than through many cycles of find-and-patch. It should link multiple vulnerabilities to explore the real business risk.

With this understanding, I believe you already see that an auditor has to be fully apprised of and well versed in the sort of policies and standards such as PCI-DSS, ISO/IEC 27001, SOX and others that you will want the audit to be aligned with. It doesn't mean you need to be the policy owner or be digesting and memorising that material, but you must be able to ascertain what each clause means, why each policy clause exists, and how each clause is demonstrated and fulfilled to meet the rationale. It can be manual, paper-based and walkthrough, which mostly can be checklist driven.

However, a pentest is set to drill in to verify that the scope of targets to be assessed is duly protected, and to validate how effectively the protection is able to prevent penetration from an internal and external threat perspective. It also includes the assessment of how impactful and severe the risk involved is once a vulnerability is exposed. Those low-hanging fruits can be surfaced straightforwardly and used to further "exploit" into the company to get the crown jewels, to demonstrate the seriousness. It is kind of no-holds-barred, but with a set of rules of engagement that is concurred by the owner and senior executive before the whole activity starts.

The processes and team involved for both can be the same or different, but definitely the core set of ethics, project deliverables and competency with the right skillset are required to run through and lead the user in the activities throughout the cycle. The communication aspect towards the end user and owner is the final piece of the whole puzzle, as your team has to get all pieces in place and present the final picture to the company.

Also, for any business, there should be a well-established plan for long-term goals and short-term milestones. The small wins earn credibility, especially in this line of business of security assessment and testing. It will be best to get experienced folks who already have a good relationship with the security community and know the workings of law enforcement on the legislative aspects of the conduct. This helps if they are in partnership with you or are one of your core team. This needs time to nurture and is not a one-night effort to establish the security trustworthiness of the company. Going to security seminars and even trying to present your know-how in this area can kick-start awareness of you and your company...

But one important point to note is that such audit and pentest assessments are point-in-time assessments. They are never a continual analysis or monitoring activity. Hence look into checking and advising on the regime and period of these engagements. It is really very close to doing a health check-up. You do not only check your health when you sense (or are already hit by) something wrong, as it can be too late and an afterthought.

Below are some good sources that you can further check out; expect no less from your potential customers, as these can be their baseline demands and expectations.

SANS - there are related training courses, but I will say the networking with the folks and community is a good source to further your connections and sharing. SANS also has the reputable 20 Critical Controls, which you may likely see in the testing and auditing phases. Some materials include

Training (pentest) @ & &
Conducting a Penetration Test on an Organization @
An Overview of Threat and Risk Assessment @
20 Critical controls @
It is also good to know the methodology put up by public services on security audit and risk assessment (appendix with the checklist and guidelines), to minimally know the expectations too.

NIST - it came up with (SP) 800-115, which is a Technical Guide to Information Security Testing and Assessment that scopes (or should I say most companies in such services have this as a baseline offering) and lists out the hows and whats in the conduct of this testing and assessment. Also SP 800-53 rev4 is a must-know, as the security controls will be the answer or guidance on the measures to comply with each policy clause and the effective control in place to withstand penetration.
(check out the Rules of Engagement Template in app B)
Various good links @

CESG - an initiative to help build up the industry to be ready and capable for the public service to tap expertise to perform security activities such as pentest and audit. Being a CHECK provider will open opportunities and gain more worthy queries on your services... @

A penetration testing standard which provides the technical mindmap and detailed activities involved. It also covers the key phases of Pre-engagement Interactions, Intelligence Gathering, Threat Modeling, Vulnerability Analysis, Exploitation, Post Exploitation and Reporting. These are pretty standard for most providers.

Also you can catch my articles about the activities and the questions asked in such security activities:
Cyber playbook @
Savvy qns @

Fadi SODAH (aka madunix), Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP, CCIP, SCSC and SCE, Commented:
In the Google search box write: "What IT Auditor should know"
You will be able to get a lot of useful documents.
Rahul Dev Singh, Author, Commented:
I have already checked that @madunix
btan, Exec Consultant, Commented:
You may also want to know about the Information Assurance Support Environment (IASE) from the US, which stated in its DoD Directive 8570.01 that drives the policy for the right skill set for the Information Assurance workforce. It came out with a summary of the IA Workforce Qualification Requirements @
This may be relevant, and it is mapped to the certifications recognised to meet each level @

Specific to Auditor - CISA, GSNA and CISSP are likely the ones expected by customers... but certification does not necessarily mean there is experience and the skillset in the individual. Experience in past assignments in the credential will be more credible.

I also find relevance and importance in that the service will need to ascertain compliance to a standard. For PCI-DSS, the below are necessary for qualification to perform the security assessment:
- Qualified Security Assessor (QSA)
- Approved Scanning Vendors (ASVs)
- Internal Security Assessor (ISA)

Likewise another well-recognised standard base is ISO 27001. Typically you will expect an ISO/IEC 27001 Lead Auditor certificated individual who is able to audit with respect to this standard. Look at the various seniority levels @

In the UK there is the CESG Certified Professional (CCP) scheme, which is the UK Government’s approved standard of competence for cyber security professionals and provides an independent assessment and verification process for those working in Information Assurance (IA). The various roles and qualifications are also stated below; do see the IA Auditor and Pen Tester roles @

As a whole, the team (for a start) is likely to be 2-3 pax, with a lead and the others being SME domain specialists on their core competence in scripting, tool usage, scenario test plans and system/application-specific test cases. The team may vary based on the size of the customer environment and the scope of work (from a global MNC network to a specific website or policy check).
Fadi SODAH (aka madunix), Chief Information Security Officer, CISA, CISSP, CFR, ICATE, MCSE, CCNA, CCNP, CCIP, SCSC and SCE, Commented:
You need to obtain an understanding of the entity's Information Technology environment and a preliminary understanding of the IT general controls and IT applications in place, so as to be able to evaluate the effectiveness of the Information Systems in addressing the IT risks and to consider whether there are any implications. Find attached a sample document that I use for auditing.
btan, Exec Consultant, Commented:
Nice one from madunix. You can also check out the ISO 27001/2 implementation and guidelines (docx) that cover all 39 control objectives @
- Risk assessment and treatment,
- Security policy,
- Organizing information security,
- Asset management,
- Physical and environmental security,
- Communications and operations management,
- Access control,
- Information systems acquisition, development and maintenance,
- Information security incident management,
- Business continuity management,
- Compliance

Also do take a look at the SP 800-115 pdf (2nd link) in the previous posting, which is useful in various sections. Section 6 on Security Assessment Planning covers approaches such as:
A - minimizing risk to the assessment from identified vulnerabilities
> Step 1. Documentation Review
> Step 2. Ruleset and Security Configuration Review
> Step 3. Wireless Scanning
> Step 4. Network Discovery and Vulnerability Scanning

B - validating controls, including attempts to exploit selected vulnerabilities
> Step 1. Ruleset and Security Configuration Review
> Step 2. Network Discovery and Vulnerability Scanning
> Step 3. Penetration Test with Social Engineering

C - evaluating the effectiveness of the organization’s audit capabilities for attacks against the system
> Step 1. External Penetration Testing
> Step 2. Log Review

The assessor skill set (as also in that section) includes:
significant security and networking knowledge, including expertise in network security, firewalls, intrusion detection systems, operating systems, programming, and networking protocols (such as TCP/IP)
Operational experience is preferred to classroom or laboratory training. Allowing inexperienced or untrained staff to conduct technical tests can negatively affect an organization’s systems and networks, potentially hindering its mission and damaging the credibility of its security program management office and assessors. It is also beneficial to have a technical writer or other individual on the team with strong technical writing skills.
Likewise the key lead in the team should note this:
The team’s leader should be selected based on overall technical knowledge and experience with the type of techniques being executed, and knowledge of the assets being assessed. Team leaders should also have strong communication, organization, planning, and conflict resolution skills.
btan, Exec Consultant, Commented:
Also the Mehari documentation has rich info on 27001 compliance, and its checklist is useful for a security auditor too. It serves the purpose of reviewing the questionnaire in each of the domains of the ISO/IEC 27002 controls, including its suggested measures, and streamlines into the risk assessment methodology (aligned to ISO/IEC 27005:2008) to identify, classify severity, and suggest mitigation/remediation to complete the whole picture of the assessment. I tend to see risk assessment as one worthy value-add that you can consider in terms of the assessment you are conducting. It should align to the business context of your client and not be generalised.

Check out its knowledge base and documentation.
They stated 2010, but the assessment basis and scope will not change much.

It covers these themes in the questionnaire, which are applicable also for IT audit as a whole:
Roles and organization
Security awareness and training, Human resources management
Physical access control (sites, buildings and premises)
Miscellaneous Risks
Networks and Systems Architecture
Control of the exchanges
Logical access control
Security of data
Operational procedures
Management of data containers
Protection of documents and written information
Recovery Plans
Projects and developments
Incident management
Audit management
Compliance management
Information security management system
btan, Exec Consultant, Commented:
You may also want to be aware of the Statement on Standards for Attestation Engagements (SSAE) No. 16. It supersedes Statement on Auditing Standards (SAS) No. 70 with the professional guidance on performing the service auditor's examination. The main deliverables, also widely used and required, include the SSAE 16 SOC I and SOC II reports. Likewise the controls and their effectiveness are evaluated and audited.

There is another worthy mention: International Standard on Assurance Engagements (ISAE) No. 3402, Assurance Reports on Controls at a Service Organization. It provides an international assurance standard allowing public accountants to issue a report for use by user organizations and their auditors (user auditors). It primarily focuses on financial reporting and the associated supporting ICT systems in a service organization. Specifically, you may want to note this, which covers the Trust Services Principles and Criteria:
Public accounting firms and practitioners, who obtain a WebTrust business license from the AICPA or CICA, can provide assurance services to evaluate and test whether a particular eCommerce service meets the selected Trust Services principles and criteria. The WebTrust seal of assurance is placed on the organization's web site following the engagement and signifies the practitioner's unqualified opinion.

A SysTrust engagement allows public accounting firms and practitioners to provide assurance on the reliability of a system using any of the Trust Services Principles and Criteria with the exception of the Online Privacy Principle and Criteria. The Online Privacy Principle and Criteria can only be used for a WebTrust engagement.

For your case, I believe the SOC II report is more relevant; the latter is based upon the Trust Services Principles, specifically drilling into controls relevant to operations and compliance. SOC I is mainly an audit of a user entity’s financial statements.
Rahul Dev Singh, Author, Commented:
Thank you guys... it was really helpful.