Home page logo
/

basics logo Security Basics mailing list archives

Defining a long-term audit plan
From: Joe <bitshield () gmail com>
Date: Fri, 17 Aug 2007 23:04:31 +0200

Hello

In order to review my employer's information security I would like to
set up a long-term audit plan. This plan should define the audits for
the following 3-5 years, so that ideally every information security
area is covered at least once within this time frame.

What do you think is the best approach to do that?

Would it for example make sense to make an initial enterprise-wide
audit in order to identify areas that should receive the highest
priority so that the following years can be planned according the
identified deficits?

Or would it make sense to define 3-5 information security areas so
that each of these are will be tested once within the predefined time
frame? If such a solution makes sense, then what should be the general
areas? My current idea is to audit the following areas:
-       Operational security
-       Organizational security
-       Business continuity
-       Physical security
-       Personnel security

Do these areas provide a good coverage of the information security area?

There are various audit standards and methodology but I didn't find
anything useful for long-term audit plans. What are your experiences?
Are there good sources available?

Thanks for participating in this discussion
Joe


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]