Re: Audit Framework

["cta () hcsin net" <cta () hcsin net>]

On 8 Oct 2005 at 10:57, JSZ wrote:

> Hello all-
>
> My company has recently asked me to perform a high-level security audit of
> a potential ASP partner. If we were to outsource to this provider they
> would be responsible for a large amount of proprietary customer and
> associated data.
>
> I was wondering if anyone has pointers to an audit methodology and
> associated risk rankings from which I can base my audit.
>
> The following is a list of items that I plan to cover during the audit:
>
> - Network Access Control
>
> - OWASP top 10 and associated development practices
>
> - Firewall / IDS configuration
>
> - Source code mgmt
>
> - Change management
>
> - General policies and procedures
>
> - Employee Term Process
>
> - Remote access process
>
> - Password management
>
> - Security training
>
> - Proper use of encryption
>
> - Wireless use (WEP/WPA etc..)
>
> - Scanning for rouge AP's
>
> - Patch mgmt
>
> - Log correlation
>
> - Server config / lockdown
>
> - Desktop policy
>
>
>
> Any help is appreciated…
>
>
>
> JSZ
If your company is serious about protecting it's assets, and effectively
identifying and controlling security risks, vulnerabilities and potential
threats, then, in my opinion, the following tasks should be included in
your audit:

General background check on vendor, e.g., Better Business Bureau, customer
complaints and recommendations, lawsuits, etc. This task is not out of the
scope of IT security auditing when one is charged with doing a true high
level security audit of an ASP vendor/partner. Should be done first.

Request and Review of:

SLA (Service Level Agreement), uptime and security incident summary
reports

Network Architecture and Infrastructure documentation and drawings

Data Management Controls and the Policies, Practices and Procedures that
ensure data integrity, confidentiality and availability.

Problem and Incident Management Policies, Practices and Procedures

Disaster Recovery and Business Continuity, Policies, Practices and
Procedures

Facilities Management Controls, (e.g. Physical Security and Access
Control, Visitor Escort, Personal H/S, Protection against environmental
factors, UPS) and related Policies, Practices and Procedures.

--
****************************************************
Bernie, CISM
cta () hcsin net
Chief Technology Architect / Chief Security Officer
Euclidean Systems
*******************************************************
// "There is no expedient to which a man will not go
//    to avoid the pure labor of honest thinking."
//     Honest thought, the real business capital.
//      Observe> Think> Plan> Think> Do> Think>
*******************************************************