security audit - Page 2

Thread: security audit

  1. #11
    Senior Member
    Join Date
    Jul 2004
    Posts
    131
    Originally posted here by catch
    Not sure what that "real world" comment means, as if policies don't exist there...

    What is your job as the auditor if not to audit and report non-compliance issues with regard to the policy? Just because other people are messing up doesn't mean that you need to change the way you are doing things. Determine what standards, if any, are mentioned in the policy. The result of your audit should be a red flag to senior management that either the policy needs to change or the organization does... however unless you measure against something, the audit is useless. (No audit can exist in a vacuum.)

    Also the reason why knowing what standards are applicable is because many have predefined audit report schemes and this will save you a lot of time from trying to reinvent the wheel.

    cheers,

    catch
    "my real world" comment is this...

    maybe for you guys out there working in banking, gov., military, etc. - places where security is paramount, the "security 101" stuff does get followed to the dot and you as IT/Info Sec. dept. are able to implement changes. but, not all places are military, gov., banks. business units are seeing "security" all over the media, and are buying into it. *as long* as they don't have to move a finger or be put out by the inconvenience.

    the only time security gets a big push around here is when a web server gets hacked by a kid who just uses it to distribute warez & moviez. the server gets rebuilt and security becomes a big topic at the meetings; but after a week or 2, things go right back to the way they were.

    this audit ain't gonna change squat! i am doing it because it's good experience. I have always wanted to creep out of "sys admin" and into "info. sec.", and this is an opportunity to put something relevant under my belt and on the resume.

    IMHO, things are going to change when a major thing happens that burns everyone. meaning, something malicious will infiltrate the system and nuke a lot of data. the restore from backups are going to fail and a few years worth of data will be lost. that's probably when the manglers will burst a blood valve and implement changes recommended by IT.
    More cowbell! We need more cowbell!
    http://www.geocities.com/secure_lockdown/
    - - -
    "Is the firewall there to protect you from the outside world or is it there to protect the outside world from *YOU*?"

  2. #12
    Banned
    Join Date
    May 2003
    Posts
    1,004
    What is done with the audit isn't your concern. It is Sr. Management's concern.

    Your concern is audit report templates, as such it is important to look over the corporate policy to determine which standards are applicable (if not outright called for) then see if said standards have a defined audit procedure.

    It doesn't matter if you find a zillion instances of non-compliance that never get fixed, your original question was: "does anyone know of where one can go to see what a security audit report looks like?" and the answer is, as I stated above... review the applicable standards.

    cheers,

    catch

  3. #13
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Anyone interested? Look for me in the bar after 5 pm.

    Audit strategy, templates, business planning and remediation is the MO.

    http://www.icba.org/education/education_fr.html
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
