Does anyone know where one can go to see what a security audit report looks like?
The format of the reports.
Perhaps even some templates of different types of security audit reports.
I searched TechRepublic; not much there of use.
What kind of audit are you speaking of?
Overall security (IT I presume) of a company or a portion?
External or Internal or Both.
Does it include social engineering aspects or just pen testing and configuration audits?
How about policy and procedure audits?
Or are you just looking for all of the above?
If you are speaking of pen testing and/or exploit auditing, the Nessus reporting is a good starting point.
Most of the scanner sites have sample reports.
http://www.hackerwhacker.com used to have a sample report. The URL is not working now, so not sure if they are still around. It's been a while.
Some more detail about what you are looking for will help narrow down results.
www.wildpackets.com/elements/whitepapers/Security_Audit.pdf (PDF file)
This may or may not help.
http://www.isecom.org/osstmm/
It's the Open Source Security Testing Methodology Manual
Or this: http://www.sans.org/resources/policies/#template
Thanks to all for the reply.
Quote:
Originally posted here by ss2chef
What kind of audit are you speaking of?
Overall security (IT I presume) of a company or a portion?
External or Internal or Both.
Does it include social engineering aspects or just pen testing and configuration audits?
How about policy and procedure audits?
Or are you just looking for all of the above?
If you are speaking of pen testing and/or exploit auditing, the Nessus reporting is a good starting point.
Most of the scanner sites have sample reports.
http://www.hackerwhacker.com used to have a sample report. The URL is not working now, so not sure if they are still around. It's been a while.
Some more detail about what you are looking for will help narrow down results.
The audit is to be internal and departmental. I am auditing a network site. They are located separately from my main network site, but they all connect to my F&P servers.
We have never done one before, so this is a first.
I was going to look at:
* backup procedures.
* installs of non-approved apps/servers
* licensing tracking
* network scan to see what is viewable to outsiders. There is a firewall.
I was also going to borrow their key, go in on a weekend and note how many staff wrote their user names & passwords on yellow stickies in & around their desks.
Penetration testing was not going to be minimal for now.
We run centrally managed AV/FW on all clients. Unless the users actually uninstall them, they are fairly secure. We've got the odd smart ass who thinks he's too good for a managed desktop. Those guys I will flag as unsecure hosts regardless.
Is there a written and approved security policy?
If there is one, verify if they've followed the rules.
You need to have a target to audit against.
As SirDice said, the corporate policy; however, this is likely to be too vague for this type of audit. There should be a standard these systems were developed against, and then procedures based on those standards. If this documentation does not exist... it might be high time to choose a few appropriate standards and treat this audit as a baseline for a migration project.
cheers,
catch
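To make the "audit against a baseline" point concrete, here is an added Python example; it is not from the thread or from any poster. It takes the checklist items from the earlier post (managed AV/FW still installed, non-approved apps, licensing, ports reachable from outside the firewall, backup age) as observed facts per host, checks each host against a constructed baseline standing in for the written policy, and renders a findings table plus severity counts for a management summary. The host names, control identifiers (CTRL-*), thresholds and the three sample hosts are all invented for illustration.

```python
"""Added example: audit observed host state against a policy baseline.

Not from the original thread. Baseline values, control IDs and the sample
hosts below are constructed for illustration only.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed baseline standing in for the department's written policy.
BASELINE = {
    "required_agents": {"managed-av", "managed-fw"},
    "approved_software": {"managed-av", "managed-fw", "office-suite", "vpn-client"},
    "allowed_external_ports": {443},
    "backup_max_age_days": 7,
}

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Host:
    name: str
    installed: set                     # software observed on the box
    external_open_ports: set           # ports answering from outside the firewall
    last_good_backup_days: Optional[int]  # None: no successful backup on record
    licensed: dict = field(default_factory=dict)  # product -> licence record on file?


@dataclass
class Finding:
    host: str
    control: str   # invented control identifier the finding is measured against
    severity: str
    detail: str


def audit_host(h: Host, baseline: dict = BASELINE) -> list:
    """Compare one host with the baseline; return only the non-compliances."""
    f = []
    missing = sorted(baseline["required_agents"] - h.installed)
    if missing:
        f.append(Finding(h.name, "CTRL-EP-01", "high",
                         "managed endpoint agent(s) removed: " + ", ".join(missing)))
    unapproved = sorted(h.installed - baseline["approved_software"])
    if unapproved:
        f.append(Finding(h.name, "CTRL-SW-02", "medium",
                         "software not on approved list: " + ", ".join(unapproved)))
    unlicensed = sorted(p for p, ok in h.licensed.items() if not ok)
    if unlicensed:
        f.append(Finding(h.name, "CTRL-SW-03", "low",
                         "no licence record for: " + ", ".join(unlicensed)))
    exposed = sorted(h.external_open_ports - baseline["allowed_external_ports"])
    if exposed:
        f.append(Finding(h.name, "CTRL-NET-04", "high",
                         "ports reachable from outside the firewall: "
                         + ", ".join(map(str, exposed))))
    if h.last_good_backup_days is None:
        f.append(Finding(h.name, "CTRL-BK-05", "high", "no successful backup on record"))
    elif h.last_good_backup_days > baseline["backup_max_age_days"]:
        f.append(Finding(h.name, "CTRL-BK-05", "medium",
                         f"last good backup {h.last_good_backup_days} days ago "
                         f"(policy: {baseline['backup_max_age_days']})"))
    return f


def audit(hosts, baseline: dict = BASELINE) -> list:
    """All findings across hosts, worst severity first."""
    findings = [x for h in hosts for x in audit_host(h, baseline)]
    return sorted(findings, key=lambda x: (SEVERITY_RANK[x.severity], x.host, x.control))


def summary(findings) -> dict:
    """Severity counts: the one number set a non-technical reader wants."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for x in findings:
        counts[x.severity] += 1
    return counts


def render(findings) -> str:
    """Plain-text findings table, one line per non-compliance, plus totals."""
    lines = [f"{'HOST':<10} {'CONTROL':<12} {'SEV':<7} DETAIL"]
    for x in findings:
        lines.append(f"{x.host:<10} {x.control:<12} {x.severity:<7} {x.detail}")
    c = summary(findings)
    lines.append(f"\nTotal: {len(findings)} findings "
                 f"(high {c['high']}, medium {c['medium']}, low {c['low']})")
    return "\n".join(lines)


# Constructed sample: three hosts at the remote site (not real data).
SAMPLE_HOSTS = [
    Host("fp-srv-01", {"managed-av", "managed-fw", "office-suite"}, {443, 445}, 2,
         {"office-suite": True}),
    Host("ws-17", {"managed-av", "office-suite", "torrent-client"}, set(), 12,
         {"office-suite": True, "torrent-client": False}),
    Host("ws-22", {"managed-av", "managed-fw", "office-suite", "vpn-client"}, set(), 1,
         {"office-suite": True}),
]

if __name__ == "__main__":
    print(render(audit(SAMPLE_HOSTS)))
```

Every finding carries the control it was measured against, so a reader can trace it back to a sentence in the policy; a host that matches the baseline produces no finding at all, which is what distinguishes an audit from a scan dump.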
When writing the report, make sure you consider the audience.
Who will you be writing the report for? A tech type? A bean counter? A bar graph lover?
Some managers will break down in tears when trying to understand that although you are running a version of software known to be insecure, there is no need to worry because the vendor actually backports changes without changing version numbers...:)
The personal visit is a good idea.
Just the other day, at one of my clients, we found a password sheet of another employee under the keyboard of an executive secretary. Let the fireworks begin.
A written security policy does exist. No one follows it; they couldn't care less about it.
Quote:
Originally posted here by SirDice
Is there a written and approved security policy?
If there is one, verify if they've followed the rules.
It's a great idea, but easier said than done to implement when you are functioning in a *heavily* segmented IT environment.
The business units will go out and buy their own servers and hire their own IT guys if they think you are stepping on their toes.
What can you do? You can't ban them from dealing with vendors or hiring n00b IT guys.
*Welcome to the real world.* My world. :-)
Not sure what that "real world" comment means, as if policies don't exist there...
What is your job as the auditor if not to audit and report non-compliance issues with regard to the policy? Just because other people are messing up doesn't mean that you need to change the way you are doing things. Determine what standards, if any, are mentioned in the policy. The result of your audit should be a red flag to senior management that either the policy needs to change or the organization does... however, unless you measure against something, the audit is useless. (No audit can exist in a vacuum. ;) )
Also, the reason why knowing what standards are applicable matters is that many have predefined audit report schemes, and this will save you a lot of time from trying to reinvent the wheel.
cheers,
catch
My "real world" comment is this...
Quote:
Originally posted here by catch
Not sure what that "real world" comment means, as if policies don't exist there...
What is your job as the auditor if not to audit and report non-compliance issues with regard to the policy? Just because other people are messing up doesn't mean that you need to change the way you are doing things. Determine what standards, if any, are mentioned in the policy. The result of your audit should be a red flag to senior management that either the policy needs to change or the organization does... however, unless you measure against something, the audit is useless. (No audit can exist in a vacuum. ;) )
Also, the reason why knowing what standards are applicable matters is that many have predefined audit report schemes, and this will save you a lot of time from trying to reinvent the wheel.
cheers,
catch
Maybe for you guys out there working in banking, government, military, etc., places where security is paramount, the "security 101" stuff does get followed to the dot, and you as the IT/InfoSec department are able to implement changes. But not all places are military, government or banks. Business units are seeing "security" all over the media and are buying into it, *as long as* they don't have to move a finger or be put out by the inconvenience.
The only time security gets a big push around here is when a web server gets hacked by a kid who just uses it to distribute warez & moviez. The server gets rebuilt and security becomes a big topic at the meetings, but after a week or two things go right back to the way they were.
This audit ain't gonna change squat! I am doing it because it's good experience. I have always wanted to creep out of "sys admin" and into "info sec", and this is an opportunity to put something relevant under my belt and on the resume.
IMHO, things are going to change when a major thing happens that burns everyone. Meaning, something malicious will infiltrate the system and nuke a lot of data. The restore from backups is going to fail and a few years' worth of data will be lost. That's probably when the manglers will burst a blood vessel and implement the changes recommended by IT.
What is done with the audit isn't your concern. It is senior management's concern.
Your concern is audit report templates; as such, it is important to look over the corporate policy to determine which standards are applicable (if not outright called for), then see if said standards have a defined audit procedure.
It doesn't matter if you find a zillion instances of non-compliance that never get fixed. Your original question was: "does anyone know of where one can go to see what a security audit report looks like?" and the answer is, as I stated above... review the applicable standards.
cheers,
catch
Anyone interested? Look for me in the bar after 5 pm.
Audit strategy, templates, business planning and remediation is the MO.
http://www.icba.org/education/education_fr.html