When we talk about a security audit, we need to understand what the audit involves: its scope, its various stages, and how it develops.
The first and foremost stage of an audit is establishing the requirements for carrying out the audit of a system.
Let's take a look at some points:
-> What system is to be audited?
-> Is the system in use 24x7?
-> What is the state of the system?
-> What critical functions and processes does it carry out?
-> What data does it process?
-> What is the peak time of access, and how many users/processes use the system on average?
-> Are there any legal responsibilities attached to the data?
-> How should the audit process be carried out?
The points above are just some basic requirements to know before the audit process starts. Together they answer the question WHAT TO AUDIT.
The next step in auditing is HOW TO AUDIT.
This brings us to another point: Information Security Risk Assessment.
Auditing is not done only to check that things and proper controls are in place, but also to perform a risk assessment to determine whether the controls in place are appropriate and justified.
The various steps in an information security risk assessment can be defined as:
-> Asset classification
-> Threat and vulnerability assessment
-> Checking the controls in place to mitigate risks
-> Analysis of controls, feasibility study, decisions and recommendations
-> Complete documentation and a summary report.
Tuesday, March 9, 2010