A security audit is a specified process designed to assess the security risks facing a business and the controls or countermeasures adopted by the business to mitigate those risks. It is typically a human process, managed by a team of auditors with technical and business knowledge of the company's information technology assets and business processes. As part of any audit, these teams will interview key personnel, conduct vulnerability assessments, catalog existing security policies and controls, and examine IT assets covered by the scope of the audit. In most cases, they rely heavily on technology tools to perform the audit.

SECURITY AUDITS ARE BEST UNDERSTOOD BY FOCUSING ON THE SPECIFIC QUESTIONS THEY ARE DESIGNED TO ANSWER, SUCH AS:

How difficult are passwords to crack?
Do network assets have access control lists?
Do access logs exist that record who accesses what data?
Are personal computers regularly scanned for adware or malware?
Who has access to backed-up media in the organization?

AUDIT OBJECTIVES

1. The main objective of the audit is to assess the adequacy and effectiveness of EC's security measures and management controls, through four specific objectives focusing on high-risk areas.

2. To assess the adequacy of the physical security threat identification and risk management process, with a focus on activities performed at the facility level.

3. To determine whether roles and responsibilities of all parties involved in departmental physical security are clearly defined, performed by the appropriate party, and cover the span of security activity, as defined by the TB Policy on Government Security.

THE SECURITY AUDIT PROCESS

1. Define the physical scope of the audit: The audit team should define the security perimeter within which the audit will take place. The perimeter may be physically organized around logical asset groups, such as a datacenter-specific LAN, or around business processes, such as financial reporting. Either way, the physical scope of the audit allows the auditors to focus on assets, processes, and policies in a manageable fashion.

2. Define the process scope of the audit: This is often where the rubber hits the road on security audits, as overly broad process scoping can stall audits. At the same time, overly narrow scoping can result in an inconclusive assessment of security risks and controls. This document describes how to effectively scope the security processes or areas that should be included in an audit. It is critical that any business, regardless of size, put limits on the security processes or areas that will be the focus of the audit.

3. Conduct historical due diligence: An oft-forgotten step in security audits is pre-audit due diligence. This due diligence should focus on historical events such as known vulnerabilities, damage-causing security incidents, and recent changes to IT infrastructure and business processes. It should include an assessment of past audits. Furthermore, auditors should compile a complete inventory of the assets located within the physical scope of the audit and a complete list of specified security controls relevant to those assets.

4. Develop the audit plan: An effective audit is almost always guided by a detailed audit plan that provides a specific project plan for conducting the audit. This should include a specific description of the scope of the audit, critical dates/milestones, participants, and dependencies.

5. Perform security risk assessment: Once the audit team has an effective plan in place, they can begin the core of the audit: the risk assessment. The risk assessment should cover the following steps:

   A. Identify and locate the exact assets located within the security perimeter and prioritize those assets according to value to the business. For example, a cluster of web servers supporting the order entry application is more important than a web server supporting the IT department's internal blog.

   B. Identify potential threats against the assets covered by the audit. A threat is defined as something that has the potential to exploit a vulnerability in an asset.

   C. Catalog vulnerabilities or deficiencies for each asset class or type. Vulnerabilities exist for specific types of assets and present opportunities for threats to create risk.

   D. Identify the security controls currently in place for each asset class. These controls must exist and be used on a regular basis. Anything short of this should be noted and not counted towards existing controls. Controls include technologies such as firewalls, processes such as data backup procedures, and personnel such as the systems administrator who manages the relevant assets.

   E. Determine probabilities of specific risks. Audit teams must make a qualitative assessment of how likely it is that each threat/vulnerability will occur for a specific asset class. The probability calculation should account for the ability of existing controls to mitigate risk. This probability should be articulated on a numerical scale.

   F. Determine the potential harm or impact of a threat. Auditors must again make a qualitative assessment of the likely extent of the harm for a specific asset class. Again, this qualitative assessment should be represented on a numerical scale.

   G. Perform the risk calculation. Auditors should multiply the two values above (probability x harm) to calculate risk (probability x harm = risk). These calculations should be performed on an asset-class-by-asset-class basis and will yield a priority list for risk mitigation efforts and specific security controls that need to be implemented.

6. Document the results of the audit: It should go without saying that the results captured above should be documented in detail and proactively presented to decision makers for review. The document should include an executive summary, audit determinations, required updates/corrections, and supporting data in the form of exhibits. The team should also turn the document into a PowerPoint presentation.

7. Specify and implement new/updated controls: The ultimate benefit of a security audit is that it should yield specific recommendations for improving business security. These recommendations should take the form of controls that the business can adopt, the deadline for adoption, and the party responsible for adoption. Do not forget to specify deadlines and specific ownership responsibilities.
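A worked version of the risk calculation in step 5 (D through G), added here as an example and not part of the original document: the sample register, the 1-to-5 scales and the rule that each control verified as in regular use lowers the rated probability by its mitigation value are constructed assumptions for illustration.

```python
"""Risk register scoring using the audit's formula: probability x harm = risk.

Constructed sample data; asset names, scales and mitigation values are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    name: str
    in_regular_use: bool   # step D: a control that is not actually used is not counted
    mitigation: int = 1    # assumption: probability points removed by a working control


@dataclass
class Finding:
    asset_class: str
    threat: str
    vulnerability: str
    probability: int       # step E: inherent likelihood, 1 (rare) .. 5 (near certain)
    harm: int              # step F: impact, 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)


def residual_probability(f: Finding) -> int:
    """Step E: only controls verified as in regular use reduce the likelihood (floor 1)."""
    effective = sum(c.mitigation for c in f.controls if c.in_regular_use)
    return max(1, f.probability - effective)


def risk_score(f: Finding) -> int:
    """Step G: risk = probability x harm, per asset class."""
    return residual_probability(f) * f.harm


def prioritised(findings):
    """Step G: priority list for mitigation, highest risk first."""
    scored = [(f.asset_class, f.threat, risk_score(f)) for f in findings]
    return sorted(scored, key=lambda t: t[2], reverse=True)


# Constructed register: the order-entry cluster from step A, the blog server, backup media.
SAMPLE_REGISTER = [
    Finding("order-entry web cluster", "external attacker", "weak admin passwords", 4, 5,
            [Control("password policy", True), Control("MFA on admin accounts", False)]),
    Finding("IT blog web server", "web defacement", "unpatched CMS plugin", 4, 1),
    Finding("backup media", "theft of backup media", "unrestricted cabinet access", 2, 5,
            [Control("locked media cabinet", True)]),
]

if __name__ == "__main__":
    for asset, threat, risk in prioritised(SAMPLE_REGISTER):
        print(f"{risk:>3}  {asset}: {threat}")
```

Note that the unused MFA control contributes nothing to the order-entry score, which is exactly the "noted but not counted" outcome step D calls for.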