Audit Process: A successful audit will minimally: 1. Establish a prioritized list of risks to an organization.  2. Delineate a plan to alleviate those risks.  3. Validate that the risks have been mitigated. 4. Develop an ongoing process to minimize risk. 5. Establish a cycle of reviews to validate the process on a perpetual basis. Every successful audit has common properties:  Define the security perimeter – what is being examined?§  Describe the components – and be detailed about it.§  Delineate the available tools – what documents and tools are in use or need to be created?§ Determine threats – what kinds of damage could be done to the systems §  Reporting mechanism – how will you show progress and achieve validation in all areas?§  Prioritize risk – calculate risk as Risk = probability * harm§ Determine Network Access Control list – who really needs access to this? § Review history – is there institutional knowledge about existing threats? §  Implement procedures – start making changes.§ Delineate mitigation plan – what are the exact steps required to minimize the threats? §  Review results – perform an AAR on the audit process.§  Rinse and repeat – schedule the next iteration of the process. Auditing Security Practices (Reference) The first step for evaluating security controls is to examine the organization’s policies, security governance structure, and security objectives because these three areas encompass the business practices of security. Security controls are selected and implemented because of security policies or security requirements mandated by law.§ Regulatory/industry compliance—Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley Act (SOX), Grahmm-Leach-Bliley Act (GLBA), and Payment Card Industry (PCI)§ Evaluation against the organization’s own security policy and security baselines §Some criteria you can use to compare the service of security against are:   Governance frameworks such as COBIT or COSO After you have identified the security audit criteria that the organization needs to comply with, the next phase is to perform assessments to determine how well they achieve their goals. A number of assessments are usually required to determine appropriate means for referring back to the scope, which defines the boundaries of the audit. The following are types of assessments that might be performed to test security controls: • Risk assessments: This type of assessment examines potential threats to the organization by listing areas that could be sources of loss such as corporate espionage, service outages, disasters, and data theft. Each is prioritized by severity, matched to the identified vulnerabilities, and used to determine whether the organization has adequate controls to minimize the impact. • Policy assessment: This assessment reviews policy to determine whether the policy meets best practices, is unambiguous, and accomplishes the business objectives of the organization. • Social engineering: This involves penetration testing against people to identify whether security awareness training, physical security, and facilities are properly protected. • Security design review: The security design review is conducted to assess the deployment of technology for compliance with policy and best practices.