Auditing Security Practices (Reference)
The first step for evaluating security controls is to examine the organization’s policies, security governance structure,
and security objectives because these three areas encompass the business practices of security.
Security controls are selected and implemented because of security policies or security requirements mandated by
law.
Some criteria against which you can evaluate the security service are:
• Evaluation against the organization’s own security policy and security baselines
• Regulatory/industry compliance—Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley
Act (SOX), Gramm-Leach-Bliley Act (GLBA), and Payment Card Industry (PCI)
• Evaluation against standards such as NIST 800 or ISO 27002
• Governance frameworks such as COBIT or COSO
After you have identified the security audit criteria that the organization needs to comply with, the next phase is to
perform assessments to determine how well the controls achieve their goals. A number of assessments are usually
required; which ones are appropriate is determined by referring back to the scope, which defines the boundaries of
the audit.
The following are types of assessments that might be performed to test security controls:
• Risk assessments: This type of assessment examines potential threats to the organization by listing areas that
could be sources of loss such as corporate espionage, service outages, disasters, and data theft. Each is prioritized
by severity, matched to the identified vulnerabilities, and used to determine whether the organization has adequate
controls to minimize the impact.
• Policy assessment: This assessment reviews policy to determine whether the policy meets best practices, is
unambiguous, and accomplishes the business objectives of the organization.
• Social engineering: This involves penetration testing against people to determine whether security awareness
training is effective and whether physical security and facilities are properly protected.
• Security design review: The security design review is conducted to assess the deployment of technology for
compliance with policy and best practices. These types of tests involve reviewing network architecture and design
and monitoring and alerting capabilities.
• Security process review: The security process review identifies weaknesses in the execution of security
procedures and activities. All security activities should have written processes that are communicated and
consistently followed. The two most common methods for assessing security processes are through interviews and
observation:
  • Interviews: Talking to the actual people responsible for maintaining security, from users to systems
  administrators, provides a wealth of evidence about the people aspect of security. How do they feel about corporate
  security methods? Can they answer basic security policy questions? Do they feel that security is effective? The kind
  of information gathered helps identify any weakness in training and in the organization’s commitment to adhering to
  policy.
  • Observation: Physical security can be tested by walking around the office and observing how employees conduct
  themselves from a security perspective. Do they walk away without locking their workstations, or do they have
  sensitive documents sitting on their desks? Do they leave the data center door propped open, or do they lack a
  sign-out procedure for taking equipment out of the building? It is amazing what a stroll through the cubicles of a
  company can reveal about the security posture of an organization.
• Document review: Checking the effectiveness and compliance of the policy, procedure, and standards
documents is one of the primary ways an auditor can gather evidence. Checking logs, incident reports, and trouble
tickets can also provide data about how IT operates on a daily basis.
• Technical review: This is where penetration testing and technical vulnerability testing come into play. One of the
most important services an auditor offers is to evaluate the competence and effectiveness of the technologies relied
upon to protect a corporation’s assets.