Constraints, Information Security Methodologies and their needs

1.3.5 Constraints of a security audit:
§ Technology tools constraints
§ Scope of audit engagement
§ Business operations continuity constraints
§ Third party access constraints
§ Time constraints

1.4 Information Security Methodologies (Black-box, White-box, Grey-box)

1.4.1 Need for a Methodology
Audits need to be planned and follow a defined methodology so that they cover the total material risk of an organisation. A planned methodology is also important because it clarifies the way forward for everyone in the organisation and in the audit teams. Which methodology and techniques are used is less important than having all the participants in the audit approach the subject in the same manner.

Audit methodologies
There are two primary methods by which audits are performed: start with the overall view of the corporate structure and drill down to the minutiae, or begin with a discovery process that builds up a view of the organisation. Audit methods may also be classified according to the type of activity. There are three types:
A. Testing – Pen tests and other testing methodologies are used to explore vulnerabilities. In other words, exercising one or more assessment objects to compare actual and expected behaviours.
B. Examination and Review – This includes reviewing policies, processes, logs, other documents, practices, briefings, situation handling, etc. In other words, checking, inspecting, reviewing, observing, studying, or analysing assessment objects.
C. Interviews and Discussion – This involves group discussions, individual interviews, etc.
The three methods combine to form an effective methodology for an overall audit.

1.4.2 Auditing techniques:
There are various auditing techniques used:

Examination Techniques
Examination techniques are generally conducted manually to evaluate systems, applications, networks, policies, and procedures in order to discover vulnerabilities. These techniques include:
• Documentation review
• Log review
• Ruleset and system configuration review
• Network sniffing
• File integrity checking

Target Identification and Analysis Techniques
Testing techniques generally performed using automated tools to identify systems, ports, services, and potential vulnerabilities. These techniques include:
• Network discovery
• Network port and service identification
• Vulnerability scanning
• Wireless scanning
• Application security examination

Target Vulnerability Validation Techniques
Testing techniques that corroborate the existence of vulnerabilities; these may be performed manually or with automated tools. These techniques include:
• Password cracking
• Penetration testing
• Social engineering
• Application security testing

Organisations use a combination of these techniques to ensure effectiveness and meet the objectives of the audit.