These types of tests involve reviewing network architecture and design and monitoring and alerting capabilities.

• Security process review: The security process review identifies weaknesses in the execution of security procedures and activities. All security activities should have written processes that are communicated and consistently followed. The two most common methods for assessing security processes are through interviews and observation: • Interviews: Talking to the actual people responsible for maintaining security, from users to systems administrators, provides a wealth of evidence about the people aspect of security. How do they feel about corporate security methods? Can they answer basic security policy questions? Do they feel that security is effective? The kind of information gathered helps identify any weakness in training and the organization’s commitment to adhering to policy.

• Observation: Physical security can be tested by walking around the office and observing how employees conduct themselves from a security perspective. Do they walk away without locking their workstations or have sensitive documents sitting on their desks? Do they leave the data centre door propped open, or do they not have a sign-out procedure for taking equipment out of the building? It is amazing what a stroll through the cubicles of a company can reveal about the security posture of an organization.

• Document review: Checking the effectiveness and compliance of the policy, procedure, and standards documents is one of the primary ways an auditor can gather evidence. Checking logs, incident reports, and trouble tickets can also provide data about how IT operates on a daily basis.

• Technical review: This is where penetration testing and technical vulnerability testing come into play. One of the most important services an auditor offers is to evaluate the competence and effectiveness of the technologies relied upon to protect a corporation’s assets.§ Evaluation against standards such as NIST 800 or ISO 27002 §Page | 6   Running vulnerability scanning software can result in hundreds of pages of items being flagged as vulnerable when in reality they are not exploitable. Penetration test: The penetration test is intended to assess the prevention, detection, and correction controls of a network by attempting to exploit vulnerabilities and gain control of systems and services. Penetration testers (also known as pentesters) scan for vulnerabilities as part of the process just like a vulnerability assessment, but the primary difference between the two is that a pentester also attempts to exploit those vulnerabilities as a method of validating that there is an exploitable weakness. Successfully taking over a system does not show all possible vectors of entry into the network, but can identify where key controls fail. If someone is able to exploit a device without triggering any alarms, then detective controls need to be strengthened so that the organization can better monitor for anomalies. Security control testing is an art form in addition to a technical security discipline. It takes a certain type of individual and mind-set to figure out new vulnerabilities and exploits. Penetration testers usually fit this mould, and they must constantly research new attack techniques and tools. Auditors, on the other hand, might not test to that degree and will more than likely work with a penetration tester or team if a significant level of§ Configurations, policies, and best practices are all used to identify potential weaknesses in the deployment or design of the entity being tested. These types of assessments are notorious for finding an enormous amount of potential problems that require a security expert to prioritize and validate real issues that need to be addressed. § This technical assessment is intended to identify as many potential weaknesses in a host, application, or entire network as possible based on the scope of the engagement.

 Implement procedures – start making
changes.§
Delineate mitigation plan – what are the exact steps required to minimize the
threats? §

 Review results – perform an AAR on
the audit process.§

 Rinse and repeat – schedule the next iteration
of the process. Auditing Security Practices (Reference) The first step for
evaluating security controls is to examine the organization’s policies,
security governance structure, and security objectives because these three
areas encompass the business practices of security. Security controls are
selected and implemented because of security policies or security requirements
mandated by law.