
Audits and Assessments

Updated Jan 30, 2024

Internal Audits

Internal Audits are systematic evaluations of the effectiveness of internal controls, compliance, and integrity of information systems and processes.

  • Focuses on data protection, network security, access controls, and incident response.
  • Example: Internal review of password policies, user access controls

How it works

  1. The internal audit team checks control policies and procedures against best practices and regulatory requirements.
  2. User access rights are examined to ensure each employee's access is aligned with their responsibilities.
  3. The audit team verifies the user access rights processes, including approvals and timely revocation.
  4. Finally, they test the effectiveness of access controls using accounts with limited permissions.
  5. Findings are documented and used as the basis for recommendations for procedure improvements.
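The following is an added example (not code from the original notes) of the user-access review in steps 2, 3 and 5: it compares a constructed HR roster and role matrix against a constructed account export, flags permissions that exceed the role, grants with no approval record, terminated users whose accounts are still enabled past a revocation deadline, and accounts with no HR record at all. All names, roles, permission strings and the one-day revocation deadline are hypothetical.

```python
"""Added example: a miniature user-access review of the kind an internal
audit team performs. Every data set below is constructed for illustration."""
from collections import Counter
from datetime import date

# Constructed role matrix: the permissions each job role is allowed to hold.
ROLE_MATRIX = {
    "accountant": {"erp_read", "erp_post_journal"},
    "helpdesk":   {"ad_reset_password", "ticketing"},
    "developer":  {"git_push", "ci_trigger"},
}

# Constructed HR roster: each person's role and termination date, if any.
HR_ROSTER = {
    "alice": {"role": "accountant", "terminated": None},
    "bob":   {"role": "helpdesk",   "terminated": None},
    "carol": {"role": "developer",  "terminated": date(2024, 1, 5)},
    "dave":  {"role": "helpdesk",   "terminated": None},
}

# Constructed account export: granted permissions, whether the account is
# enabled, and which grants have a matching approval ticket.
ACCOUNTS = {
    "alice": {"enabled": True, "perms": {"erp_read", "erp_post_journal"},
              "approved": {"erp_read", "erp_post_journal"}},
    "bob":   {"enabled": True, "perms": {"ad_reset_password", "ticketing", "erp_post_journal"},
              "approved": {"ad_reset_password", "ticketing"}},
    "carol": {"enabled": True, "perms": {"git_push"}, "approved": {"git_push"}},
    "dave":  {"enabled": True, "perms": {"ticketing"}, "approved": set()},
    "erin":  {"enabled": True, "perms": {"ticketing"}, "approved": {"ticketing"}},
}

AS_OF = date(2024, 1, 30)          # hypothetical audit date
REVOCATION_SLA_DAYS = 1            # hypothetical policy: disable within one day


def review_access(roster, accounts, role_matrix, today, sla_days=REVOCATION_SLA_DAYS):
    """Return a list of (user, finding_type, detail) tuples."""
    findings = []
    for user, acct in sorted(accounts.items()):
        person = roster.get(user)
        if person is None:
            # An account with no HR record cannot be tied to a responsibility.
            findings.append((user, "orphan_account", "no HR record"))
            continue

        # Step 3: timely revocation after termination.
        if person["terminated"] is not None and acct["enabled"]:
            days = (today - person["terminated"]).days
            if days > sla_days:
                findings.append((user, "revocation_overdue",
                                 f"{days} days after termination"))

        # Step 2: permissions that go beyond what the role allows.
        allowed = role_matrix.get(person["role"], set())
        for perm in sorted(acct["perms"] - allowed):
            findings.append((user, "excess_permission", perm))

        # Step 3: grants that were never approved.
        for perm in sorted(acct["perms"] - acct["approved"]):
            findings.append((user, "missing_approval", perm))
    return findings


def summarize(findings):
    """Step 5: count findings by type so recommendations can be prioritized."""
    return dict(Counter(kind for _, kind, _ in findings))


def run_review():
    """Run the review against the constructed data as of AS_OF."""
    return review_access(HR_ROSTER, ACCOUNTS, ROLE_MATRIX, AS_OF)


if __name__ == "__main__":
    for user, kind, detail in run_review():
        print(f"{user:6} {kind:20} {detail}")
    print(summarize(run_review()))
```

In practice the roster, role matrix and account export would be pulled from the HR system, the access policy and the identity provider; the comparison logic stays the same, and each finding type maps to one of the audit steps above.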

Compliance

Compliance ensures that information systems and security practices meet established standards, regulations, and laws.

  • Crucial for protecting sensitive data and avoiding legal penalties.
  • Involves implementing specific security controls and maintaining policies and procedures.
  • Regularly auditing and assessing the organization's security posture.

For more information, please see Compliance as a Governance Element.

Audit Committee

The audit committee is a group of people responsible for supervising the organization's audit and compliance functions.

  • Typically members of the company's board of directors.
  • Reviews the organization's financial reporting processes and internal controls.
  • Ensures the organization is in compliance with legal and regulatory requirements.
  • Addresses any issues raised by auditors.

Assessment Techniques

Baseline Reporting

Baseline reporting involves establishing a standard for system performance and security, which serves as a reference for identifying deviations and potential issues.

  • Provides an initial review of a system's security status.
  • Helps in tracking changes and detecting anomalies.
  • Used to ensure compliance with security policies and standards.

For more information, please see Security Baselines.

Attack Surface Review

An attack surface review assesses all potential entry points that an attacker could exploit within a system.

  • Identifies and evaluates all possible vulnerabilities and exposure points.
  • Helps in prioritizing security measures based on risk.
  • Aims to reduce the number of potential attack vectors.

These reviews make heavy use of port, vulnerability, and application scanners. They adopt the mindset of an attacker, seeking possible ways to exploit the system.
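Baseline reporting and attack surface review overlap in practice: a baseline records which ports, settings and packages a system is approved to have, and a review then reports anything that deviates, with new listening ports being the clearest sign of an expanded attack surface. The following is an added example (not code from the original notes) that diffs a constructed "current" host snapshot against a constructed baseline and ranks the deviations by severity. The snapshot contents, setting names and severity assignments are hypothetical.

```python
"""Added example: report deviations from an approved host baseline and
rank them for remediation. Both snapshots are constructed for illustration."""

# Constructed approved baseline for a hypothetical web host.
BASELINE = {
    "listening_ports": {22, 443},
    "settings": {
        "ssh.PasswordAuthentication": "no",
        "ssh.PermitRootLogin": "no",
        "firewall.enabled": "yes",
    },
    "packages": {"openssh-server": "9.6", "nginx": "1.24"},
}

# Constructed current snapshot, as a scanner or config-collection job
# might return it after some drift has occurred.
CURRENT = {
    "listening_ports": {22, 443, 8080, 3306},
    "settings": {
        "ssh.PasswordAuthentication": "yes",
        "ssh.PermitRootLogin": "no",
        "firewall.enabled": "yes",
        "sudo.timeout": "15",
    },
    "packages": {"openssh-server": "9.6", "nginx": "1.25", "telnetd": "0.17"},
}

# Hypothetical severity per finding type; higher means fix sooner.
SEVERITY = {
    "new_listening_port": 3,
    "setting_drift": 3,
    "unbaselined_package": 3,
    "expected_port_missing": 2,
    "package_version_drift": 1,
    "unbaselined_setting": 1,
}


def diff_snapshot(baseline, current):
    """Return (finding_type, item, detail) tuples for every deviation."""
    findings = []

    # Ports: anything newly listening is new exposure; anything missing may
    # mean a required service is down.
    for port in sorted(current["listening_ports"] - baseline["listening_ports"]):
        findings.append(("new_listening_port", str(port), "not in baseline"))
    for port in sorted(baseline["listening_ports"] - current["listening_ports"]):
        findings.append(("expected_port_missing", str(port), "baseline service not listening"))

    # Settings: compare each baselined key, then note keys the baseline
    # does not cover at all.
    for key, expected in sorted(baseline["settings"].items()):
        actual = current["settings"].get(key)
        if actual != expected:
            findings.append(("setting_drift", key, f"expected {expected!r}, found {actual!r}"))
    for key in sorted(current["settings"].keys() - baseline["settings"].keys()):
        findings.append(("unbaselined_setting", key, "not covered by baseline"))

    # Packages: unknown packages widen the attack surface; version changes
    # need checking against change records.
    for pkg, ver in sorted(current["packages"].items()):
        base_ver = baseline["packages"].get(pkg)
        if base_ver is None:
            findings.append(("unbaselined_package", pkg, f"version {ver} not in baseline"))
        elif base_ver != ver:
            findings.append(("package_version_drift", pkg, f"baseline {base_ver}, found {ver}"))
    return findings


def prioritize(findings):
    """Sort findings by severity (highest first), keeping a stable order otherwise."""
    return sorted(findings, key=lambda f: -SEVERITY[f[0]])


def run_report():
    """Diff the constructed snapshots and return the prioritized findings."""
    return prioritize(diff_snapshot(BASELINE, CURRENT))


if __name__ == "__main__":
    for kind, item, detail in run_report():
        print(f"[sev {SEVERITY[kind]}] {kind:22} {item:28} {detail}")
```

The same structure applies whatever the collection source is; what makes it a baseline report rather than a raw scan is that each line is expressed relative to an approved state, so reviewers only read the deviations.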

Code Reviews

Code reviews involve examining the source code to identify and address security vulnerabilities and coding errors.

  • Ensures that code adheres to security best practices and standards.
  • Detects potential vulnerabilities before the code is deployed.
  • Improves code quality and reduces the risk of security flaws.

For more information, please see Code Reviews.

Architecture Reviews

Architecture reviews assess the design and structure of a system to identify potential security weaknesses.

  • Evaluates the overall system design for security gaps and risks.
  • Ensures that security principles are integrated into the architecture.
  • Helps in identifying and addressing potential issues early in the design phase.