When to do this
An audit is a great way to improve an organisation’s security posture: it provides a level of assurance that policies, standards, baselines, guidelines and procedures are actually followed in practice. To an extent, it is similar to a gap analysis, but it is designed to be used as an instrument once the target state is meant to have been achieved.
I would only recommend this as a periodic practice once at least the following are in place:
- security policies, standards and procedures;
- a risk management process;
- an incident response plan;
- business continuity or disaster recovery plans;
- security controls implemented according to accepted standards.
What I can do for you
Please note that I am not accredited to provide certification for compliance with any standards. That being said, a non-mandated audit is an invaluable test of the security level present at a certain point in time. At a high level, the process can be broken down into the following steps:
- Determine the scope and objectives of the audit.
- Review existing documentation.
- Speak to the relevant departments about their processes.
- Evaluate systems' configurations and adherence to standards.
- Prepare a report that contains:
  - methodologies employed;
  - findings;
  - recommendations;
  - conclusions in the form of an executive summary.
The following are examples of the range of services that I can provide:
- Evaluation of organisational documents against industry best-practices, standards or guidelines.
- Evaluation of the implementation of technical or administrative security controls against the desired target.
- Review of systems' configurations and their effectiveness.
Whether you are ready to test your security posture or not quite sure if a security audit is the right choice, you can always get in touch to discuss your requirements and expectations.
Other evaluations
There are several different approaches to evaluating information security, all focused on slightly different objectives, which can become confusing. I am committed to demystifying the terminology and explaining the concepts in language anyone can understand. Here are similar activities and how they compare to a security audit:
- a risk assessment focuses on identifying threats and their impact, without evaluating how security measures are actually implemented in real life;
- a gap analysis is meant to help in establishing a plan to achieve a desired target state after gauging the current one;
- a vulnerability assessment relies on automated tools to identify weaknesses in systems, generally based on known signatures, without a professional reviewing the security documentation;
- penetration testing takes vulnerability assessment one step further and attempts to establish how the weaknesses can be exploited to provoke controlled breaches.
These are all meant to be complementary, but also useful in their own right. If in doubt, speak to a professional.