Security Audit

Areas of audit (the headings follow the COBIT control objectives that structure the report, chiefly DS5 Ensure Systems Security and DS12 Manage Facilities):

Physical Security
Low Profile of the IT Site
Visitor Escort
Identification, Authentication and Access
Security of Online Access to Data
Management Review of User Accounts
User Control of User Accounts
Security Surveillance
Central Identification and Access Rights Management
Violation and Security Activity Reports
Counterparty Trust
Trusted Path
Malicious Software Prevention, Detection and Correction
Firewall Architectures and Connections with Public Networks
Segregation of Duties
Communication of IT Security Awareness

The findings for each area are followed by a detailed list of recommendations.

The report is a minimum of 30 pages.

If the customer provides its security policies and procedures, the audit also includes an analysis of the level of compliance with them.
 

Typical analysis schedule:

Day                      Time            Event
Evening prior to day 1   -               Security analyst arrives in town
Day 1                    9:00 – 10:30    Introductions and short interviews
Day 1                    10:30 – 5:00    Collect information
Day 1                    Evening         Analyze data
Day 2                    9:00 – 10:00    Meeting to answer questions raised by the previous evening's analysis
Day 2                    10:00 – 5:00    Continue analysis
Day 2                    Evening         Prepare report
Day 3                    9:00 – 10:00    Last-minute updates and printing of reports
Day 3                    10:00 – 12:00   Presentation of audit results and recommendations

FAQ:

1.  What type of access does the security analyst need?

          The security analyst needs root access on the system(s) being audited.

2.  Does the security analyst install any software?

          The security analyst restores from tape a set of proprietary scripts and one open-source tool, the Center for Internet Security (CIS) scan tool.

3.  Will there be an impact on the system?

          The scripts and tools used have minimal impact on the system. To date the audit process has not interfered with any production system.

4.  Does the security analyst need to evaluate the system during production hours?

          The security analyst prefers to work regular business hours; by special arrangement, off-hours work is possible.

5.  Does the security analyst need access to staff?

          Yes. The security analyst needs access to certain staff members for short interviews and to answer questions that come up during the analysis.

6.  What other resources will the security analyst need?

          The security analyst needs to connect a laptop to the network. The laptop runs Windows XP with SP2, Norton Anti-Virus and Internet Security, ZeroSpyware, and Virtual PC with Red Hat Linux 3.0.

          The security analyst needs access to a color printer on the morning of the 3rd day.

7.  How many systems does the audit include?

          The analysis covers one system, or two systems if the second is a similarly configured test or failover system.

8.  In the case of a second system that is a test or failover server, will the report just be copied?

          No, a complete analysis is performed on the second system. Because of the similarities between the two systems, the second analysis is much faster.

9.  What if I have multiple systems?

          The security analyst can provide a schedule and quote for the number of systems required.

10.  What format is the report?

          The report is structured according to the COBIT framework. The customer receives a hardcopy as well as a PDF version on CD.

11.  Will the security analyst be available to discuss issues with our auditors at a later date if needed?

          Yes. The security analyst has worked with auditors from Deloitte and PwC.

Cost

          $2,500 plus expenses (air, hotel, rental car)

Security analyst bio:

          Chris Wong is the author of the Prentice-Hall/HP Press book "HP-UX 11i Security". She is a highly rated speaker at HP World on topics such as "SSH Explained" and "LVM Explained". In 2002, Chris created a customized class on HP-UX security and delivered it to nearly 100 HP engineers in Europe. Chris holds certifications from HP as an Accredited Integration Specialist, Certified Systems Administrator, and Accredited Presales Consultant.

          Chris has performed security audits for a variety of organizations, including non-profits, government agencies, SMBs, and Fortune 100 companies. She is a Certified Information Systems Security Professional (CISSP).

          Chris's specialty is assisting customers with Sarbanes-Oxley (SOX) and other compliance issues.


For more information contact: services@newfdawg.com


 Copyright © 2007 NEWFDAWG.COM All rights reserved.     Last modified: 02/03/07.