Areas of audit:
If policies & procedures are provided, the audit will include an analysis of the level of compliance.
Typical analysis schedule:
1). What type of access does the security analyst need?
The security analyst needs root access.
The security analyst will restore from tape a variety of proprietary scripts and one open source tool. (The CIS scan tool).
3). Will there be an impact on the system?
The scripts and tools used will have a minimum impact on the system. The audit process has not interfered with any production system to date.
4). Does the security analyst need to evaluate the system during production hours?
It is preferred that the security analyst work regular day hours; however, in special circumstances the security analyst can work off hours.
5). Does the security analyst need access to staff?
Yes, the security analyst will need access to certain staff members for short interviews and to answer questions that come up during the analysis.
6). What other resources will the security analyst need?
The security analyst will need to be able to connect their laptop to the network. The laptop is running Windows XP with SP 2, Norton Anti-Virus & Internet Security, ZeroSpyware, and Virtual PC with Red Hat Linux 3.0.
The security analyst will need access to a color printer on the morning of the 3rd day.
7). How many systems does the audit include?
The analysis is for one system, or for two systems if the second system is similarly configured as a test environment or failover.
8). In the case of a second system that is a test or failover server, will the report just be copied?
No, a complete analysis will be performed. However, because of the similarities between the systems, it will be much faster to analyze the second system.
9). What if I have multiple systems?
The security analyst can provide a schedule and quote for the number of systems required.
10). What format is the report?
COBIT is used as the framework for the report. The customer receives a hard copy as well as a PDF version on CD.
11). Will the security analyst be available to discuss issues with our auditors at a later date if needed?
Yes, the security analyst has worked with auditors from Deloitte and PWC.
$2,500 plus expenses (air, hotel, rental car)
Security analyst bio:
Chris Wong is the author of the Prentice-Hall/HP Press book, “HP-UX 11i Security”. She is a highly rated speaker at HP World on topics such as “SSH Explained” and “LVM Explained”. In 2002, Chris created a customized class on HP-UX security and delivered it to nearly 100 HP engineers in Europe. Chris holds certifications from HP as an Accredited Integration Specialist, Certified Systems Administrator, and Accredited Presales Consultant.
Chris has performed security audits for a variety of companies including non-profits, government agencies, SMB, and Fortune 100. She is a Certified Information Systems Security Professional (CISSP).
Assisting customers with SOX and other compliance issues is Chris' specialty.
For more information contact: firstname.lastname@example.org
© 2007 NEWFDAWG.COM All rights reserved.