Security policy audits verify the customer's policies and procedures and provide a validation of the customer's security stance. These audits are non-invasive with regard to the customer's network and host computers, although they may disrupt daily business if extensive employee interviews are required.
The following policy audits would be completed with the customer through review of procedures and policies, employee interviews, and inspection of network and host documentation. It is expected that these audits will be tailored to the customer's specific needs. Security policy audits do not normally involve network or host audits, although they may be part of a larger process which does.
Security policy audits include:
An analysis of current security procedures will be performed. This examination will include both disaster recovery and an analysis of the staff's ability to detect an intrusion or attack. Optionally, this will include staging mock attacks to verify logging and intrusion detection systems and methods.
Site Security Analysis may also include a review of the customer's physical security measures. This includes the physical placement of, and access to, network servers, routers, firewalls and gateways. The physical layout of the customer's network and the accessibility of live network drops or unattended workstations will be inspected. It should also include backup procedures and storage.
An analysis will be made of possible pending threats that may result from malicious attack or from accidents (e.g. a pending disaster), as well as the risk of password sniffing and internal session hijacking and spoofing.
Password files will be analyzed and an attempt will be made to crack sampled password files. The result will be reflected upon in the Policy Analysis phase. Optionally, a full password analysis can be done on all acquirable password files (Unix and Windows) rather than just statistically sampled excerpts.
The analysis would include the development of a Threat Model for the customer's operation. The model would be developed by inspecting the customer's internal and external vulnerabilities, internal and external threats, and the type and extent of information assurance required for the operation, and by evaluating the customer's risk of attack. The Threat Model will be used to validate, or develop, the customer's overall security stance, which directly feeds into the development of appropriate security policies.
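The sampled versus full password analysis described above, as an added example that is not part of the original page or the audit provider's own tooling. The account file, its hash format (a constructed `$pbkdf2$...` line format, not a real system's format) and the audit wordlist are all constructed for the demonstration; the point is to show how a statistically sampled audit estimates the weak-password rate, with a confidence interval, and how it compares with analyzing every account.

```python
"""Sampled vs. full weak-password audit (added example, not the page's procedure).

Constructed account file format, one account per line:
    user:$pbkdf2$<iterations>$<salt_hex>$<digest_hex>
"""
import hashlib
import hmac
import math
import random

# Constructed audit wordlist of commonly chosen passwords.
WEAK_WORDS = ["password", "welcome1", "summer2004", "letmein", "changeme"]


def make_entry(user, password, iterations=1000, salt=None):
    """Build one constructed account line; the salt is derived from the user name
    only so that the demo file is reproducible (a real system would use a random salt)."""
    salt = salt if salt is not None else hashlib.sha256(user.encode()).digest()[:8]
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{user}:$pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def parse_entry(line):
    """Split a constructed account line into (user, iterations, salt, digest)."""
    user, spec = line.strip().split(":", 1)
    _, algo, iterations, salt_hex, digest_hex = spec.split("$")
    if algo != "pbkdf2":
        raise ValueError(f"unsupported hash scheme for {user}: {algo}")
    return user, int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)


def is_weak(line, wordlist=WEAK_WORDS):
    """True when the stored hash matches any word in the audit wordlist."""
    _, iterations, salt, digest = parse_entry(line)
    for word in wordlist:
        candidate = hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def weak_fraction(lines, wordlist=WEAK_WORDS):
    """Fraction of accounts whose password is in the wordlist (full analysis)."""
    return sum(is_weak(line, wordlist) for line in lines) / len(lines)


def sampled_audit(lines, sample_size, seed=0, wordlist=WEAK_WORDS):
    """Estimate the weak fraction from a random sample of accounts.

    Returns (estimate, (low, high)) where the interval is a normal-approximation
    95% confidence interval for the true fraction."""
    rng = random.Random(seed)  # fixed seed so the audit sample is reproducible
    sample = rng.sample(lines, sample_size)
    p = weak_fraction(sample, wordlist)
    half_width = 1.96 * math.sqrt(p * (1 - p) / sample_size)
    return p, (max(0.0, p - half_width), min(1.0, p + half_width))


# Constructed account file: 40 accounts, every fourth one using a wordlist password.
ACCOUNT_FILE = [
    make_entry(f"user{i:02d}",
               WEAK_WORDS[i % len(WEAK_WORDS)] if i % 4 == 0 else f"Xq9!{i}rTz#{i * 7}")
    for i in range(40)
]


if __name__ == "__main__":
    est, (lo, hi) = sampled_audit(ACCOUNT_FILE, sample_size=12)
    print(f"sampled (12 of {len(ACCOUNT_FILE)}): {est:.2f} weak, 95% CI [{lo:.2f}, {hi:.2f}]")
    print(f"full analysis: {weak_fraction(ACCOUNT_FILE):.2f} weak")
```

The sampled figure is what goes into the Policy Analysis phase when only an excerpt is checked; the width of the interval is the argument for the optional full analysis when the sample is small or the estimate sits near a policy threshold.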
An overview analysis of the official corporate security policy will be performed.
This examination will include interviewing employees and staff to determine the level of employee awareness of corporate policies and their adherence to them. The contents of the individual interviews will be kept anonymous, and the employees' identities will not be included in the report, so as to avoid biased statements.
Analysis of user access rights and acquisition procedures will also be included in this phase of the audit. It is important to verify that the listed company policies do not conflict with one another, and that they embody the intent of the corporate information officer (or equivalent).
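One concrete form of the "policies do not conflict" check above, as an added example that is not part of the original page or the audit provider's method. The group membership, resources and policy statements are constructed for the demonstration; the example goes slightly beyond the text by resolving group membership transitively, since a conflict between an allow and a deny often appears only once a user's nested group memberships are expanded.

```python
"""Find access-right policies that both allow and deny the same user on the
same resource (added example; all data below is constructed for the demo)."""

# Constructed membership: a principal maps to the groups it belongs to directly.
GROUPS = {
    "alice": {"finance"},
    "bob": {"finance", "contractors"},
    "carol": {"it-admins"},
    "finance": {"staff"},
    "contractors": set(),
    "it-admins": {"staff"},
    "staff": set(),
}

# Constructed policy statements: (policy_id, subject, resource, effect).
POLICIES = [
    ("P-01", "staff", "payroll-db", "deny"),
    ("P-02", "finance", "payroll-db", "allow"),
    ("P-03", "contractors", "payroll-db", "deny"),
    ("P-04", "it-admins", "backup-vault", "allow"),
    ("P-05", "carol", "backup-vault", "deny"),
]


def expand_groups(subject, membership=GROUPS):
    """Return the subject plus every group it belongs to, transitively."""
    seen = set()
    stack = [subject]
    while stack:
        principal = stack.pop()
        if principal in seen:
            continue
        seen.add(principal)
        stack.extend(membership.get(principal, set()))
    return seen


def effective_policies(user, resource, policies=POLICIES, membership=GROUPS):
    """Policies that apply to the user on the resource, via any group."""
    principals = expand_groups(user, membership)
    return [p for p in policies if p[1] in principals and p[2] == resource]


def find_conflicts(users, policies=POLICIES, membership=GROUPS):
    """Return (user, resource, allow_ids, deny_ids) for every user/resource pair
    that is simultaneously allowed and denied; each entry is a finding for the
    policy review, because the outcome then depends on evaluation order."""
    conflicts = []
    resources = sorted({p[2] for p in policies})
    for user in users:
        for resource in resources:
            applicable = effective_policies(user, resource, policies, membership)
            allows = sorted(p[0] for p in applicable if p[3] == "allow")
            denies = sorted(p[0] for p in applicable if p[3] == "deny")
            if allows and denies:
                conflicts.append((user, resource, allows, denies))
    return conflicts


if __name__ == "__main__":
    for user, resource, allows, denies in find_conflicts(["alice", "bob", "carol"]):
        print(f"{user} on {resource}: allowed by {allows}, denied by {denies}")
```

Each reported pair is a question for the information officer rather than an automatic fix: the audit records which written policy the organisation intends to win, and the policy set is then amended so the precedence is explicit.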
Last modified: Sat Oct 30 22:42:49 PDT 2004