The document discusses logging, monitoring, auditing, and the importance of management review controls. It provides details on:
- What a security audit involves, including assessing physical, software, network, and human aspects of an information system.
- How security auditing works by testing adherence to internal IT policies and external standards/regulations.
- The purpose of monitoring security logs to detect anomalies and threats, given the large volume of logs generated.
- The benefits of logging, monitoring, and reporting, which include stronger governance, oversight, security, and compliance.
- How management review controls are important for an effective control environment and ensuring accuracy of key security documents.
2. What is a security audit?
A security audit is a comprehensive assessment of your organization’s information system;
typically, this assessment measures your information system’s security against an audit checklist
of industry best practices, externally established standards, or federal regulations. A
comprehensive security audit will assess an organization’s security controls relating to the
following:
● physical components of your information system and the environment in which the
information system is housed;
● applications and software, including security patches your systems administrators have
already implemented;
● network vulnerabilities, including evaluations of information as it travels between different
points within, and external to, your organization’s network;
● the human dimension, including how employees collect, share, and store highly sensitive
information.
3. How Does a Security Audit Work?
A security audit works by testing whether your organization’s information system is adhering to a
set of internal or external criteria regulating data security.
Internal criteria include your company’s IT policies, procedures, and security controls.
External criteria include federal regulations such as the Health Insurance Portability and
Accountability Act (HIPAA) and Cyber Audit India, and standards set by the International
Organization for Standardization (ISO) or the National Cyber Safety and Security Standards.
A security audit compares your organization’s actual IT practices with the standards relevant to
your enterprise, and will identify areas for remediation and growth.
4. What Is the Main Purpose of a Security Audit?
A security audit will provide a roadmap of your organization’s main information security
weaknesses and identify where it is meeting the criteria the organization has set out to follow
and where it isn’t.
Security audits are crucial to developing risk assessment plans and mitigation strategies for
organizations that deal with individuals’ sensitive and confidential data.
5. What is Security Auditing in Cybersecurity?
A security audit in cybersecurity will ensure that there is adequate protection for your
organization’s networks, devices, and data from leaks, data breaches, and criminal interference.
Security audits are one of three primary types of cybersecurity assessment strategies; the
other two are penetration testing and vulnerability assessment, both of which involve running
real-time tests on the strength of firewalls, malware defenses, passwords, and data protection measures.
6. What Does a Security Audit Consist of?
A security audit consists of a complete assessment of all components of your IT infrastructure:
this includes operating systems, servers, digital communication and sharing tools, applications,
data storage and collection processes, and more. There are a few common components/steps:
1. Select Security Audit Criteria
2. Assess Staff Training
3. Monitor Network Logs
4. Identify Vulnerabilities
5. Implement Protections
7. Steps of Security Audit
1. Select Security Audit Criteria
Determine which external criteria you want or need to meet, and use these to develop your list of
security features to analyze and test. Also keep a record of your organization’s internal policies, if
your IT team anticipates cybersecurity concerns that external criteria may not cover.
2. Assess Staff Training
The more people who have access to highly sensitive data, the greater the chance for human
error. Make sure there is a record of which staff members have access to sensitive information
and which employees have been trained in cybersecurity risk management or compliance
practices. Plan to train those who still require training.
8. Steps of Security Audit
3. Monitor Network Logs
Monitor network activity and event logs. Keeping close track of logs will help to ensure only
employees with the proper permissions are accessing restricted data, and that those employees
are following the proper security measures.
4. Identify Vulnerabilities
Before conducting a penetration test or vulnerability assessment, your security audit should
uncover some of your most glaring vulnerabilities, like whether a security patch is outdated or
employee passwords haven’t been changed in over a year. Regular security audits make
penetration tests and vulnerability assessments more efficient and effective.
9. Steps of Security Audit
5. Implement Protections
Once you have reviewed the organization’s vulnerabilities and ensured that staff is trained and
following the proper protocol, make sure the organization is employing internal controls to
prevent fraud, like limiting users’ access to sensitive data. Check that wireless networks are
secure, encryption tools are up-to-date, and that the proper anti-virus software has been
installed and updated across the entire network.
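Steps 2 to 4 above (staff training records, monitoring who accesses restricted data, and spotting stale passwords and outdated patches) can be turned into repeatable checks that produce audit evidence. The following is an added example, not code from the slides: the access-control list, access log, staff and host records, audit date and the 30-day patch threshold are all constructed for illustration, while the one-year password-age limit is the slides' own figure.

```python
from datetime import date

AUDIT_DATE = date(2024, 3, 1)          # constructed: the day the audit is run
MAX_PASSWORD_AGE_DAYS = 365            # slides: passwords "changed in over a year" are a finding
MAX_PATCH_AGE_DAYS = 30                # constructed threshold for an "outdated" patch level

# Constructed evidence the auditor gathers from the file server, HR and the patch system.
RESTRICTED_DATA_ACL = {                # who is permitted to read each restricted object
    "hr/salaries.xlsx": {"alice", "hr_admin"},
    "finance/ledger.db": {"carol"},
}
ACCESS_LOG = [                         # (user, object, outcome) from the file server's audit log
    ("alice", "hr/salaries.xlsx", "read"),
    ("bob", "hr/salaries.xlsx", "read"),       # bob is not on the ACL for this object
    ("carol", "finance/ledger.db", "read"),
    ("dave", "finance/ledger.db", "denied"),   # a denied access shows the control worked
]
STAFF = [                              # sensitive-data access, training status, last password change
    {"user": "alice", "sensitive_access": True,  "trained": True,  "pw_changed": date(2023, 12, 1)},
    {"user": "bob",   "sensitive_access": False, "trained": False, "pw_changed": date(2022, 11, 15)},
    {"user": "carol", "sensitive_access": True,  "trained": False, "pw_changed": date(2024, 1, 10)},
]
HOSTS = [                              # host and the date its last security patch was applied
    {"host": "web01", "last_patch": date(2024, 2, 20)},
    {"host": "db01",  "last_patch": date(2023, 10, 5)},
]


def check_access(acl=RESTRICTED_DATA_ACL, log=ACCESS_LOG) -> list:
    """Step 3: successful reads of restricted objects by users who are not on the ACL."""
    return [f"unauthorized access: {user} read {obj}"
            for user, obj, outcome in log
            if outcome != "denied" and user not in acl.get(obj, set())]


def check_training(staff=STAFF) -> list:
    """Step 2: staff with access to sensitive data who have not been trained."""
    return [f"training required: {s['user']}"
            for s in staff if s["sensitive_access"] and not s["trained"]]


def check_password_age(staff=STAFF, today=AUDIT_DATE, max_days=MAX_PASSWORD_AGE_DAYS) -> list:
    """Step 4: passwords older than the policy allows, with the age in days."""
    return [f"stale password: {s['user']} ({(today - s['pw_changed']).days} days)"
            for s in staff if (today - s["pw_changed"]).days > max_days]


def check_patch_age(hosts=HOSTS, today=AUDIT_DATE, max_days=MAX_PATCH_AGE_DAYS) -> list:
    """Step 4: hosts whose last security patch is older than the threshold."""
    return [f"outdated patch level: {h['host']} ({(today - h['last_patch']).days} days)"
            for h in hosts if (today - h["last_patch"]).days > max_days]


def run_audit() -> dict:
    """Collect the findings of every check; an empty list means that check passed."""
    return {"access": check_access(), "training": check_training(),
            "password_age": check_password_age(), "patch_age": check_patch_age()}


if __name__ == "__main__":
    for check, findings in run_audit().items():
        print(f"{check}: {'PASS' if not findings else 'FINDINGS'}")
        for f in findings:
            print("  -", f)
```

The checks deliberately report the denied access as a pass rather than a finding: the audit looks for evidence that the access control is enforced, and a denial is exactly that evidence.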
10. Why Do Companies Need Security Audits?
Companies need regular security audits:
● to make sure they are properly protecting their clients’ private information, complying with
federal regulations, and avoiding liability and costly fines;
● to avoid penalties by keeping up with ever-changing federal regulations like HIPAA and CAI;
● to make sure the organization is up to speed with any new requirements, which is why the
audits must be periodic.
11. Security Audit Architecture
• Event discriminator: logic embedded into the system software that monitors system activity and detects the security-related events it has been configured to detect.
• Audit recorder: the event discriminator sends event messages to the audit recorder.
• Alarm processor: some events are alarm events and are sent to an alarm processor.
• Security audit trail: a list of formatted event records.
• Audit analyzer: based on a pattern of activity, may define a new auditable event that is sent to the audit recorder, and may generate an alarm.
12. Security Audit Architecture
• Audit archiver: extracts records from the audit trail to create a permanent archive.
• Archives: a permanent store of security-related events on this system.
• Audit provider: an application and/or user interface to the audit trail.
• Audit trail examiner: an application or user that examines the audit trail and the audit archives for historical trends, for computer forensic purposes, or for other analysis.
• Security reports: the audit trail examiner prepares human-readable security reports.
13. Security Auditing Functions
Data generation: identifies the level of auditing and enumerates the types of auditable events.
Event selection: inclusion or exclusion of events from the auditable set.
Event storage: creation and maintenance of the secure audit trail.
Automatic response: reactions taken when a possible security violation event is detected.
Audit analysis: automated mechanisms to analyze audit data in search of security violations.
Audit review: facilities available to authorized users to assist in reviewing audit data.
14. Logging
Logging provides a record of events related to IT systems and processes. Each recorded event is a
log entry, denoting information such as what occurred, when it occurred, and who or what caused
it.
A log might be as simple as a text list of application log-ons for a service host or as complex as a
description of transactions across an ERP system.
Benefits of Logging
Successful logging offers value beyond compliance that includes support of overall IT functions
including performance management, change management, security management, and project
planning.
15. What is Monitoring?
Security logs provide little to no value if they are not monitored. In fact, attackers
bet that their target does not monitor its logs.
Log monitoring is essentially reviewing the recorded log entries for anomalous,
abnormal, or suspicious events. While log monitoring can be performed manually, it is
not efficient and should be reserved for more detailed analysis supported by
automation.
16. Why Is Monitoring Important?
The importance of monitoring security events via logs cannot be overstated. Without
active log monitoring, the likelihood that an attacker maintains an undetected persistent
presence increases significantly.
While the prevention of breaches is highly preferred, detection of a breach is a must, and
the primary detection mechanism for breaches is the identification of anomalous activity
in security logs.
17. Automation in Monitoring
Systems today generate incredible volumes of logs, so automation is essentially required
in order to perform any reliable level of log monitoring and analysis. The primary tool
used today for security log monitoring is a security information and event management
(SIEM) platform.
There are numerous SIEMs on the market today which provide a host of different
capabilities, but the primary premise of a SIEM is to collect or ingest logs from multiple
sources, perform or enable efficient analysis, and perform a designated action such as
alerting on events of interest.
18. What Are the Challenges to Logging and Monitoring?
The primary challenges regarding security logging and monitoring are the sheer
volume of logs that are generated by information systems and applications and the
lack of trained security staff to identify abnormal events using a SIEM or other
automated techniques.
Additional challenges include differing log formats based on the OS or application
generating the log, differing log content which makes it difficult to follow a thread
across multiple platforms, and non-standardized time stamps. Fortunately, today’s
SIEM platforms are able to normalize log entries into a common, parsable format while
also retaining the original log entry if required to support more in-depth analysis.
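The normalization the slide credits to SIEM platforms (differing formats, differing content, non-standard time stamps, original entry retained) is easiest to understand on a small scale. The following is an added example, not code from the slides or from any SIEM product: it parses three constructed log lines in different formats (a classic syslog line, a CSV export of a Windows logon-failure event, and a JSON application log with an epoch-millisecond timestamp) into one common record with a UTC time and the untouched raw line, then follows the thread for one user and source IP across the three platforms. The host names, the assumed year for the syslog line and the assumed local time zone of the CSV export are constructed; Windows event ID 4625 is the real "logon failure" ID.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumptions a SIEM would take from the source's configuration; constructed here.
ASSUMED_SYSLOG_YEAR = 2024                                  # classic syslog lines carry no year
ASSUMED_SYSLOG_TZ = timezone.utc                            # the syslog host's clock is in UTC
ASSUMED_WINDOWS_LOCAL_TZ = timezone(timedelta(hours=-5))    # the CSV export is in local time

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?)\[\d+\]: (.*)$")
SSH_FAIL_RE = re.compile(r"Failed password for (\S+) from (\S+)")

# Constructed sample: one authentication failure per platform, plus a line no parser accepts.
SAMPLE_LINES = [
    "Mar  1 09:00:01 web01 sshd[1234]: Failed password for alice from 10.0.0.5 port 5000 ssh2",
    "2024-03-01 04:00:02,DC01,4625,alice,10.0.0.5",
    '{"ts": 1709283603000, "app": "portal", "msg": "auth failed", "user": "alice", "ip": "10.0.0.5"}',
    "this line matches no known format",
]


def _record(time: datetime, host: str, user: str, src_ip: str, fmt: str, raw: str) -> dict:
    """Common schema: UTC ISO-8601 time, the fields analysis needs, and the original line."""
    return {"time": time.astimezone(timezone.utc).isoformat(), "host": host, "user": user,
            "src_ip": src_ip, "action": "auth_failure", "source_format": fmt, "raw": raw}


def normalize(line: str):
    """Return a normalized record for a recognised line, or None if no parser applies."""
    m = SYSLOG_RE.match(line)
    if m:
        ts, host, _proc, msg = m.groups()
        f = SSH_FAIL_RE.search(msg)
        if not f:
            return None
        t = datetime.strptime(f"{ASSUMED_SYSLOG_YEAR} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")
        return _record(t.replace(tzinfo=ASSUMED_SYSLOG_TZ), host, f.group(1), f.group(2), "syslog", line)
    if line.startswith("{"):
        try:
            d = json.loads(line)
        except json.JSONDecodeError:
            return None
        if d.get("msg") != "auth failed":
            return None
        t = datetime.fromtimestamp(d["ts"] / 1000, tz=timezone.utc)
        return _record(t, d["app"], d["user"], d["ip"], "json", line)
    parts = line.split(",")
    if len(parts) == 5 and parts[2] == "4625":
        t = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S").replace(tzinfo=ASSUMED_WINDOWS_LOCAL_TZ)
        return _record(t, parts[1], parts[3], parts[4], "windows_csv", line)
    return None


def normalize_all(lines):
    """Split input into normalized records and the lines that could not be parsed."""
    records, unparsed = [], []
    for line in lines:
        rec = normalize(line)
        (records if rec else unparsed).append(rec or line)
    return records, unparsed


def build_threads(records) -> dict:
    """Group records by (user, source IP) and order each group by normalized UTC time."""
    threads = defaultdict(list)
    for rec in records:
        threads[(rec["user"], rec["src_ip"])].append(rec)
    return {key: sorted(recs, key=lambda r: r["time"]) for key, recs in threads.items()}


if __name__ == "__main__":
    recs, bad = normalize_all(SAMPLE_LINES)
    for key, thread in build_threads(recs).items():
        print(f"thread {key}:")
        for r in thread:
            print(f"  {r['time']} {r['host']:<7} {r['source_format']:<11} raw={r['raw'][:40]!r}")
    print(f"{len(bad)} line(s) left unparsed")
```

Unparsed lines are returned rather than silently dropped; a real SIEM surfaces them as a parsing-coverage problem, since an event that never normalizes is an event that never reaches the analysis the slides describe.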
19. Reporting
Reporting refers to the generation (automatic or manual) of reports that indicate the status of IT
controls designed to meet compliance goals. Reporting is intermeshed with both monitoring and
logging, since reports can be based on the output of both monitoring and logging activities. To
complicate the mix, some authorities, such as ISO 27002, require management to report on the
effectiveness of reporting and monitoring controls.
Benefits of Reporting
Reports are the currency of compliance for auditors. Without reliable, accurate, consistent, and
verifiable reporting, there can be no compliance assurance. Good reporting also helps IT
managers to evaluate system and employee performance over time and provides input for
balanced scorecards and other managerial mechanisms.
20. Benefits of logging, monitoring, and reporting
Stronger IT governance—Logging, monitoring, and reporting are the information lifeblood of
compliance, risk management, and governance. They reveal problems, put performance
indicators behind managerial decisions, supply evidence for control assurance, and provide
evidence for risk analyses.
Better managerial oversight—By providing a record of real-world events, logs provide invaluable
information that can validate or dispel managerial assumptions, reveal unrecognized
performance issues, point to problem-specific solutions, and provide case studies for staff
training.
21. Benefits of logging, monitoring, and reporting
Support of corporate information security—Logs can provide a record of access and
authentication events, note configuration or application changes that could compromise system
integrity, record details of inbound and outbound information traffic, and provide a corpus of
evidence for forensic investigation of security breaches.
Stronger service-level agreements (SLAs)—Log monitoring is a critical component of SLA
assurance, revealing service interruptions, threats to network stability, and other critical
evidence that supports troubleshooting efforts.
Performance validation—Logs and monitoring provide the basis for performance measurement,
while reporting requirements ensure that managers have the information they need to make
intelligent decisions about process changes that impact performance outcomes.
22. Benefits of logging, monitoring, and reporting
More effective change control—Logs provide a record of configuration, application, network,
and other types of changes that might otherwise go unnoticed by management.
Regulatory compliance—Logging, monitoring, and reporting provide both the means and data
for auditing, intrusion monitoring, compliance monitoring, and ensuring adherence to
segregation of duties.
23. Management Review Controls
Management review controls are any key reviews performed by a company’s
management over security information, such as estimates, for reasonableness and
accuracy.
In most cases, a manager will review the specific security document (e.g., log reports)
prepared by a security analyst, review the document in detail, work with the analyst
to reconcile any discrepancies, and sign off on the security document.
24. Steps that may be applied to a management review control (MRC)
Define the matter: Define the matter with specific risks, focusing on the nature of
potential errors and how they occur.
Specify objectives: Specify objectives by identifying the points within the process that
could give rise to the specific risk(s) and evaluate whether the control attributes of the
MRC sufficiently address each of those points.
Identify possibilities: Identify possibilities by challenging assumptions and ensuring clearly
defined actions, including triggers for investigation and prescribed plans for resolution.
Gather and analyze information: Gather and analyze information that depicts the performance of
each control attribute. Examine physical evidence of procedures performed, observe
actions that occur, and evaluate their sufficiency to meet objectives.
Reach a conclusion: Reach a conclusion as to the sufficiency of the control’s ability to
prevent or detect the specified risks. Has each objective been met appropriately?
Reflect: Reflect on the conclusions reached. Is each of the identified risks sufficiently
addressed through the controls after consideration of their design and implementation?
25. Why are Management Review Controls So Important?
Management review controls are important because they are critical to an effective
control environment. The documents reviewed as part of MRCs cover a wide spectrum;
some examples include:
● Review of a reconciliation
● Review of journal entries
● Review for triggering events
● Review of the work supporting an estimate