The Process of Auditing Information Systems
Management Questions
Reasons for Audits
Testing, Examination and Interviewing
Multiple levels of assessment
Assessment Lifecycle
Common Types of Assessments
Determine your Scope
Assessment Life Cycle
Certification Process (NIST SP 800-37)
Security Control Assessment Tasks
Security Documentation Tasks
Assessment Tasks (NIST SP 800-37 Rev 1)
Assessor/Auditor Selection
Assessor Competence
Legal Considerations
Developing the test plan
Assessment Methodology
Auditors/Assessors
Key Definitions (cont.)
How much testing?
Typical Sampling and Evaluation Criteria
Assessment Methods
Assessment Objectives and Guidance
NIST SP 800-53A Rev 1 Example
Identify and Select Automated Tools
Live CD Distributions for Security Testing
Review Techniques
Target Identification and Analysis Techniques
Target Vulnerability Validation Techniques
Checklists / MSAT
Incremental Testing
Verification Testing
Application testing
Database Auditing
Intrusion Detection/Prevention
Business Continuity
Vulnerability Scanning
Vulnerability Reports
External and Internal
Vulnerability Scanners
Red, White and Blue Teams
Red and Blue Teams
Penetration Testing
Penetration Test Phases
Penetration Assessment Reports
Vulnerability Information
Physical Assessments
The role of the host
Post-Testing Activities
Documenting the results
Included in the SAR
Audit / Assessment Documentation
Concurrent Remediation
Disagreements with findings
Organizations that can help