The Process of Auditing Information Systems

IS AUDIT presentation

Situation

Management Questions

Reasons for Audits

Terms

Assessment

Audit

Testing, Examination and Interviewing

Multiple levels of assessment

Program Level

OIG

System Level

Assessment Lifecycle

Common Types of Assessments

Determine your Scope

Material

Level of Effort

Risk & Audit

Independence

Assessment Life Cycle

Plan (FISCAM)

Perform (FISCAM)

Report (FISCAM)

Certification Process (NIST SP 800-37)

Security Control Assessment Tasks

Security Documentation Tasks

Assessment Tasks (NIST SP 800-37 Rev 1)

Assessment Tasks (NIST SP 800-37 Rev 1)

Assessor/Auditor Selection

Assessor KSAs

Assessor Competence

Legal Considerations

Developing the test plan

Assessment Methodology

Auditors/Assessors

Key Definitions

Key Definitions (cont.)

How much testing?

Sample Size

Sampling

Typical Sampling and Evaluation Criteria

Assessment Methods

Assessment Objectives and Guidance

NIST SP 800-53A Rev 1 Example

Identify and Select Automated Tools

Checklists

Live CD Distributions for Security Testing

Review Techniques

Target Identification and Analysis Techniques

Target Vulnerability Validation Techniques

Checklists / MSAT

GRC Tools

Test Types

Testing

Incremental Testing

Verification Testing

Application testing

Database Auditing

Intrusion Detection/Prevention

EMR Testing

Green Computing

Business Continuity

Vulnerability Scanning

MBSA

Vulnerability Reports

External and Internal

Vulnerability Scanners

Red, White and Blue Teams

Red and Blue Teams

Penetration Testing

Penetration Test Phases

Attack Phases

Penetration Assessment Reports

Vulnerability Information

Physical Assessments

The role of the host

Test execution

Post-Testing Activities

Documenting the results

SAR

Included in the SAR

Audit / Assessment Documentation

Audit Papers

Concurrent Remediation

Disagreements with findings

Organizations that can help