Information Security Assessment and Audits (Security Analyst - II)

UNIT II Information Security Audit Tasks, Reports and Post Auditing Actions

The goal of a security assessment (also known as a security audit, security review, or network assessment) is to ensure that the necessary security controls are integrated into the design and implementation of a project. A properly completed security assessment should provide documentation outlining any security gaps between the project design and the approved corporate security policies. Management can address security gaps in three ways: cancel the project, allocate the resources needed to correct the gaps, or accept the risk on the basis of an informed risk/reward analysis.

In this unit we learn about the pre-audit checklist, information gathering, vulnerability analysis, external security audits, internal network security audits, IDS security auditing and social engineering security auditing.


UNIT III Vulnerability Management

Vulnerability management is the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities", especially in software and firmware. Vulnerability management is integral to computer security and network security.

Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities, such as open ports, insecure software configuration, and susceptibility to malware. Unknown vulnerabilities, such as those used in a zero-day attack, may be found with fuzz testing, which can identify certain kinds of vulnerabilities, such as a buffer overflow, given relevant test cases. Such analysis can be facilitated by test automation. In addition, antivirus software capable of heuristic analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file).

Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software (such as a firewall), or educating users about social engineering.
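The cycle described above (identify, classify, remediate or mitigate, and report) is easier to see on concrete data. The following is an added example, not code from the course or its textbooks: it classifies constructed scan findings into CVSS v3 severity bands, applies an assumed remediation SLA per band, treats management's "accept the risk" decision as a tracked state rather than an open item, and produces the backlog and mean-time-to-remediate figures an auditor would report.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed remediation SLA in days per severity band (a hypothetical policy, not one the page gives).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    fid: str
    cvss: float
    found: date
    status: str                   # "open", "remediated" or "risk_accepted"
    fixed: Optional[date] = None  # set when status == "remediated"

def severity(cvss: float) -> str:
    """Classify a score into the CVSS v3 qualitative severity bands."""
    for name, floor in (("critical", 9.0), ("high", 7.0), ("medium", 4.0)):
        if cvss >= floor:
            return name
    return "low"

def report(findings, today: date) -> dict:
    """Summarise remediation state as audit metrics: backlog, overdue items, MTTR, SLA compliance."""
    open_ids, overdue_ids, accepted_ids, fix_days, within_sla = [], [], [], [], 0
    for f in findings:
        sla = SLA_DAYS[severity(f.cvss)]
        if f.status == "remediated":
            fix_days.append((f.fixed - f.found).days)
            within_sla += fix_days[-1] <= sla
        elif f.status == "risk_accepted":
            accepted_ids.append(f.fid)  # management accepted the risk: tracked, not backlog
        else:
            open_ids.append(f.fid)
            if (today - f.found).days > sla:
                overdue_ids.append(f.fid)
    return {
        "open": open_ids,
        "overdue": overdue_ids,
        "risk_accepted": accepted_ids,
        "mttr_days": sum(fix_days) / len(fix_days) if fix_days else None,
        "sla_met_pct": round(100 * within_sla / len(fix_days), 1) if fix_days else None,
    }

# Constructed sample findings; identifiers, scores and dates are made up for this example.
SAMPLE = [
    Finding("F-1", 9.8, date(2024, 1, 2), "remediated", date(2024, 1, 5)),
    Finding("F-2", 7.5, date(2024, 1, 1), "open"),
    Finding("F-3", 5.3, date(2024, 2, 15), "open"),
    Finding("F-4", 4.0, date(2024, 1, 10), "risk_accepted"),
    Finding("F-5", 9.1, date(2024, 1, 10), "remediated", date(2024, 1, 25)),
]
```

Calling `report(SAMPLE, date(2024, 3, 1))` flags F-2 as overdue against the assumed 30-day high-severity SLA and shows that only one of the two closed criticals met its 7-day target.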


UNIT IV Information Security Assessments

In an assessment, the assessor should have the full cooperation of the organization being assessed. The organization grants access to its facilities, provides network access, supplies detailed information about the network, and so on. All parties understand that the goal is to study security and identify improvements that will secure the systems. A security assessment is potentially the most useful of all security tests.



UNIT V Configuration Reviews

Configuration management (CM) is a systems engineering process for establishing and maintaining consistency of a product's performance, functional, and physical attributes with its requirements, design, and operational information throughout its life. The CM process is widely used by military engineering organizations to manage changes throughout the system lifecycle of complex systems, such as weapon systems, military vehicles, and information systems. Outside the military, the CM process is also used with IT service management as defined by ITIL, and with other domain models in civil engineering and other industrial engineering segments such as roads, bridges, canals, dams, and buildings.


UNIT I Information Security Performance Metrics and Audit

An information security audit is an audit of the level of information security in an organization. Within the broad scope of auditing information security there are multiple types of audits and multiple objectives for different audits. Most commonly the controls being audited can be categorized as technical, physical and administrative. Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases, and highlights the key components to look for and the different methods for auditing these areas.

When centered on the IT aspects of information security, it can be seen as a part of an information technology audit. It is often then referred to as an information technology security audit or a computer security audit. However, information security encompasses much more than IT.

In this unit we learn about security metrics and reporting; common issues and variances of performance metrics; security audit of servers and storage devices, infrastructure and networks, and communication routes; the phases of an information security audit; and the strategies and ethics of an information security auditor.


Text Books & References

TEXT BOOKS:

T1: Information Security Management – A Student's Handbook – NASSCOM

T2: Assessing Information Security (Strategies, Tactics, Logic and Framework) by A. Vladimirov, K. Gavrilenko, and A. Michajlowski.

T3: The Art of Computer Virus Research and Defense by Peter Szor.

REFERENCE BOOKS:

R1: Information Security Management – Facilitator's Guide

R2: Information Security Management Handbook, Fourth Edition, Volume I – Harold F. Tipton

R3: CISSP (ISC)2 Certified Information Systems Security Professional Official Study Guide (paperback, 8 Oct 2015) by James M. Stewart, Mike Chapple and Darril Gibson


WEB REFERENCES:

- https://www.sans.org/reading-room/whitepapers/threats/implementing-vulnerability-management-process-34180

- http://csrc.nist.gov/publications/nistpubs/800-40-Ver2/SP800-40v2.pdf

- http://www.iso.org/iso/home/standards/management-standards/iso27001.htm

- http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf