6.1 Design and validate assessment, test, and audit strategies
- Internal
- External
- Third-party
How do we evaluate our security system? With regular testing of each control!
Security Testing
What do we need to think about before developing a test and a testing schedule?
- Do we have the resources to perform the test?
- How important are the systems that we need to test?
- How sensitive is the information stored by the system?
- What is the risk that the system could be attacked?
- Other changes that could affect the system?
- How long it would take to perform a test?
- How the test would affect the system or the business?
Security Assessment
- In a security assessment, we review the system to make sure that it will continue to function as planned
- We might use some evaluation tools
- We will also think about the current and future risks
Security Audit
- An audit is performed by a third party
- Sometimes we are biased or have a conflict of interest, so we shouldn’t perform our own audit.
- An analyst who designed the security system is less likely to find a fault with his system
- A third party like the government, a lender, or a customer might expect that we can complete an audit by a third party before allowing us to operate or before doing business with us
Internal Audit
- Internal audits are performed internally by the business
- They are intended for use by the organization
External Audit
- An external audit is performed by an outside organization that is skilled in auditing. They don’t or shouldn’t have a conflict of interest.
- Normally, audits are completed by accounting firms, especially financial audits
- Companies that are on the stock market must produce audited financial statements. These statements must be audited by third parties.
- The auditor could be liable if they don’t perform the audit correctly
- An external audit is more expensive
- The external auditor might not know enough about our business to conduct a meaningful audit
Third-Party Audit
- In a third-party audit, one organization completes the audit on behalf of another organization
- For example, the IRS can audit your business on behalf of the government, even if you did not request the audit
- Other third parties may have the right to audit your organization if there is some contract between you and them. For example, if you store sensitive data on behalf of your customers, your customers may have the right to audit you to ensure that you are storing the data properly.
- The audit can be a burden on you because you must provide documentation and cooperate. You must also provide access to the third party.
- SSAE 16 – Statement on Standards for Attestation Engagements document 16, provided by the American Institute of Certified Public Accountants (AICPA) gives auditors some guidelines for performing audits. There are two types of reports
- Type I Report – description of the controls that the organization provided, and the auditors opinion. This does not include testing of the controls. The auditor takes your word for it. The auditor is evaluating whether the controls exist, not whether they are actually being used.
- Type II Report – six-month long audit for the controls. The auditor is actually making sure that your controls are in use.
- Type I Report – description of the controls that the organization provided, and the auditors opinion. This does not include testing of the controls. The auditor takes your word for it. The auditor is evaluating whether the controls exist, not whether they are actually being used.
Audit Procedure
- We can’t possibly audit every possible piece of information or every control. We must have some sort of guideline.
- Control Objectives for Information and related Technologies (COBIT) is a type of audit guideline