6.5 Conduct or facilitate security audits

  • Internal
  • External
  • Third-party

In order to conduct a security audit, we must first create an audit procedure.  Some guidelines and frameworks for audits include:

  • SSAE SOC 2 Type I/II.  As discussed earlier, SSAE (Statement on Standards for Attestation Engagements) is a set of standards put out by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board.  It is a Generally Accepted Accounting Standard.  The current version is version 18.

    The purpose of the standard is to conduct an audit of a financial system.  When an audit is performed, the standard results in a report known as a SOC Type 1 or SOC Type 2, which shows that a financial statement is accurate, complete, and fair.  The same approach can theoretically be applied to any other subject.  In other words, does the organization have internal controls to prevent fraud and bad behavior?  Can we trust what they say?

    • A SOC Type 1 report is an assessment of the design of the organization’s internal controls.
    • A SOC Type 2 report is an assessment of the operating effectiveness of the organization’s internal controls.  If the controls are designed well but people bend the rules, then the controls are meaningless.

  • NIST Special Publication 800-53A Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans provides a set of standards for conducting security assessments.

  • ISO 15408-1: Evaluation criteria for IT security.  Provides guidelines for evaluating the security of IT products.

  • ISO 18045:2008: Information technology – Security techniques – Evaluation criteria for IT security.  Provides the guidelines for performing an evaluation under ISO 15408.  ISO 15408 and ISO 18045 are used together.

  • ISO 27006: Requirements for bodies providing audit and certification of information security management systems.  Provides guidelines for evaluating a privacy management system.