Additional Audit Considerations

In addition to the audit processes described in this chapter, there are a few other considerations to keep in mind:

Acceptable Risk

Security is always a balance between protection and practicality. However hard we try to maintain security, there will always be situations where the best measure is simply not practical. This leads to what is called acceptable risk.

Acceptable risk is the acknowledgement that a security issue exists and we are knowingly allowing it to remain. The degree to which the issue remains may be somewhat lessened by practical security measures; however, the measures required to fully remove the risk are not conducive to good business sense.

I see acceptable risks all the time within organizations, usually because the protective measures required would harm productivity almost as much as a successful attack would. There is nothing wrong with an organization accepting a risk as long as the following practices are maintained:

  • The risk should be explored to its fullest so that the organization knows exactly what it is risking and the estimated chance of it happening.

  • Acceptable risks should always be determined by groups, never by an individual. Major parties that could be affected by the risk should be aware of the issue.

  • Any risk deemed to be acceptable should be listed in an "Acceptable Risk Record" that states what the risk is, why the risk is deemed acceptable, and what measures were taken to reduce the risk.

Staffing an Audit

For an audit to be accurate, auditors must be impartial to the results. A security engineer, for example, should never audit his or her own security devices, just as an administrator should never audit his or her own servers. Auditors should also not have any outstanding disciplinary problems or grudges against other staff members, since personal feelings tend to skew results. The best security audits are usually those staffed by consultants with no attachment to the environment. While the effort can be directed internally, in most situations it is highly recommended to bring in external resources or contract companies specializing in audits to perform the actual work.

Common Perspective Among the Staff

One vital requirement for an audit is that the entire team must have a common understanding of the organization, its risk levels, and the related risk factors. If any member of the audit team differs in his or her view or method for assigning risk factors, then the entire audit could be unbalanced. One facility, for example, could be given a better score than another simply because the primary auditor differed in opinion from the other auditors. This could potentially cause numerous issues with the audit results and could make the audit lose credibility in the eyes of the audited entities.

It is extremely important to have a basic group training session with all auditors present. During this session, each risk level should be discussed, along with the risk factors and overall audit process. The group should come to a consensus as to what these variables mean and how they will be assigned to different objects. When dealing with a group that has never performed such an audit, it is also a good idea to start by teaming people together for the first couple of interviews and hands-on assessments to make sure they learn and follow similar practices.

Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
Year: 2006
Pages: 119
Authors: Kevin Day