Auditing Methods

The auditing methods used depend on the goals of the audit, the environmental specifics, and the intended audience for which the report must ultimately be presented. The auditing methods used by information security professionals are similar to accounting audit methods but have a different focus. Likewise, the criteria developed by the United States Department of Defense Trusted Computer System Evaluation Criteria, also known as the "Orange Book," may be appropriate for government use but may not fit the private sector. In particular, the confidentiality of data and associated controls for military applications may be more than the civilian population requires or can effectively afford to deploy.

How is an information security audit different from the traditional accounting audit? The business environment that used to be based on paper and regular workdays might produce data from 8-hour days, 5 days a week, 47 weeks per year. The electronic data analyzed for information systems, usually in the form of logs, is gathered 24 hours a day, 7 days a week, 52 weeks a year. The increase in the volume of data requires automated tools to address the workload, which has led to increased use of IT to assist with both the accounting audit and the information security audit. The processes are very similar, but the tools used to perform the task are often different and specialized for it.

An effective information security auditor typically has command-line knowledge of several operating systems in order to perform manually intensive searches on verbose logs and disparate systems. An understanding of the network topology is required for an information systems security auditor to determine whether sensitive information assets are susceptible to external or internal breaches and which controls are appropriate to deploy to further protect those assets. An accounting auditor likewise must know the business environment in which the audit is conducted, but may not be as concerned with how an organization's network perimeter is secured and how hosts are secured down through all layers of the Open Systems Interconnection (OSI) model. The tools used to determine compliance in both environments are specific to the audit, but the processes are similar. The following list is based on Orange Book criteria but has been adapted for the private sector:
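As an added illustration of the point above (this is example code, not material from the study guide), the following Python script parses a few constructed syslog-style lines and flags the entries that fall outside an assumed 8-hour, Monday-to-Friday business window: the kind of automated search an auditor runs over 24x7 logs instead of reading them by hand. The log format, the business window, the host names and the user names are all assumptions made for the example.

```python
"""Added example (not from the study guide): flag log entries that fall
outside an assumed 8x5 business window so an auditor can review a short
list of off-hours events rather than the whole 24x7 log."""
from __future__ import annotations

import re
from collections import Counter
from datetime import datetime, time

# Constructed sample log lines in a syslog-like format (hypothetical hosts,
# users and addresses). 2023-03-06 is a Monday; 03-11/03-12 are a weekend.
SAMPLE_LOG = """\
2023-03-06T09:12:44 host1 sshd: Accepted publickey for alice from 10.0.0.5
2023-03-06T23:47:02 host1 sshd: Accepted password for bob from 10.0.0.9
2023-03-07T13:05:10 host2 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow
2023-03-11T02:30:55 host2 sshd: Accepted password for bob from 203.0.113.7
2023-03-12T10:00:00 host1 sshd: Accepted publickey for carol from 10.0.0.5
not a log line at all
"""

# "<ISO timestamp> <host> <process>: <message>" -- an assumed line layout.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")
# Pull a user name out of sshd ("... for <user> ...") or sudo ("<user> : ...").
USER_RE = re.compile(r"\bfor (?P<user>\w+)\b|^(?P<suser>\w+) :")

# Assumed business window: 08:00-16:00, Monday (0) through Friday (4).
BUSINESS_START, BUSINESS_END = time(8, 0), time(16, 0)
BUSINESS_DAYS = range(0, 5)


def parse_line(line: str) -> dict | None:
    """Return a record dict for a well-formed line, None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None  # timestamp field present but unparseable: skip the line
    u = USER_RE.search(rec["msg"])
    rec["user"] = (u.group("user") or u.group("suser")) if u else None
    return rec


def in_business_hours(ts: datetime) -> bool:
    """True when the timestamp lies inside the assumed 8x5 window."""
    return ts.weekday() in BUSINESS_DAYS and BUSINESS_START <= ts.time() < BUSINESS_END


def off_hours_activity(log_text: str) -> dict:
    """Summarise parseable lines that fall outside business hours."""
    parsed = [r for r in map(parse_line, log_text.splitlines()) if r]
    off = [r for r in parsed if not in_business_hours(r["ts"])]
    return {
        "total": len(parsed),
        "off_hours": len(off),
        "by_user": dict(Counter(r["user"] for r in off)),
        "events": [(r["ts"].isoformat(), r["user"], r["host"], r["proc"]) for r in off],
    }


if __name__ == "__main__":
    summary = off_hours_activity(SAMPLE_LOG)
    print(f"{summary['off_hours']} of {summary['total']} events fell outside business hours")
    for ts, user, host, proc in summary["events"]:
        print(f"  {ts}  user={user}  host={host}  process={proc}")
```

On the constructed sample, three of the five parseable events (two for bob, one for carol) fall outside the window and are listed for follow-up; the malformed line is dropped rather than crashing the run, which matters when the same script is pointed at real, noisy logs from several systems.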

  1. Approach the Client: Solicit information from the client on the desired goal of the audit and ensure that any legal exposure associated with performing the audit is mitigated up front.

  2. Information Gathering: Obtain the credentials required to perform the audit, including proper systems access and authorization from management; determine the scope of work based on the time allowed and the desired goals.

  3. Perform the Audit: Allow a reasonable amount of time to execute the work declared in the audit scope.

  4. Provide an Audit Status: If any issues arise during the audit, maintain confidentiality and report the finding to the audit points of contact.

  5. Deliver the Report: Provide an executive summary to management outlining the nature of the exposure that was found. Classify the impact of each risk as high, medium, or low, and indicate the number of incidents found and the corrective steps required to mitigate the risk.

The Orange Book provides a framework to perform an audit, but falls short of specifying each of the tools required to accomplish the security objectives. The data-gathering methods and tools required to verify information security compliance are discussed in the following sections:

  • Checklist audits

  • Penetration testing

  • Wardialing

  • Dumpster diving

  • Social engineering

Test Day Tip

If you're feeling stressed out studying for the SSCP, don't forget the SPAA to relax… The SSCP exam is designed to be vendor-neutral and does not focus exclusively on federal standards, on private-sector standards and practices, or on particular vendors. However, it would be a good idea to become familiar with the concepts covered in the Orange Book at a very high level and to expect some questions in those areas. The Orange Book outlines three major control objectives: Security Policy, Accountability, and Assurance (SPAA).



SSCP Systems Security Certified Practitioner Study Guide
SSCP Study Guide and DVD Training System
ISBN: 1931836809
Year: 2003
Pages: 135
