The IT Law Wiki

Security audit


Definitions

Cloud computing

A security audit is a

[s]ystematic evaluation of a cloud system by measuring how well it conforms to a set of established security criteria.[1]

General

A security audit is an

[i]ndependent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.[2]

A security audit is also defined as

[a]n independent professional security review that tests and examines a company's compliance with existing controls, the results of which enable an auditor to recommend necessary changes in security controls, policies, and procedures.[3]

Overview

A common approach for measuring the security posture of an organization is a formal security audit. Audits ensure that policies and controls already implemented are operating correctly and effectively. Audits can include static analysis of policies, procedures, safeguards, and configuration settings as well as active probing of the system’s external and internal security mechanisms. The results of an audit identify the strengths and weaknesses of the security of the system and provide a list of noted deficits for resolution, typically ranked by degree of severity. Because the security posture of a system evolves over time, audits are most effective when done on a recurring basis.

While periodic formal audits are useful, they are not a replacement for day-to-day management of the security status of a system. Enabling system logs and reviewing their contents manually or through automated report summaries can sometimes be the best means of uncovering unauthorized behavior and detecting security problems. A well-known example of this is documented in Cliff Stoll’s book, The Cuckoo's Egg, where a 75-cent accounting error appearing in a computer log eventually led to the discovery of an industrial espionage ring.
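The overview above describes an audit as a check of configuration settings against established criteria that yields a list of deficits ranked by severity. The following is an added example, not part of the wiki page or any cited NIST document: a small Python routine that evaluates a constructed sample configuration against hypothetical hardening criteria and reports the failures highest severity first, with a recommended change for each.

```python
"""Added example (not from the IT Law Wiki page): audit a configuration
against a set of established security criteria and rank deficits by
severity, as the Overview section describes."""
from dataclasses import dataclass
from typing import Callable

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Criterion:
    name: str
    severity: str
    check: Callable[[dict], bool]  # True when the configuration conforms
    remedy: str                     # recommended change when it does not


# Hypothetical criteria, modelled on common hardening guidance.
CRITERIA = [
    Criterion("audit logging enabled", "high",
              lambda c: c.get("audit_logging") is True,
              "enable audit logging and forward logs for review"),
    Criterion("minimum TLS version 1.2", "high",
              lambda c: c.get("tls_min_version", 0.0) >= 1.2,
              "raise tls_min_version to 1.2 or higher"),
    Criterion("password minimum length >= 12", "medium",
              lambda c: c.get("password_min_length", 0) >= 12,
              "set password_min_length to at least 12"),
    Criterion("session timeout <= 30 minutes", "low",
              lambda c: 0 < c.get("session_timeout_min", 0) <= 30,
              "set session_timeout_min to 30 or less"),
]


def audit(config: dict, criteria=CRITERIA) -> list:
    """Return the noted deficits, highest severity first."""
    findings = [{"criterion": c.name, "severity": c.severity, "remedy": c.remedy}
                for c in criteria if not c.check(config)]
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]], reverse=True)


def conformance(config: dict, criteria=CRITERIA) -> float:
    """Fraction of criteria the configuration conforms to (0.0 to 1.0)."""
    return 1 - len(audit(config, criteria)) / len(criteria)


# Constructed sample configuration used for the demonstration run.
SAMPLE_CONFIG = {"audit_logging": False, "tls_min_version": 1.2,
                 "password_min_length": 8, "session_timeout_min": 15}

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f['severity'].upper()}] {f['criterion']}: {f['remedy']}")
```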

References

  1. NIST Taxonomy Terms and Definitions, v1.0 (Mar. 31, 2011).
  2. NIST Special Publication 800-82, at B-7.
  3. Information Technology Security Handbook, Annex 1, Glossary.
