The IT Law Wiki

Definitions

Cloud computing

A security audit is a

[s]ystematic evaluation of a cloud system by measuring how well it conforms to a set of established security criteria.[1]

General

A security audit is an

[i]ndependent review and examination of a system's records and activities to determine the adequacy of system controls, ensure compliance with established security policy and procedures, detect breaches in security services, and recommend any changes that are indicated for countermeasures.[2]
[a]n independent professional security review that tests and examines a company’s compliance with existing controls, the results of which enable an auditor to recommend necessary changes in security controls, policies, and procedures.[3]

Overview

A common approach for measuring the security posture of an organization is a formal security audit. Audits ensure that policies and controls already implemented are operating correctly and effectively. Audits can include static analysis of policies, procedures, safeguards, and configuration settings as well as active probing of the system’s external and internal security mechanisms. The results of an audit identify the strengths and weaknesses of the security of the system and provide a list of noted deficits for resolution, typically ranked by degree of severity. Because the security posture of a system evolves over time, audits are most effective when done on a recurring basis.

While periodic formal audits are useful, they are not a replacement for day-to-day management of the security status of a system. Enabling system logs and reviewing their contents manually or through automated report summaries can sometimes be the best means of uncovering unauthorized behavior and detecting security problems. A well-known example of this is documented in Cliff Stoll’s book, The Cuckoo's Egg, where a 75-cent accounting error appearing in a computer log eventually led to the discovery of an industrial espionage ring.

References

  1. NIST Taxonomy Terms and Definitions, v1.0 (Mar. 31, 2011) (full-text).
  2. NIST Special Publication 800-82, at B-7.
  3. Information Technology Security Handbook, Annex 1, Glossary.