Systems Security
Lesson 7
Auditing, Testing, and Monitoring
Is there effective implementation and upkeep of controls?
Appropriateness of controls
• Is the level of security control suitable for the risk it addresses?
Correct installation of controls
• Is the security control in the right place and working well?
Address purpose of controls
• Is the security control effective in addressing the risk it was designed to address?
Planning the audit
• Define objectives; determine which systems or business processes to review
• Define which areas of assurance to check
• Identify personnel who will participate in the audit
Review documentation
• Reviewing documentation
• Reviewing configurations
• Checklists
• Reviewing policy
• Performing security testing
• Baselines
Controls that monitor activity
• Closed-circuit TV
• Real-time monitoring
  • Host IDS
  • System integrity monitoring
  • Data loss prevention (DLP)
• Log activities
  • Host-based activity
  • Network and network devices
• IDSs
• IPSs
• Firewalls
• Anomaly-based IDSs
  • Profile-based systems
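The "system integrity monitoring" and "baselines" items above describe one control in outline only. The following is an added example, not part of the lesson slides: it records a baseline of SHA-256 digests for a set of monitored files and then reports files that were added, deleted or modified relative to that baseline. The two file snapshots are constructed in memory so the example runs offline; a real monitor would walk the disk instead.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample snapshots (path -> file contents). They stand in for
# two walks of the filesystem: one taken when the baseline was recorded and
# one taken at check time.
BASELINE_SNAPSHOT: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/bin/sudo": b"\x7fELF...constructed-stand-in-for-a-binary...",
}
CURRENT_SNAPSHOT: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",                         # unchanged
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # modified
    "/usr/local/bin/helper": b"#!/bin/sh\necho hi\n",                             # added
    # /usr/bin/sudo is absent from this snapshot -> reported as deleted
}


def build_baseline(snapshot: Dict[str, bytes]) -> Dict[str, str]:
    """Record the SHA-256 digest of every monitored file (the known-good state)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in snapshot.items()}


def check_integrity(baseline: Dict[str, str],
                    snapshot: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Compare the current snapshot against the baseline.

    Returns sorted (finding, path) pairs where finding is one of
    "added", "deleted" or "modified"; an empty list means no drift.
    """
    current = build_baseline(snapshot)
    findings: List[Tuple[str, str]] = []
    for path, digest in baseline.items():
        if path not in current:
            findings.append(("deleted", path))
        elif current[path] != digest:
            findings.append(("modified", path))
    for path in current:
        if path not in baseline:
            findings.append(("added", path))
    return sorted(findings)


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_SNAPSHOT)
    for finding, path in check_integrity(baseline, CURRENT_SNAPSHOT):
        print(f"{finding:8} {path}")
```

The baseline itself must be stored somewhere the monitored host cannot silently rewrite, otherwise a change to the baseline hides a change to the files.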
Black-box testing
• Uses test methods that aren't based directly on knowledge of a program's architecture or design
White-box testing
• Is based on knowledge of the application's design and source code
Gray-box testing
• Lies somewhere between black-box testing and white-box testing