Why is (computing & information) Security Auditability important:
----------------------------------------------------------------
updated: 18Jan02  revID: 1h
updated: 16Jul98  revID: 1g
by: Bill Schell   e-mail: rhk657@email.mot.com
----------------------------------------------------------------

In any network operation, whether a local (building or campus) LAN or a regional to global WAN, there are certain items that require periodic review for compliance with some level of security "standard" (whether that standard is internally specified and/or imposed on the organization by legal or customer requirements). This measurement process is usually called a "Network Security Audit".

A "Network Security Audit" is predicated on a foundation of at least two documents, both in existence and rigorously followed:

Computing Policy Document:
----------------
a.) what is supported, what is accepted & what is neither
b.) what is/are the penalties for operating outside this realm

"Appropriate Use" Document:
----------------
signed by each and every employee, basically stating they will not operate outside the realms described in the Computing Policy Document (legal grounds for discipline)

Without these two documents, which state the standards of operation and therefore the limits to which a "Network Security Audit" will hold people, organizations & practices to the standard, there is no point to a "Network Security Audit".
Regardless of organizational (network) size (local/global), an Audit should review standards of security in, at minimum, these areas:

** Basic Operating System security:
   - MicroSoft [9x | NT | 2000 | XP] | Unix/Linux | Macintosh | others

** Network gateway (internal/external) security:
   - Routers: between internal departments and/or between internal & external networks
   - Firewalls: similar to router security, but more oriented towards "external" risks

** Web-access controls security:
   - Do you have a web-access proxy? Who manages & reviews the logs? What action is taken when a "violation" is found?

** Applications security:
   - key database, HR, order entry, shop-build-orders, import/export and finance applications must be made secure in their own right, regardless of the network upon which they reside

** Physical security:
   - key servers, backup tapes, source files & executables for applications, building & networking equipment security

** Back-up & restore procedures & processes:
   - key software is identified, backed up & available for timely restoration upon request

** Disaster recovery planning & testing:
   - a "Disaster Recovery Plan" (DRP) exists, has multiple focus people, has been tested and is stored off-site for "timely business resumption" in case of a physical, natural or human disaster

and, finally:

** Periodic hard-copy &/or electronic documentation that these activities are actually being carried out on a regular basis.

There is a difference between a "Network Security Audit" finding that a network is "Secure" and finding that it is "Auditable". The difference lies in the documentation required to define "auditable". Most of the foundation of this difference comes from the legal environment in which a company operates, especially the legal-financial environment(s). In order to judge "are we secure" / "are we auditable", it is helpful to attach some degree of "metric" to "secure" and "auditable".
The "new & revised" color-chart tool with metrics is an attempt to do this. It allows us to measure, or metric, one part of the corporation against others, and allows us to see (we would hope) an improvement, over time, in our level of security & auditability.
----------------------------------------------------------------------
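As an added example (not the author's color-chart tool, whose scoring rules are not given here), the following Python models the secure/auditable distinction over the audit areas listed above: an area is "secure" when its control is in place, but "auditable" only when dated evidence that the activity is actually carried out exists and is current. The area names, the 90-day review interval, the colour rules and the sample findings are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta

# Audit areas taken from the checklist above; the scoring rules are an assumption.
AUDIT_AREAS = ("operating system", "network gateway", "web access", "applications",
               "physical", "backup and restore", "disaster recovery")
REVIEW_INTERVAL = timedelta(days=90)   # assumed "periodic" documentation cadence
AS_OF = date(2002, 1, 18)              # constructed audit date

@dataclass
class AreaFinding:
    control_in_place: bool                                    # does the control exist and work?
    evidence_dates: list[date] = field(default_factory=list)  # dated records that it is carried out

def is_secure(f: AreaFinding) -> bool:
    return f.control_in_place

def is_auditable(f: AreaFinding, as_of: date = AS_OF) -> bool:
    # Auditable only when the control is documented and the documentation is current.
    if not f.control_in_place or not f.evidence_dates:
        return False
    return as_of - max(f.evidence_dates) <= REVIEW_INTERVAL

def rate_area(f: AreaFinding, as_of: date = AS_OF) -> str:
    """green = secure and auditable; yellow = secure but undocumented or stale; red = control missing."""
    if not is_secure(f):
        return "red"
    return "green" if is_auditable(f, as_of) else "yellow"

def rate_unit(findings: dict[str, AreaFinding], as_of: date = AS_OF) -> dict[str, str]:
    # An area with no finding reported counts as missing (red), so it cannot be skipped.
    return {a: rate_area(findings.get(a, AreaFinding(False)), as_of) for a in AUDIT_AREAS}

def score(ratings: dict[str, str]) -> int:
    # One number per unit, to compare units against each other and track improvement between audits.
    return sum({"green": 2, "yellow": 1, "red": 0}[r] for r in ratings.values())

# Constructed sample: controls mostly exist, but two are undocumented and there is no DRP.
SAMPLE = {
    "operating system": AreaFinding(True, [date(2002, 1, 10)]),
    "network gateway": AreaFinding(True, [date(2001, 12, 20)]),
    "web access": AreaFinding(True, []),                    # proxy runs, nobody reviews its logs
    "applications": AreaFinding(True, [date(2001, 6, 1)]),  # last review older than the interval
    "physical": AreaFinding(True, [date(2002, 1, 5)]),
    "backup and restore": AreaFinding(True, [date(2002, 1, 15)]),
    "disaster recovery": AreaFinding(False, []),
}
```

Running `rate_unit(SAMPLE)` rates "web access" and "applications" yellow (secure but not auditable) and "disaster recovery" red, for a score of 10 of a possible 14; a unit that reports nothing scores 0.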