Audit and Accountability Policy
The purpose of NIST publication SP800-53A
is to provide guidelines for building effective security assessment
plans and a comprehensive set of procedures for assessing the
effectiveness of security controls employed in information systems
supporting the executive agencies of the federal government. The most
important tool in actually implementing the guidance on this site is an
Audit and Accountability Policy. The purpose of this site is to provide
information about Audit and Accountability as well as to point to
policies on the SANS Institute's web policy project and other resources that may be helpful to organizations.
What is an Audit and Accountability Policy?
- A formal document that defines the purpose, scope, roles, responsibilities, and management commitment for the different elements of the organization.
- It should lay out the framework for security controls.
- It should have a well-developed compliance section.
- It should have an associated set of procedures for testing compliance.
Where do I start?
Step 1: Survey your organization. Determine which element of the CIA triad:
- Confidentiality
- Integrity
- Availability
should take priority in your organization. As an example, here is a paper
that argues that availability comes first for many businesses. Whatever the
answer, you want to clearly understand which of the three is most important
in your organization, because that decision drives which controls you audit first.
Step 2: Start with the most critical systems. Once again, survey your
organization to determine which systems are most crucial to meeting your
business objectives.
Step 3: Within those systems, start with the most critical items, the things that need security controls the most, so consider the SANS Top 20.
For years the security community has been identifying the 20% of the
vulnerabilities and misconfigurations that cause 80% of system
compromises. Make sure you have security controls for these items first.
Step 4: Armed with the high-level guidance you have developed, it is
time to think about evaluating compliance. You can use SP800-53A
to determine the items to test in priority order (priority meaning the
most important systems first, and the most important items on those systems).
The tools of the trade for assessment are:
- Examination, where you review policies and procedures. In terms of where to start, simply checking whether they exist at all is a great start.
- Interview, where you discuss policy and procedures with individuals
or groups. You can either start by selecting a few people at random, or
start at the top, to see what the overall level of knowledge and awareness
of the security controls is.
- Testing, which can be a powerful tool and includes penetration
testing and disaster recovery testing, but has more potential for
things to go wrong. Be wise: scope and authorize all testing in writing, and
begin it in a maintenance window with a subset of the organization's assets.
Is there a quick way to get a roughly correct idea of the security posture of my systems and networks?
Certainly: go to http://www.cisecurity.org and download their testing tools. They are easy to use and well respected, and you can be out of the gate in a day.
Where can I get training for Audit and Accountability Compliance Testing?
The NIST guidance is excellent, but at some point you need to move from
the guidance to developing either the procedures for compliance testing
of the controls or the procedures for the controls themselves. Training
is helpful for this. The SANS Institute offers training that can help.
First, a general background in audit itself can help you understand
the approach and the importance of controls. Two courses and
certifications for this are AUD 410 and AUD 423. For more advanced
systems and network audit training, consider AUD 507.
Audit and Accountability and Security Control Links:
NIST SP800-53A (http://csrc.nist.gov/publications/drafts/800-53A/draft-SP800-53A-fpd-sz.pdf)
Sample Audit and Accountability Checklist ( https://security.health.ufl.edu/VA_Research/VAChklist_Audit_and_Accountabliity.doc )
A Taxonomy of Information Systems Audits, Assessments and Reviews
A Guide to Security Metrics
Aligning an information risk management approach to BS 7799-3:2005
A Practical Guide to Auditing an ASP
System Identification for Vulnerability Assessment
Security Auditing: A Continuous Process
Future of Public Audit and Accountability (Note: this is not about IT security controls, but it shows the importance of compliance)
State of IT Audit 2007 (This was published in EDPACS; please consider joining or contributing)