IT Security Audit Series: How to perform Infrastructure Security Audit: Guiding Questions

Celestin Ntemngwa
Sep 29, 2022

In this post, I briefly explain how USGEBS audits infrastructure security. The USGEBS team usually works with an organization’s information technology personnel, including management. The team begins by explaining why and how they will audit infrastructure security. They also allow the organization to ask questions. After that, they get started with the audit.

What is infrastructure security?

I will briefly discuss how we define infrastructure security and our corresponding audit objectives and approach. Infrastructure security includes network segmentation, the perimeter, end-points, and remote and mobile devices. This area demonstrates the importance of tested and continually monitored defense-in-depth controls. The audit is focused on answering the following essential questions.

· First, have policies been adopted that support infrastructure security?

· Second, is the network optimally segmented? For example, into a DMZ, service networks, VLANs, and enclaves.

· Third, what is the process for locating, selecting, configuring, managing, and monitoring perimeter devices, such as routers, firewalls, IDS/IPSs, and DLPs?

· Fourth, how does the organization prevent, disrupt, identify, and respond to malware attacks?

· Fifth, does the organization have end-point security standards, for example for AV, patch management, host-based firewalls, and IDS? And how are they managed?

· Sixth, does the organization use network access control (NAC) technology? And if so, how effective is the NAC?

· Seventh, are remote devices allowed to connect to the network? And if so, how are remote devices and locations controlled and managed?

· Eighth, are mobile devices in use? And if so, how are mobile devices controlled and managed, and how is confidential data on those devices protected?

· Ninth, does the organization have a threat intelligence program? And if so, how effective is it at identifying potential infrastructure threats and vulnerabilities? How is remote access being handled, is it cost-effective, and how is it being analyzed?

· And lastly, what type of testing is conducted? For example, vulnerability assessments and penetration tests. How often are tests conducted? What are the rules of engagement? And how are the results communicated and responded to?

The USGEBS team adheres to ISACA Audit and Assurance standards and guidelines throughout this audit. The USGEBS audit team has the appropriate infrastructure security experience. The team collects, evaluates, and analyzes evidence, including but not limited to policies and procedures, risk assessments, network diagrams and maps, asset inventories, controls documentation, configuration settings, security logs, incident reports, threat intelligence workflow, vulnerability management decisions, and test plans, including rules of engagement and results. The team then reconvenes the auditee group to discuss preliminary findings and the audit committee to provide the final report.

After the USGEBS team has completed their audit, they compile their findings and recommendations. Then, they present their findings to the organization’s management. They also make recommendations on how to improve infrastructure security. USGEBS is always available to help an organization implement its recommendations. Contact us today to learn more about our services.
