Last updated Monday, 6 November 2017, 21:41:58 GMT

Sooner or later, your organization will likely be the subject of an IT audit. But as ominous as that sounds, it doesn’t have to be something to dread. If you’re a network administrator, you’ll have a specific role in an audit. Since audits are rarely small projects, you’ll likely be working with others throughout the process. The best way to fulfill your specific role well is to be prepared for an audit before it happens. Simply put, an audit is an examination to determine whether controls are sufficient to meet policy and externally mandated objectives. Audits should help identify security or service gaps that increase organizational risk, and so make your organization safer.

For a real-world example, suppose you say that you want to follow a low-sodium diet. You may have come to this conclusion on your own after reading about the benefits of such a diet, or your doctor may have recommended it. How do you know whether you’re doing well at keeping to the diet? You could simply compare what you’ve been eating with the guidelines of a low-sodium diet. That is really just a diet audit. If you eat a bag of potato chips every day, you are not on a low-sodium diet. What does that mean? Did you fail your diet audit? Yes, but that isn’t the most important part. More important is that departing from the low-sodium diet guideline increases your risk of sodium-related diseases and disorders. The goal of any audit is simply to see whether your organization is complying with stated goals that reduce risk.

One of the best first steps in preparing for an IT audit is to understand what kind of audit is being conducted and who is conducting it. Most audits are not a surprise. In fact, many organizations have audits required by regulation, legislation, industry, or other external requirements. For example, does your organization accept payment cards? Depending on the number of transactions per year, you may be required, under PCI DSS, to undergo periodic audits. Many other external requirements can trigger audits, such as FISMA, HIPAA, and SOX. Regardless of the external drivers for an audit, you’ll probably benefit greatly from adopting a standard IT control framework, such as COBIT. COBIT provides a comprehensive framework and set of control objectives for IT management and governance. Whether you adopt a framework or simply document your own control objectives, you should map your infrastructure against the control objectives so that you can easily determine what is in scope for the audit. That step alone will help you manage the scope of work you’ll have to do. For example, if you are facing a SOX Section 404 audit, you could use COBIT to help focus on controls in three initial key areas:

  • Change management processes
  • Access control / separation of duties
  • Backup / archive storage

An IT auditor is also interested in collecting documentation of activity. Most of that documentation comes in the form of log files, but that isn’t all an auditor is interested in. Activity logs aren’t much help unless there is something to compare them with. Additional information can include policies, procedures, or even previously examined activity logs. Auditors are looking for evidence of activity over some period of time. They want to check what should have happened (policies, objectives, and procedures) against what actually happened (log files and other artifacts). So how do you know what specific information an auditor wants? Just ask.

One of your first steps in preparing for any audit is to determine who will be conducting it. That information should be easy to find. Then ask the auditors what they need from you. They’ll generally let you know what artifacts they’ll need to carry out their work. That information should help you determine whether you are ready. If you are, great! If not, you’ll need to make some changes to ensure the auditors have what they need when they need it. That may include adding logging features or retaining more log content. Review your logging policies and procedures to ensure that you’ll have the information the auditors need, and that any changes you recommend don’t violate other parts of your security policy. In some cases, auditors may require information that exceeds your organization’s information retention policy. When that happens, management will have to review the security policy and potentially change it to align with external requirements.

There are also many online resources to help you prepare for an audit. Once you know the specific type of audit, such as an annual PCI DSS audit, use your favorite search engine to help you prepare. In this case, searching for “PCI DSS audit preparation” is a good place to start. A little research should provide guidance specific to the types of audits that apply to you. Use others’ experience to help you avoid pitfalls.

Although it sounds like a lot of work, preparing for an audit helps your organization in several ways. First and foremost, actively preparing for an audit greatly increases the likelihood of a positive audit outcome. Second, finding and closing gaps yourself before an auditor finds them reduces risk to your organization. Lower risk means a lower likelihood of a breach. Preparing for an audit is worth the effort and time. Don’t fear the audit; it isn’t a final exam. It is just an opportunity to validate either that your risk is as low as possible or that you have some gaps to address. And being well prepared means there will probably be fewer gaps in the audit report.