
Security Audit Course Project


Security Audit Project Sem 1 1444H

Write a report about one of the following topics.

One project per student (late submission deadline: 4-11-2022)

Projects List:
1- Building a Security Program
Policies, procedures, and standards represent the foundation of a security program.
These are the documents that detail the who, what, when, and how of protecting your
business assets and resources.
1. Policy
2. Procedures
3. Standards
4. Security Controls
5. Administrative Controls
6. Technical Controls
7. Physical Controls
8. Preventative Controls
9. Detective Controls
10. Corrective Controls
11. Recovery Controls
12. Managing Risk
13. Risk Assessment
14. Risk Mitigation
15. Risk in the Fourth Dimension

2- The Auditing Process

The auditing process can be easily broken down into a number of phases. Each phase
builds on the last with the ultimate product being a report that documents the findings of
the audit. Having a good framework to conduct an audit makes the process run smoothly
and helps to eliminate opportunities for mistakes and inconsistencies that reduce the
accuracy of the audit. The phases of an audit are:
■ Planning phase: Audit the subject, objective, and scope.
■ Research phase: Plan, audit procedures, and evaluate criteria.
■ Data gathering phase: Gather checklists, tools, and evidence.
■ Data analysis phase: Analyze, map, and recommend.
■ Audit report phase: Write, present, and file the audit report.
■ Follow up phase: Follow up, follow up, and follow up!

3- Information Security Law

Information security law is one of the key drivers of auditing in businesses today. Most
companies agree that auditing security is a good idea, but actually doing it on a regular
basis requires a commitment of resources and time that could easily be set aside for other
projects. After a long string of high-impact security failures in business, security has
shifted from a voluntary discipline to one that is required by law. Compliance with federal
and state laws is enforced through fines and, in some cases, jail time. In summary:
■ Most of the hacking laws classify hacking as access without authorization. Make sure
that you have permission for any security testing you might do while auditing networks
and hosts.
■ Packet capture and monitoring networks for fraud and abuse in a corporate environment
are perfectly legal. All organizations should have a well-defined monitoring
policy that employees are aware of, and it is recommended to have them sign off on
written policies.
■ Make sure that you obtain professional legal advice when building corporate information
security policies. Many of the laws are tricky and constantly changing.
■ Developing a strong information security strategy that leverages best practices can
help to comply with multiple regulations.

4- Information Security Governance

To audit a process, procedure, or technology, you must first measure the
current state against the desired state; this enables you to identify the gaps.
Governance drives the organization to institute best practices and measures its
performance. In summary:

• Information Security Governance Organizational Structure
• Board of Directors
• Security Steering Committee
• CEO or Executive Management
• CIO/CISO
• Security Director
• Security Analyst
• Security Architect
• Security Engineer
• Systems Administrator
• Database Administrator
• IS Auditor
• End User

5- Process: Security Governance Frameworks

A best practice doesn’t become a standard until the organization adopts it and
decides to comply with it.
Auditors need to be aware of various best practices and industry standards
available today to better tailor audits to the companies for which they are
conducting them.

• COSO
  • Control Environment
  • Risk Assessment
  • Control Activities
  • Information and Communication
  • Monitoring
• COBIT
• ITIL

6- Technology: Standards, Procedures, and Guidelines

The following standards and best practices can help the auditor distinguish
good security designs from bad and provide reference architectures to compare
against.
• ISO 27000 Series of Standards
• NIST
• Center for Internet Security
• NSA
• DISA
• SANS
• ISACA
• Cisco Security Best Practices

7- Evaluating Security Controls

• Auditing Security Practices
• Testing Security Technology
• Security Testing Frameworks
  • OSSTMM
  • ISSAF
  • NIST 800-115
  • OWASP
• Security Auditing Tools
• Service Mapping Tools
  • Nmap
  • Hping

8- Vulnerability Assessment Tools

• Nessus
• RedSeal SRM
• Packet Capture Tools
  • Tcpdump
  • Wireshark/Tshark
• Penetration Testing Tools
  • Core Impact
  • Metasploit
  • BackTrack

9- Auditing Cisco Security Solutions

The depth of IT audits and the skills required of auditors have increased dramatically as a
result. In the early days of assessing security, auditors typically focused on identifying the
presence or location of specific technologies, such as firewalls and routers, and less on how
well these technical controls were integrated into the business processes or their
effectiveness. The mere presence of a security device did not indicate that it was adequately
protecting the digital assets of the organization or mitigating risk, but it was a required
control and that was good enough. Much of this disconnect over the effectiveness of security
controls had to do with the fact that auditors in general were not technologically inclined,
having most often come from the financial world.
• Auditors and Technology
• Security as a System
• Cisco Security Auditing Domains
  • Policy, Compliance, and Management
  • Infrastructure Security
  • Perimeter Intrusion Prevention
  • Access Control
  • Secure Remote Access
  • Endpoint Protection

10- Auditing Cisco Security Solutions

This domain identifies key areas that are necessary for securing a unified communications
installation. IP telephony is an application, and as with all applications, it needs to be
deployed securely and assessed for potential vulnerabilities. Toll fraud, eavesdropping,
and denial of service are all potential threats to an organization's phone system. Auditing
unified communication installations against best practices and recommended security
configurations helps identify areas of improvement as well as opportunities to mitigate
risk. There are numerous security features available in the Cisco Unified Communications
suite of products that should be utilized.
• Unified Communications
• Defining the Audit Scope of a Domain
• Identifying Security Controls to Assess
• Mapping Security Controls to Cisco Solutions
• The Audit Checklist

11- Policy, Compliance, and Access Management

A security policy is a document that provides the high-level direction and goals that a
business uses to control and protect its assets and information. The security policy
should be the foundation against which all security decisions are measured, and it should be
consulted before any product or technology is put into place. In general, a security policy
tells you what activities are acceptable, required, or forbidden when interacting with
business-owned resources.
• Do You Know Where Your Policy Is?
• Auditing Security Policies
• Standard Policies
  • Acceptable Use
  • Minimum Access
  • Network Access
  • Remote Access
  • Internet Access
  • User Account Management

12- Security Policy, Compliance, and Data and Device Management

For the auditor, ensuring that a security policy meets the objectives of securing the
business’s assets and compliance requirements requires assessing policy documents and
comparing them against best practices. An auditor also interviews and observes how well
employees follow policies and identifies any areas of improvement.
• Data Classification
• Change Management
• Server Security
• Mobile Devices
• Guest Access
• Physical Security
• Password Policy
• Malware Protection
• Incident Handling
• Audit Policy
• Software Licensing
• Electronic Monitoring and Privacy

13- Cisco Policies for Regulatory and Industry Compliance

An overview of what to look for when assessing an organization's information security
policies for compliance with law and industry regulations.
• Policies for Regulatory and Industry Compliance
• Cisco Policy Management and Monitoring Tools
  • Cisco MARS
  • Cisco Configuration Professional
  • Cisco Security Manager
  • Cisco Network Compliance Manager
• Checklist
