Reviewing & Improving

Running hand-in-hand with all major activities and processes in the Security Management Cycle, (that is, Assessing Security Risks, Implementing & Maintaining a Secure Framework, and Monitoring & Recording) is Reviewing and Improving, which is an ongoing review that identifies what enhancements are necessary. This is a series of a cyclic compliance reviews and re-assessments designed to make sure that security controls are properly put into place to meet security requirements, and to cope with any rapid technological and environmental changes. It also requires continuous feedback and monitoring. The review can be done through periodic security audits to monitor and review security practices and strategies on an on-going basis.

• Security Audit
• Objectives of a Security Audit
• Auditing Steps
• Security Controls on Auditors

---

Security Audit

A security audit is a repetitive checking process to ensure that security measures are properly implemented from time to time. A Security Audit is performed more frequently than a Security Risk Assessment. It aims to find out if the current environment is securely protected in accordance with the defined security policy.

 

Objectives of a Security Audit

• to provide evidence of compliance with the security policy
• to examine and analyse safeguards to the system and the operational environment
• to assess the technical and non-technical implementation of the security design
• to validate proper or improper integration and operation of all security features

 

Auditing Steps

• Defining the audit scope & activities
• Planning
• Collecting audit data
• Performing audit tests
• Reporting audit results
• Protecting audit data and tools
• Making enhancements and follow-up

 

Security Controls on Auditors

The security control compliance of auditors should be monitored and reviewed actively and periodically. The organisation must reserve the right to audit the responsibilities of auditors defined in the service level agreement, and have those audits carried out by an independent third party.

To ensure an effective and comprehensive review, detailed inventories should be maintained accurately and kept up-to-date, including:

• a list of servers and systems within the scope of the project, and which servers / systems are storing sensitive or personal information.
  
• a list of support staff from third party service providers as well as the user IDs and access privileges granted to individual support staff.
  
• a list of data, especially sensitive or personal data, transferred to any third party service providers.