Enterprises often procure a professional external party (a third-party security audit firm) to serve as the inspector of their information systems, which gives a view of the organization from the outside. The obvious difference from an internal audit is the professionalism and independence of the IT external auditor. The conclusions of the IT internal auditor and the IT external auditor may differ in scope and function: the IT internal auditor focuses on periodic monitoring on an annually scheduled inspection, whereas the external audit aims at the security of the information system from the viewpoint of information security experts. The styles and techniques of inspection are divided into three levels, as follows:
Step 1: Best Practices Checklist or Interview Techniques

This procedure is the basic step and should be done first. It is often called a "Gap Analysis" against the ISO/IEC 27001 best practice or the COBIT framework, which is applied as an audit checklist for an interview session. The check at this stage focuses on PP (People and Process) within the PPT (People, Process and Technology) concept: it lets the information system auditor understand the security concepts and the security awareness of the executives and supervisors of the information system. The interview schedule normally should not exceed 10 people, and each interview should not exceed 1 hour per person. It also lets the auditor learn whether the organization has adopted an information security best practice or framework in the enterprise, and in which way. Measuring the enterprise against such a best practice on a given topic lets it get to know its own weaknesses, which then serve as the guideline for checking the next step.

Step 2: Vulnerability Assessment Techniques
This stage focuses on inspection from the viewpoint of T (Technology) within the PPT (People, Process and Technology) concept, examining the technical side more deeply than the best-practices checklist interview of step 1. It helps the inspector check the information system for vulnerabilities or weaknesses. A vulnerability scanner such as Nessus (open-source scanner) lets the information system administrator increase awareness and see the problems arising from risks that have not yet been resolved; these should be presented in the form of risk levels such as High Risk, Medium Risk or Low Risk. The inspector is required to have basic knowledge of information security at level one, and should have the skills to use a vulnerability scanner, which is considered the "tool" of the inspector's test. Translating the results from the vulnerability scanner and presenting them in a form that is easy to understand is the key point of doing VA (Vulnerability Assessment), because the results may be translated wrongly if they are not based on a standard such as the SANS Top 20 or the OWASP Web Application Security Standard. So the interpretation of vulnerability scanner output should draw on various standards to help with the presentation, in PowerPoint form, so that managers can understand it easily and see clearly the problems that may occur with the information system.
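As an added illustration (not part of the original article), the following Python script shows the translation step described above: it reads constructed scanner findings in a simplified CSV layout (the column names are an assumption made for this example, not the exact export schema of Nessus or any other scanner), bands each finding into High/Medium/Low by CVSS score, and produces a per-host summary ranked worst first together with the fixes a manager would want on the slides.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample findings in a simplified CSV layout. The column names are an
# assumption made for this example, not the exact schema of any scanner's export.
SAMPLE_FINDINGS = """Host,Port,Name,CVSS,Solution
10.0.0.5,443,TLS 1.0 Protocol Detection,6.5,Disable TLS 1.0 and enable TLS 1.2 or later.
10.0.0.5,22,SSH Server Version Disclosure,0.0,Informational; no action required.
10.0.0.7,80,Web Server Uses Default Credentials,9.8,Change the default administrator password.
10.0.0.7,80,Missing HTTP Strict Transport Security Header,3.7,Enable HSTS on the web server.
10.0.0.9,445,SMB Signing Not Required,5.3,Require SMB signing via group policy.
"""
RISK_ORDER = ("High", "Medium", "Low", "Info")

def rate(cvss: float) -> str:
    """Band a CVSS base score into the High/Medium/Low levels used in the report.
    Assumed convention: >= 7.0 High (Critical folded in), >= 4.0 Medium, > 0 Low."""
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low" if cvss > 0.0 else "Info"

def parse_findings(csv_text: str) -> list:
    """Turn raw CSV rows into records that carry a human-readable risk level."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cvss = float(row["CVSS"])
        findings.append({"host": row["Host"], "port": int(row["Port"]), "name": row["Name"],
                         "cvss": cvss, "risk": rate(cvss), "solution": row["Solution"]})
    return findings

def summarize(findings: list) -> dict:
    """Count risk levels per host, rank hosts worst first, and list the fixes to present."""
    per_host = defaultdict(Counter)
    for f in findings:
        per_host[f["host"]][f["risk"]] += 1
    # Sort by (High, Medium, Low, Info) counts, descending, so the worst host leads.
    ranked = sorted(per_host, key=lambda h: tuple(-per_host[h][r] for r in RISK_ORDER))
    # Action items for the management slides: High/Medium findings with their fix, worst first.
    actions = sorted((f for f in findings if f["risk"] in ("High", "Medium")),
                     key=lambda f: -f["cvss"])
    return {"per_host": {h: dict(c) for h, c in per_host.items()},
            "ranked_hosts": ranked,
            "actions": [f"{f['host']}:{f['port']} {f['name']} -> {f['solution']}"
                        for f in actions]}
```

Running `summarize(parse_findings(SAMPLE_FINDINGS))` ranks 10.0.0.7 first because of its High finding and lists three action items, starting with the default-credentials fix.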