Updating of security procedures and scheduling of security audits
Don't try to hide the ugliness in your infrastructure. Highlight the areas that need improvement, as well as your strengths.
Candor will reduce the likelihood that your presentation will be viewed as a smokescreen.
Explain your applications and processes and how they relate to the business. Sometimes systems, architectures and configurations don't make sense to outside observers until they're put into context. Include identification, authentication, authorization, confidentiality, nonrepudiation, integrity, cryptography, audit and availability for each system.
Explain how your security program addresses these needs and what the controls are for each.
During the meeting, you'll want to ask:

Documentation is king

Documentation is the key to explaining how your security program works.
But auditors -- whether they're internal or third parties -- are a security professional's friends. Whether you're dealing with internal reviews or external specialists, the key to surviving a security audit is starting on the right foot.

Begin by scheduling a meeting with management to select a security audit response team -- a person or group that has the authority to facilitate the auditors' needs and respond to their inquiries.

Every environment is unique, and an overview will make their jobs -- and yours -- easier. Include slides of all systems, networks and applications being audited. Don't just tell them your front-end Web server is Apache 2, but also that it proxies traffic to a J2EE application server, and that both servers run on Red Hat Linux.
Common audit documents describe the system, security policies, operational procedures, network and system diagrams, process charts, change control procedures, process definitions, security scans/reports, test results and, of course, logs.