ERE has identified that lack of adherence to policy is a pivotal and ubiquitous security problem. The fundamental step to deal with policy violations is to investigate the processes and procedures followed by:
- IT operations.
- Security operations.
- The validity of IT security related documentation.
ERE requests a copy of the following client documentation, where available, for our review:
- The corporate security policy.
- A copy of any specific policies, such as Incident Response Policy, Disaster Recovery Plan.
- Documentation of the corporate security process.
- Employee security training documentation and instructions.
- A copy of the security log (a written digest of prior security problems.)
- A copy of the network diagram.
- A copy of the rule base for all firewalls and VPNs.
- Any other relevant documentation.
An ERE security expert then conducts on-site interviews with the key members of the client’s IT and security staff. The goals for the interview are to:
- Review all the documentation, and ensure ERE has a clear understanding of their intent and to whom they apply.
- Gain an understanding of problem areas with regard to operations and security.
- Review the network architecture from a security perspective, and ensure ERE has a clear understanding of security operations with respect to the intent of the design.
- Get a clear understanding of any current security problems or concerns.
- Understand the design goals of the current network architecture.
- Understand the planned network changes to occur over the ensuing 6 – 12 month period.
- Conduct a tour of the Location technology room, accompanied by the IT team.
- Compare, at a large scale, the network diagram with the actual deployment, and gain an understanding of the reasons for any differences.
The process audit also may involve components of other audits, including: