情報セキュリティ監査がうまくいくポイント、SANSが紹介 - ITmedia エンタープライズ(情報元のブックマーク数)

IT セキュリティ

SANSが監査を切り抜ける秘訣を公開とのこと!

管理者にとって、第三者機関による情報セキュリティ監査は頭痛の種になりがちだが、こうした状況に全力で取り組むことは、会社の収益性向上につながるだけでなく、セキュリティ態勢を固めることにもつながるとSANSは指摘する。
具体的な助言として、監査人にITセキュリティポリシーのハードコピーとソフトコピーを渡す、質問にはすぐに答えられるようにしておく、人事などの関連部門には前もって連絡しておく――といった11項目のノウハウを紹介。ほかにも監査を切り抜けるコツや秘訣があれば紹介してほしいと促している。

情報セキュリティ監査がうまくいくポイント、SANSが紹介 - ITmedia エンタープライズ
  1. Stay calm and be prepared to the best of your ability.
  2. Provide the auditor with a hard and soft copy of your IT Security policy, hopefully one based on Internationally agreed standards.
  3. Use post-it flags to mark answers in the policy to any questions provided in advance. Saving the auditor time is a good thing.
  4. Make sure your policies include the approval date and revision histories for each section of policy.
  5. Set up a clean "routine" image workstation for the auditor to verify at their leisure.
  6. Have copies of your Security Awareness Training materials ready.
  7. Give heads up to the collateral departments which will need to provide requested documentation. Like HR for background checks and Physical Security for access logs.
  8. Practice accessing your logs from any SEIM or logging device. Double check logging enabled settings on all critical servers.
  9. Allow the examiner to work in a secured environment away from prying eyes and curious onlookers.
  10. Re-evaluate and study your questionnaire answers from the previous phases of the audit.
  11. Showing your professionalism and your dedication to security will undoubtedly assist in obtaining the vital business alliances required in our global economy.
InfoSec Handlers Diary Blog - Surviving a third party onsite audit

嘘をつかないのは、確かになぁ、、、あとでトラブルし。。。。

12. Do not lie or try to wiggle out of 'trouble'. You only dig your hole deeper.
13. Do not try to hide or cover up problems for two reasons: some auditors do not stop until they have found *something*. Nobody is perfect and they know it. And secondly: identified issues often provide good leverage towards management for getting those budgets in place to fix things.

InfoSec Handlers Diary Blog - Surviving a third party onsite audit

14. Don't try to hide something from them because they didn't ask a perfectly worded question. If you know what they're looking for, offer it up even if they didn't phrase it perfectly.
15. Don't be afraid to blow your own horn. If they ask about something and you put in protection measures that go beyond the norm, tell them.

InfoSec Handlers Diary Blog - Surviving a third party onsite audit

screenshot