Following an attack on a company's computer network, several security shortcomings were discovered. The network manager decided to commission a security audit of the IT infrastructure.

He wants to bring it into compliance with the security guidelines recommended as part of the audit.

Context

The main objectives of this security audit are as follows:

  • Provide the company with a review of its IT security, based on the technical and organisational aspects observed.
  • Measure the gaps against the company's security baseline (its Security References).
  • Define the measures needed to bring the whole infrastructure into compliance.

The audit concluded that there were strong points, but also weaker ones to be improved:

Positive points
  • System sizing adequate for the needs of the system,
  • Substantial physical partitioning of the network,
  • Use of robust industry standards and equipment…


Points to be improved
  • Integration of the new security responsibilities into the duties of the operations manager,
  • Strengthening of system security by replacing obsolete systems and regaining control of the network shares,
  • Formalisation and systematic updating of procedures: disaster recovery plan, security management, inventory.

Methodology

To carry out an audit, BlueKrypt uses a methodological approach adapted to the subject and to the type of service requested (penetration test, technical audit, organisational audit, functional audit, compliance audit, etc.). In this example, three steps were defined:

[Figure: the three-step audit methodology]


STEP 1: INTERVIEWS AND SITE VISIT

BlueKrypt's general audit approach starts with a review of the existing situation, through interviews and technical tests.

a) Kick-off meeting

The kick-off meeting is the opportunity to set out the following points:

  • The scope of the audit, i.e. the systems and processes to be analysed,
  • The overall schedule and the various steps,
  • The information and documents to be taken into account,
  • The contacts and interviews required.

b) Interviews and site visits

The analysis of the existing security level is based mainly on interviews with the people involved in security, and on tests and technical checks carried out during a visit to the facilities concerned.

BlueKrypt will formalise an interview guide to be approved by the project leader.

This document is derived from:

  • The MEHARI method published by CLUSIF (Club de la Sécurité de l'Information Français),
  • The ISO/IEC 27000 series of standards, which provides a full set of controls covering information security best practice.


STEP 2: RISK ANALYSIS

For each component, service or function, BlueKrypt identifies and qualifies the risks arising from the threats and vulnerabilities found. For each risk, the analysis determines:

  • A description of the risk.
  • The security criteria concerned (availability, integrity, confidentiality, traceability).
  • The probability of the risk and its impact, assessed against the security concerns identified in step 1.

These elements are summarised in a table similar to the one shown below:

[Figure: example risk analysis table]


STEP 3: RECOMMENDATIONS AND ACTION PLAN

This step sets out the security recommendations and formalises the associated action plan, distinguishing between the very short term (actions to be carried out as a priority because they cover the main risks and are easy to implement) and the short/medium term (less urgent actions, or actions requiring a more substantial investment).

For each recommendation, the action plan details:

  • A description of the measure.
  • Its implementation priority, listing first the urgent actions to carry out in the short term and those that give an easy, quick improvement of a security level.
  • Its scope (area covered, risks addressed…).
  • Its technical or organisational prerequisites.
  • Its possible impact on production.
  • An estimate of the implementation cost.
  • The residual risk.
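The following Python script is an added illustration of steps 2 and 3 taken together: it builds a small risk register in the shape of the step 2 table (description, security criteria, probability, impact) and then sorts candidate measures into the two horizons of the step 3 action plan. It is not BlueKrypt's tooling and the page does not give its scales or thresholds; the 4-level scale, the probability × impact grid, the "high or critical risk and effort of at most 2" rule for the very short term, and all of the sample risks and measures are assumptions constructed for the example (the risks echo the "points to be improved" above).

```python
"""Risk register and action-plan prioritisation (added example, not BlueKrypt's code).

Scales, thresholds and sample data are assumptions; the audit's own grid is not shown on the page.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed 4-level scale shared by probability, impact and resulting gravity.
LEVELS = {1: "low", 2: "medium", 3: "high", 4: "critical"}
CRITERIA = {"C": "confidentiality", "I": "integrity", "A": "availability", "T": "traceability"}


def gravity_level(probability: int, impact: int) -> int:
    """Combine probability and impact into a 1-4 gravity level (assumed grid)."""
    for value in (probability, impact):
        if value not in LEVELS:
            raise ValueError(f"scale value out of range 1-4: {value}")
    score = probability * impact  # 1..16
    if score >= 12:
        return 4
    if score >= 6:
        return 3
    if score >= 3:
        return 2
    return 1


@dataclass(frozen=True)
class Risk:
    ident: str
    description: str
    criteria: frozenset  # subset of CRITERIA keys, e.g. frozenset("CI")
    probability: int
    impact: int

    def __post_init__(self) -> None:
        unknown = self.criteria - set(CRITERIA)
        if unknown:
            raise ValueError(f"unknown security criteria: {sorted(unknown)}")

    def gravity(self) -> int:
        return gravity_level(self.probability, self.impact)


@dataclass
class Measure:
    ident: str
    description: str
    covers: List[str]  # identifiers of the risks the measure addresses
    effort: int  # 1 = easy and quick .. 4 = major project
    cost_estimate: str
    prerequisites: List[str] = field(default_factory=list)
    production_impact: str = "none"
    residual_gravity: int = 1  # gravity expected once the measure is in place


def prioritise(risks: Dict[str, Risk], measures: List[Measure]) -> Dict[str, List[Measure]]:
    """Split measures into the two horizons of step 3 (assumed rule).

    Very short term: covers at least one high/critical risk AND is easy (effort <= 2).
    Everything else goes to the short/medium term. Each bucket is ordered by the
    worst risk covered, then by effort, so the most urgent item comes first.
    """
    def worst(m: Measure) -> int:
        missing = [r for r in m.covers if r not in risks]
        if missing:
            raise KeyError(f"measure {m.ident} references unknown risks {missing}")
        return max(risks[r].gravity() for r in m.covers)

    plan: Dict[str, List[Measure]] = {"very short term": [], "short/medium term": []}
    for m in measures:
        bucket = "very short term" if worst(m) >= 3 and m.effort <= 2 else "short/medium term"
        plan[bucket].append(m)
    for bucket_items in plan.values():
        bucket_items.sort(key=lambda m: (-worst(m), m.effort))
    return plan


def example_register() -> Tuple[Dict[str, Risk], List[Measure]]:
    """Constructed sample data (hypothetical) echoing the 'points to be improved'."""
    risks = [
        Risk("R1", "Servers running obsolete, unpatched operating systems", frozenset("CIA"), 3, 4),
        Risk("R2", "Network shares writable by every domain user", frozenset("CI"), 3, 3),
        Risk("R3", "No formalised, tested disaster recovery plan", frozenset("A"), 2, 4),
        Risk("R4", "Asset inventory not kept up to date", frozenset("T"), 2, 2),
    ]
    measures = [
        Measure("M1", "Restrict share permissions to named groups", ["R2"], 1, "internal time only"),
        Measure("M2", "Replace obsolete systems", ["R1"], 4, "hardware + licences",
                ["budget approval"], "planned downtime", 1),
        Measure("M3", "Write and test a disaster recovery plan", ["R3"], 3, "consultancy days"),
        Measure("M4", "Put an asset inventory process in place", ["R4"], 1, "internal time only"),
        Measure("M5", "Isolate obsolete systems in a dedicated VLAN pending replacement", ["R1"], 2,
                "switch configuration", [], "brief reconfiguration window", 3),
    ]
    return {r.ident: r for r in risks}, measures


def register_rows(risks: Dict[str, Risk]) -> List[Tuple[str, str, str, str, str, str]]:
    """Rows of the step 2 table: id, description, criteria, probability, impact, gravity."""
    return [
        (r.ident, r.description, "".join(sorted(r.criteria)),
         LEVELS[r.probability], LEVELS[r.impact], LEVELS[r.gravity()])
        for r in risks.values()
    ]


if __name__ == "__main__":
    sample_risks, sample_measures = example_register()
    for row in register_rows(sample_risks):
        print(" | ".join(row))
    for horizon, items in prioritise(sample_risks, sample_measures).items():
        print(f"\n{horizon}:")
        for m in items:
            print(f"  {m.ident} {m.description} (effort {m.effort}, cost: {m.cost_estimate}, "
                  f"residual: {LEVELS[m.residual_gravity]})")
```

Note how the same risk (R1, obsolete systems) appears in both horizons: the cheap containment measure (network isolation) is a very-short-term quick win with a high residual risk, while the real fix (replacement) goes to the short/medium term because of its cost and production impact. Recording the residual gravity on each measure is what lets the reader of the action plan see that the quick win does not close the risk.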