7.12 Basic Audit Methods and Tools 221
Chapter 7
the auditor cringe, the auditor should remember that he or she is there to
provide guidance, in the form of reviews and recommendations for
improvement, to help the problem go away. Question everything, but be
nice about it.
7.12 Basic Audit Methods and Tools
Operational assurance is the process of reviewing an operational system to
see that security controls, both automated and manual, are functioning
correctly and effectively [9]. To maintain operational assurance, organizations
use two basic methods: system audits and monitoring. These terms are used
loosely within the computer security community and often overlap. A system
audit is a periodic event used to evaluate security. An audit conducted
to support operational assurance examines whether the system is meeting
stated or implied security requirements, including system and organization
policies. Some audits will also examine whether security requirements are
appropriate for an organization, based on the risks identified in a risk
analysis process. Less formal audits are sometimes called security reviews.
Audits can be self-administered or performed by independent parties
(either internal or external to the organization). Both types of audit can
provide an organization with excellent information about its technical,
procedural, managerial, and other related aspects of security. The essential
difference between a self-audit and an independent audit is objectivity.
Reviews done by system management staff, often called self-audits or
self-assessments, have an inherent conflict of interest. The system management
staff may have little incentive to say the computer system was poorly designed
or is sloppily operated. On the other hand, they may be motivated by a strong
desire to improve the security of the system. In addition, they are
knowledgeable about the system and may be able to find hidden problems.
The independent auditor, by contrast, should have no professional stake
in the system. The independent auditor has nothing to gain from the
outcome (good or bad) of an audit. An independent audit should be
performed by a professional, reputable audit firm, and done in accordance
with generally accepted auditing standards. Many methods and tools, some
of which are described below, can be used to audit a system.
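In practice, the core of an audit of the kind described above is a comparison: a snapshot of what the system actually does against the requirements the organization has stated. The script below is an added illustration, not code from the book or from reference [9]. It encodes a small policy and checks constructed excerpts of /etc/passwd, /etc/shadow and sshd_config against it; the policy values, the sample file contents and the function names are assumptions chosen for the example.

```python
"""Added example: a minimal automated audit that compares a system
snapshot against a stated policy and reports every deviation."""
import re

# Stated policy. These values are constructed for the example, not taken
# from the book; a real audit would load them from the organization's policy.
POLICY = {
    "only_root_uid0": True,
    "no_empty_password": True,
    "max_password_age_days": 90,
    "sshd_required": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}

# Constructed sample inputs standing in for /etc/passwd, /etc/shadow and
# sshd_config. They deliberately contain several policy violations.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:1001:Backup operator:/home/backup:/bin/bash
"""

SAMPLE_SHADOW = """\
root:$6$salt$hash:19700:0:90:7:::
daemon:*:19700:0:99999:7:::
alice:$6$salt$hash:19700:0:365:7:::
backup::19700:0:90:7:::
"""

SAMPLE_SSHD_CONFIG = """\
# sshd_config excerpt
Port 22
PermitRootLogin yes
#PasswordAuthentication no
"""


def parse_colon_file(text):
    """Split a colon-separated account file into {name: [fields]}."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def parse_sshd_config(text):
    """Return the effective sshd keywords. A commented-out line is not a
    setting, so '#PasswordAuthentication no' leaves the daemon default in force."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\S+)\s+(.+)", line)
        if m:
            settings.setdefault(m.group(1), m.group(2))  # sshd honours the first occurrence
    return settings


def audit(passwd_text, shadow_text, sshd_text, policy=POLICY):
    """Return a list of (check, subject, detail) findings; empty means compliant."""
    findings = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    sshd = parse_sshd_config(sshd_text)

    if policy["only_root_uid0"]:
        for name, f in passwd.items():
            if f[2] == "0" and name != "root":
                findings.append(("only_root_uid0", name, "account has UID 0"))

    for name, f in shadow.items():
        pw = f[1]
        if policy["no_empty_password"] and pw == "":
            findings.append(("no_empty_password", name,
                             "empty password field allows login without a password"))
        # Password ageing only matters for accounts that can actually log in.
        if pw != "" and not pw.startswith(("*", "!")):
            max_age = int(f[4]) if f[4] else 99999
            if max_age > policy["max_password_age_days"]:
                findings.append(("max_password_age_days", name,
                                 f"max age {max_age} exceeds {policy['max_password_age_days']}"))

    for key, required in policy["sshd_required"].items():
        actual = sshd.get(key)  # None means the keyword is absent and the default applies
        if actual != required:
            findings.append(("sshd_required", key, f"expected {required!r}, effective {actual!r}"))
    return findings


if __name__ == "__main__":
    for check, subject, detail in audit(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_SSHD_CONFIG):
        print(f"FAIL {check:24} {subject:24} {detail}")
```

Run against the constructed sample, the audit reports five deviations: a second UID 0 account, an account with an empty password field, a password maximum age above the policy limit, root login permitted over SSH, and password authentication left at its default because the only line that would disable it is commented out. That last case is the one a manual review most easily misses, and it is the reason the parser treats comments as absent settings rather than as configuration.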
7.12.1 Automated Tools
Even for small multiuser computer systems, it is a big job to manually review
security features. Using automated tools makes it possible to review com-