230 ◾ Official (ISC)2® Guide to the ISSMP® CBK®
© 2011 by Taylor & Francis Group, LLC
An internal audit is performed on the enterprise by the enterprise. An internal audit may be preliminary to an external audit, used to discern and fix obvious problems before the external auditors arrive. An objective third party performs an external audit. These external auditors will attest to the depth and breadth of the audit and to the accuracy of the results. For both internal and external audits, define the scope and stay within that scope.
Discovery is all the field work that determines the physical location of people, technology, and data (e.g., log files) and includes interviews, hands-on verification, visual review for verification, and obtaining all relevant documentation. Log files may be a very good source of data to view configurations, access, transactions, and other activities; however, the volume of data in log files can be overwhelmingly large and well beyond the capacity of manual analysis. There are many commercially available log analyzers to help consolidate and analyze log data.
Analysis evaluates all the data gathered during the discovery phase and compares it to the security standard. The results of the analysis may be a subjective report expressing an opinion or an objective report including statistics and graphs. The latter is a bit more difficult to prepare for because there must be metrics assigned both to the standard and to the discovery data. The report will include all findings, highlight the most important findings in the opinion of the auditor, and express priorities in addressing any gaps found between actual practice and the practices expressed in the standard.
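The discovery and analysis steps above are easier to see end to end in code. The following is an added example, not code from the ISSMP guide: it consolidates constructed SSH authentication log lines (a sample invented here, not from any real system) into metrics, expresses a hypothetical interpretation of a standard as measurable requirements, and produces prioritized findings for the gaps. The control identifiers (AC-1 to AC-3), thresholds, and priorities are assumptions chosen for illustration.

```python
"""Audit helper: consolidate discovery data (logs) into metrics and compare
them to a security standard expressed as measurable requirements.
Added illustrative example; not from the ISSMP guide."""
import re
from collections import Counter

# Constructed sample log lines in a syslog/sshd style (invented for this example).
SAMPLE_LOG = """\
Mar 03 08:01:12 srv1 sshd[101]: Accepted publickey for alice from 10.0.0.5 port 5221
Mar 03 08:02:40 srv1 sshd[102]: Failed password for root from 203.0.113.9 port 41021
Mar 03 08:02:41 srv1 sshd[103]: Failed password for root from 203.0.113.9 port 41022
Mar 03 08:02:43 srv1 sshd[104]: Failed password for root from 203.0.113.9 port 41023
Mar 03 08:05:00 srv1 sshd[105]: Accepted password for bob from 10.0.0.7 port 5300
Mar 03 08:06:10 srv1 sshd[106]: Accepted password for root from 203.0.113.9 port 41030
Mar 03 09:00:00 srv1 sshd[107]: Accepted publickey for carol from 10.0.0.8 port 5401
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse_log(text):
    """Discovery: turn raw log lines into structured events; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def consolidate(events):
    """Collapse individual events into the metrics the standard will be measured against."""
    metrics = {
        "total_attempts": 0,
        "failed_logins": 0,
        "root_logins": 0,          # successful interactive logins as root
        "password_logins": 0,      # successful logins using password auth
        "failed_by_source": Counter(),
    }
    for e in events:
        metrics["total_attempts"] += 1
        if e["result"] == "Failed":
            metrics["failed_logins"] += 1
            metrics["failed_by_source"][e["src"]] += 1
        else:
            if e["user"] == "root":
                metrics["root_logins"] += 1
            if e["method"] == "password":
                metrics["password_logins"] += 1
    return metrics


# Hypothetical interpretation of a standard: each requirement carries a metric,
# a comparator, a threshold and a priority so that the comparison is objective.
STANDARD = [
    # (control id, description, metric, comparator, threshold, priority)
    ("AC-1", "No direct root logins", "root_logins", "==", 0, "high"),
    ("AC-2", "Password authentication disabled for SSH", "password_logins", "==", 0, "medium"),
    ("AC-3", "Failed-login ratio below 50%", "failed_ratio", "<", 0.5, "low"),
]


def analyze(metrics, standard=STANDARD):
    """Analysis: compare consolidated metrics to the standard and return gaps, highest priority first."""
    total = metrics["total_attempts"]
    derived = dict(metrics)
    derived["failed_ratio"] = metrics["failed_logins"] / total if total else 0.0
    findings = []
    for cid, desc, key, op, threshold, priority in standard:
        actual = derived[key]
        compliant = {"==": actual == threshold, "<": actual < threshold}[op]
        if not compliant:
            findings.append({
                "control": cid,
                "description": desc,
                "expected": f"{op} {threshold}",
                "actual": actual,
                "priority": priority,
            })
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f["priority"]])
    return findings


def audit(text):
    """Run discovery consolidation and analysis over a block of log text."""
    return analyze(consolidate(parse_log(text)))


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"[{f['priority']}] {f['control']}: {f['description']} "
              f"(expected {f['expected']}, actual {f['actual']})")
```

On the sample data the root login and the two password logins produce a high and a medium finding, while the failed-login ratio (3 of 7) stays under the assumed threshold and generates none. The per-source failure counter is the kind of detail an auditor would carry into the report to highlight where the most important findings originate.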
The follow-up activities result in changes to the enterprise’s people, process, technology, and environment to bring current practices closer to adherence with the standard. Follow-up activities may take years to accomplish depending on the size of the gap, the resources available for gap closure, and the budget cycles that pay for the labor and materials necessary to close the gaps.
All audits should be subject to good project management practices, including building a qualified team and establishing dates, a work breakdown structure, dependencies, milestones, and deliverables. Qualified team members should have the appropriate certifications (e.g., Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP)), education, experience, and personality. Knowledge of the organization provides insight into its processes and the overall big picture of the organizational vision, mission, and the activities that fulfill the mission.
Organizational knowledge includes the organizational hierarchy of departments, the expected products and services (both internally consumed [e.g., human resources] and externally consumed [e.g., products sold to customers]), the functions that produce these products and services, the people who perform the functions, and the technology they use. Diagramming the organization will help the auditor understand operations. One diagramming method is a Suppliers-Inputs-Process-Outputs-Customers (SIPOC) diagram.
The auditor should have intimate knowledge of the security standard that is the basis for the audit. If the standard is vague in any respect, clarify it by writing an interpretation guide specific to the organization receiving the audit. This