Archive for July 30th, 2007

How to pass a security audit

Interesting article at Dark Reading about security audits, with basic tips on how to pass them (or at least how to give it a good try). It starts off with “Nobody passes a security audit on the first try.” Maybe the title should be changed to “Where will the auditors look for issues (and probably find them)?”

The eight general recommendations are:

  • Establish a consistent set of practices for change management
  • Keep your app developers away from production/operations
  • Give users access only to the data and apps they need
  • Shore up physical access to your systems
  • Establish methods to detect security anomalies — and where they come from
  • Map your security processes to real business processes
  • Double (and triple) check your accounting processes
  • Document your work and train your users on what you’ve done

Sounds easy, huh? If you have those eight reasonably locked down, you’ve gone a long way.