Rajesh, I understand you are looking for various technical aspects to be considered during the audit of your corporation. The first thing to understand is: if you are auditing in terms of IT security, baseline the appropriate international standards, as you said ISO/IEC 27001:2005 or any other...
You shall first prepare the statement of applicability (SOA) and find / list out all the applicable controls with respect to all the domains involved in the company (say: telecom, finance, banking, healthcare, etc.), but not based on the type of company (KPO, BPO, ITES, etc.). Categorize all these into Administrative, Operational and Technical controls...

Now, during auditing you shall have a lot of questionnaires and reviews based on discussions with the auditee for Administrative and Operational controls... But Technical controls are one part which you shall test for effectiveness with some kind of technical skills. Most auditors do not have this skill set and more often fail to do their work correctly, or cannot manage the audit program due to hurdles from management in discussing these... Good that you have brought up this question.

The regular technical controls involve studying / testing the effectiveness of user access to Environment / System / Data. Each of these (environment, system or data) can again be subject to additional controls with respect to law, legal regulations or corporate policy. Further, I would like to tell you that all the control areas you were referring to (vulnerability assessment, patch management, or any process) can usually be associated with Environment (audit area). Similarly, application security / code review / penetration testing is associated with System (audit area), and data privacy / data security with Data (audit area).

One opinion based on my experience I would like to share with you is: it will be a myth if you assume that you are secure because you are following international standards. You shall in fact take baseline controls from these international standards and establish your own custom policies and procedures.
The SOA and the respective standard operating procedures (SOPs) should be prepared covering all types of controls (say: security, finance, healthcare, legal regulations, country laws, etc.). Let me try and come up with the various regular technical controls or a checklist you shall follow and check during the audit... Meanwhile, others who have any inputs can continue this discussion...

Regards
Sandeep Thakur

On Jun 29, 2:04 am, rajesh kumar <[email protected]> wrote:
> Hi Team,
>
> I am new to this group; it's very nice to see discussions on
> different aspects.
>
> Can any one of you let me know what type of technical aspects are to be
> considered at the time of auditing in different industries like software,
> BPO, KPO, etc.
>
> In my view some examples are like.... Vulnerability assessment,
> Patch Management, Access privileges, Group Management........... so many as
> per the standard ISO 27001:2005.
>
> Thanks & Regards,
> Rajesh.
