Hi,

This is probably a better question suited for the pen-test list (this question has actually already been answered on that list several times, and if you take the time to search the SF archives, which rock, you will find the info), but I will take a stab at it.

I would begin by gathering information and documenting (security & incident response policy, configurations, service packs / patches), including the configurations of all IP-aware devices (switches, routers, firewall & IDS). Once you have a good amount of information gathered, you can begin to assess the state of the network. If they have a security policy, you have something to match the state of the network up against. If not, you MUST write them one. I would then begin port scanning & running Nessus. At that point you should have a good idea of the big holes and what needs to be patched.

Hope that helps,
Leon

-----Original Message-----
From: Kanikkannanl PN-149709 Dept-corp Audit Div Desg-Asst.Manager 1/421037 Ph-43983/45283 [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, September 26, 2001 1:31 PM
To: [EMAIL PROTECTED]
Subject: Query on audit approach while doing information security audit

Hi,

I am in the systems audit division of a steel manufacturing firm. When I do an information security audit in my company, what should be my audit approach?

(1) Should I do it technical component-wise, say OS security, database security, firewall security, authorisation procedures etc., and then audit these components?

OR

(2) Identify data clusters and then see all the technical components relevant to these?

The merit I see in the second approach is that when I give a report on information security to the customer (various departments or data owners), I will tell him/her the confidence that he/she can place on the security of his/her data. Whereas in the first approach I will give a one-dimensional view of the security of data, maybe across the company. But it does not tell how secure the data is. It still does give some information on security, though.

Can you please throw some more light on the pros and cons of these (or possibly other, better) approaches? What do you think?

regards
Kani
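The two approaches Kani contrasts are not mutually exclusive: component-wise findings (approach 1) can be rolled up per data cluster (approach 2) once you know which components each cluster depends on. The script below is an added illustration of that roll-up; it is not code from either poster, and every component name, data cluster and finding in it is constructed sample data. It also flags components a cluster relies on that have no findings recorded at all, so "no finding" is reported as "not assessed" rather than mistaken for "secure".

```python
"""Added example (not from the list post): reporting the same audit findings
component-wise (approach 1) and per data cluster / data owner (approach 2).
All component names, clusters and findings are constructed sample data."""

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample: findings as a component-wise audit would record them.
FINDINGS = [
    {"component": "erp-db",  "severity": "high",     "title": "default DBA password"},
    {"component": "erp-os",  "severity": "medium",   "title": "vendor service pack not applied"},
    {"component": "fw-edge", "severity": "low",      "title": "logs kept on local disk only"},
    {"component": "hr-db",   "severity": "critical", "title": "no access control on payroll table"},
]

# Constructed sample: which technical components each data cluster depends on.
# "scada-hmi" has no findings recorded, i.e. it was never assessed.
DATA_CLUSTERS = {
    "payroll":           ["hr-db", "erp-os", "fw-edge"],
    "production-orders": ["erp-db", "erp-os", "fw-edge"],
    "public-website":    ["fw-edge"],
    "plant-scada":       ["scada-hmi", "fw-edge"],
}


def component_view(findings):
    """Approach 1: worst open finding (as a severity score) per component."""
    worst = {}
    for f in findings:
        score = SEVERITY[f["severity"]]
        if score > worst.get(f["component"], 0):
            worst[f["component"]] = score
    return worst


def data_owner_view(findings, clusters):
    """Approach 2: for each data cluster, the weakest component it relies on.

    The confidence a data owner can place in the data cannot exceed the
    confidence in its weakest component, so the cluster inherits the highest
    severity among its components; components with no findings recorded are
    listed as unassessed instead of being counted as clean.
    """
    worst = component_view(findings)
    report = {}
    for cluster, comps in clusters.items():
        assessed = [c for c in comps if c in worst]
        limiting = max(assessed, key=lambda c: worst[c]) if assessed else None
        report[cluster] = {
            "worst_severity": worst[limiting] if limiting else 0,
            "limiting_component": limiting,
            "unassessed": [c for c in comps if c not in worst],
        }
    return report


if __name__ == "__main__":
    for comp, score in sorted(component_view(FINDINGS).items()):
        print(f"[component] {comp:10s} worst severity {score}")
    for cluster, row in data_owner_view(FINDINGS, DATA_CLUSTERS).items():
        print(f"[data]      {cluster:18s} worst severity {row['worst_severity']} "
              f"via {row['limiting_component']} unassessed={row['unassessed']}")
```

Read the two outputs side by side: the component view tells the firewall administrator what to fix, while the data view tells the payroll owner that their data is only as safe as `hr-db` and tells the plant that `plant-scada` has not really been audited yet. Using the highest severity as the roll-up is a deliberate weakest-link choice; averaging would hide a single critical hole behind several healthy components.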