Audit Framework
From: JSZ (jszbug_at_gmail.com)
Date: 10/08/05
- Previous message: absolutezero273c_at_myrealbox.com: "hipaa guidance"
- Next in thread: cta_at_hcsin.net: "Re: Audit Framework"
- Reply: cta_at_hcsin.net: "Re: Audit Framework"
Date: Sat, 08 Oct 2005 10:57:18 -0400
To: security-basics@lists.securityfocus.com
Hello all-
My company has recently asked me to perform a high-level security audit
of a potential ASP partner. If we were to outsource to this provider
they would be responsible for a large amount of proprietary customer and
associated data.
I was wondering if anyone has pointers to an audit methodology and
associated risk rankings on which I can base my audit.
The following is a list of items that I plan to cover during the audit:
- Network Access Control
- OWASP top 10 and associated development practices
- Firewall / IDS configuration
- Source code mgmt
- Change management
- General policies and procedures
- Employee Term Process
- Remote access process
- Password management
- Security training
- Proper use of encryption
- Wireless use (WEP/WPA etc.)
- Scanning for rogue APs
- Patch mgmt
- Log correlation
- Server config / lockdown
- Desktop policy
Any help is appreciated…
JSZ