Security Slideshow: 10 Things the Security Auditor Saw

By Bob Violino  |  Posted 02-09-2009

1. Excessive access rights. Almost one-third of respondents cited this finding, making it the top response. Individuals should have rights only to the information needed to perform their jobs, and those rights should be revoked when they are no longer needed.

2. Segregation of duties. Users shouldn't hold responsibilities or functions that conflict with one another. Without segregation of duties, a single person might be able to circumvent controls.

3. Access control compliance with procedures. Access control, applied according to documented procedures, ensures that users can reach only the systems and information they need to do their jobs properly.

4. Lack of audit trails/logging. With regulatory compliance a key part of risk management, organizations need to have the proper audit trails and logging procedures in place.

5. Lack of documentation of controls. Compliance means having documentation showing that the proper controls are in place.

6. Excessive developers' access to production systems and data. Make sure application developers have only the access to production systems and data that is appropriate for their role, and assess the risk if they have too much.

7. Lack of review of audit trails. Audit trails must be reviewed on a regular basis, and updated as needed.

8. Lack of clean-up of access rules following a transfer or termination. Access rules need to be revoked or changed when someone leaves the organization or is transferred. Failure to do this can result in damaging security breaches.
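As an added illustration that is not part of the slideshow, the following Python routine shows what an entitlement review for findings 1, 2, 6 and 8 looks like when automated: each account is compared against what its role needs, checked for conflicting rights, and flagged if it is no longer active. The role model, conflict rules and user accounts are constructed assumptions, not data from any real organization.

```python
"""Entitlement review for three findings above: excessive rights, SoD conflicts
and access left behind after a transfer or termination (all data constructed)."""
from dataclasses import dataclass, field

# Constructed least-privilege model: the rights each job actually needs.
ROLE_ENTITLEMENTS = {
    "ap_clerk": {"invoice.create", "vendor.view"},
    "ap_approver": {"invoice.approve", "vendor.view"},
    "developer": {"repo.write", "ci.run"},
}
# Constructed SoD rules: no single person may hold both rights of a pair.
SOD_CONFLICTS = [
    ("invoice.create", "invoice.approve"),  # raise and approve own invoice
    ("invoice.approve", "payment.release"),  # approve and pay
    ("repo.write", "prod.db.write"),  # developer writing production data
]

@dataclass
class User:
    name: str
    role: str
    status: str  # "active" or "terminated"
    entitlements: set = field(default_factory=set)

def review_user(u):
    """Return (finding, detail) pairs for one account; empty list means clean."""
    if u.status != "active" and u.entitlements:
        # Finding 8: rights survived the leaver process; revoke them all.
        return [("stale_access", sorted(u.entitlements))]
    findings = []
    excess = u.entitlements - ROLE_ENTITLEMENTS.get(u.role, set())
    if excess:
        # Findings 1 and 6: more than the current job needs, which is also
        # what an incomplete transfer leaves behind.
        findings.append(("excessive_access", sorted(excess)))
    for a, b in SOD_CONFLICTS:
        if a in u.entitlements and b in u.entitlements:
            findings.append(("sod_conflict", (a, b)))  # Finding 2
    return findings

def review(users):
    """Map each account that has findings to its list of findings."""
    return {u.name: f for u in users if (f := review_user(u))}

SAMPLE_USERS = [  # constructed accounts, one scenario each
    User("alice", "ap_clerk", "active", {"invoice.create", "vendor.view"}),
    User("bob", "ap_approver", "active", {"invoice.approve", "invoice.create"}),
    User("carol", "developer", "terminated", {"repo.write", "ci.run"}),
    User("dave", "developer", "active", {"repo.write", "ci.run", "prod.db.write"}),
    User("erin", "developer", "active", {"invoice.approve", "repo.write"}),
]
```

Running `review(SAMPLE_USERS)` reports bob, carol, dave and erin and leaves alice out; in a real review the role model would come from the HR system and the entitlements from the directory or application exports.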

9. Use of production data in testing. Testing of systems and applications shouldn't involve production data, as this could introduce security risks.

10. Disaster recovery plan/business continuity plan testing. Have disaster recovery and business continuity plans been tested adequately? Organizations can't afford to risk extensive systems downtime and lost business.