Page 1: The Process of Auditing Information Systems
Page 3: Management Questions
Page 4: Reasons for Audits
Page 8: Testing, Examination and Interviewing
Page 9: Multiple Levels of Assessment
Page 13: Assessment Lifecycle
Page 14: Common Types of Assessments
Page 15: Determine Your Scope
Page 20: Assessment Life Cycle
Page 24: Certification Process (NIST SP 800-37)
Page 25: Security Control Assessment Tasks
Page 26: Security Documentation Tasks
Page 27: Assessment Tasks (NIST SP 800-37 Rev 1)
Page 28: Assessment Tasks (NIST SP 800-37 Rev 1)
Page 29: Assessor/Auditor Selection
Page 31: Assessor Competence
Page 32: Legal Considerations
Page 33: Developing the Test Plan
Page 34: Assessment Methodology
Page 35: Auditors/Assessors
Page 37: Key Definitions (cont.)
Page 38: How Much Testing?
Page 41: Typical Sampling and Evaluation Criteria
Page 42: Assessment Methods
Page 43: Assessment Objectives and Guidance
Page 44: NIST SP 800-53A Rev 1 Example
Page 45: Identify and Select Automated Tools
Page 47: Live CD Distributions for Security Testing
Page 48: Review Techniques
Page 49: Target Identification and Analysis Techniques
Page 50: Target Vulnerability Validation Techniques
Page 51: Checklists / MSAT
Page 55: Incremental Testing
Page 56: Verification Testing
Page 57: Application Testing
Page 58: Database Auditing
Page 59: Intrusion Detection/Prevention
Page 63: Business Continuity
Page 64: Vulnerability Scanning
Page 66: Vulnerability Reports
Page 67: External and Internal
Page 68: Vulnerability Scanners
Page 69: Red, White and Blue Teams
Page 70: Red and Blue Teams
Page 71: Penetration Testing
Page 72: Penetration Test Phases
Page 74: Penetration Assessment Reports
Page 75: Vulnerability Information
Page 76: Physical Assessments
Page 77: The Role of the Host
Page 79: Post-Testing Activities
Page 80: Documenting the Results
Page 82: Included in the SAR
Page 83: Audit / Assessment Documentation
Page 85: Concurrent Remediation
Page 86: Disagreements with Findings
Page 87: Organizations That Can Help