
Guide for IT security audits from the GAO,
January 7, 2002 

Guide helps auditors assess computer security efforts 

By Joshua Dean

Federal inspectors general and information technology executives have a
new weapon in the fight against computer hackers. 

A new guide from the General Accounting Office and the National State
Auditors Association (NSAA) describes how to create or enhance an
information security auditing program. 

Security professionals have long relied on independent penetration tests
and ethical, or "white hat," hacking to test the effectiveness of an
agency's security measures. But until now, very little has been done to
measure the effectiveness of computer security initiatives. 

"Computer security has ... become much more important as all levels of
government utilize information security measures to avoid data
tampering, fraud, disruptions in critical operations and inappropriate
disclosure of sensitive information," wrote Comptroller General David
Walker and NSAA President Ronald Jones, who is also Alabama's chief
auditor, in the introduction to the guide, "Management Planning Guide
for Systems Security Auditing." 

In order to remain accountable, auditors must be able to evaluate the
effectiveness of information security programs, the guide said. The
guide includes information on how to create a security auditing program,
when to use consultants, and how to identify what security skills
consultants lack. 

"Security is a big problem," said Alan Paller, director of research at
the System Administration, Networking and Security Institute, a
technology research and education group based in Bethesda, Md. According
to Paller, security auditors can make ineffective security even more of
a problem if they are not adequately trained. "The nontechnical auditor
becomes part of the problem," he said. "Technical auditors are key." 

While the guide is aimed at use by auditors, federal agencies can use
its recommendations, too. The guide points out common security program
weaknesses such as ad hoc or poorly defined responsibilities in
technology offices, lack of education and awareness in technical staff,
failure to take full advantage of installed software, inadequate
contingency planning and lack of oversight by senior management.
