Checklists a Day: Week in Review – January 25, 2010

Posted on January 25, 2010 by James Tarala

This week we took a slightly different approach than our normal audit checklist postings. Many times, especially when we take a look at bigger picture issues, like risk assessment, we receive questions on how to make these issues practical. If risk assessment is so important, how do we actually perform a risk assessment?

There are a number of ways to go about this, ranging from simple Excel worksheets to more complicated approaches to assessment. There are even software tools that you can purchase that can help you implement your programs. This week we are focusing on a few of the more popular frameworks for risk assessment that are available. You don’t need to learn all of these, but you should consider picking one such framework and fully utilizing it to help you manage your IT risk.

Here are a few of the frameworks that are available that we think might be helpful to you as you make this topic practical for your organization:

Risk Management Frameworks:

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Week in Review – January 18, 2010

Posted on January 18, 2010 by James Tarala

This week we will be focusing our checklists on guides that will help you to assess your risk management programs. Often times we like to say that risk management drives our audit programs and it drives our information security programs – but how do we know our risk management programs work? I have seen some companies run asset inventories and call that a risk assessment. I’ve seen other companies run vulnerability scans of their systems and call that a risk assessment. What is a risk assessment and how do I know if it meets my business needs. This week’s resources try to answer those questions and a little more.

We’ll post a summary again next week – or follow us live at @jamestarala and @isaudit! This week’s tweets are focused on risk management models for those of you trying to decide which model works best for you. We hope you enjoy them.

Risk Management Checklists & Security Guides

NIST 800-30 on Risk Assessment

Risk Assessment Resources from the University of GA

Truth 2 Power on Assessing Risk Management

Resources from the State of Ohio EPA

Resources from the State of DE

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Week in Review – January 4, 2010

Posted on January 12, 2010 by James Tarala

Now that the New Year has begun, we’re back in the saddle providing audit checklists and resource that we hope will help auditors and information security professionals in general with their daily jobs. There are a lot of really good resources on the web that we can take advantage of, but the trouble is who has the time to find them. It turns out we do. And as we find these resources we hope it will make your lives easier by showing you some of the audit resources that are already out there for you.

This last week our focus for the week was on security metrics and organizations that have provided resources on security metrics. More and more when we’re at conference venues we have students asking us if we have resources on security metrics. Especially students of the 20 Critical Controls have been asking us – who else is providing security metrics? Here are a few for you to consider.

We’ll post a summary again next week – or follow us live at @jamestarala and @isaudit! This week’s tweets are focused on risk management resources and checklists for evaluating risk management programs. We hope you enjoy them.

Security Metric Checklists & Security Guides:

Security Metrics from the 20 Critical Controls

The Center for Internet Security Metrics Guide (Old Link Removed)

ISECOM RAVs (Old Link Removed)

NIST 800-55

NIST IR-7502 (Old Link Removed)

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Week in Review – October 5, 2009

Posted on October 5, 2009 by James Tarala

So as promised this last week we focused on the Software Development Lifecycle (SDLC) and how to audit an SDLC in an organization. As usual we also wanted to make sure that we gave everyone some fun technical tools to play with, so to keep with the theme we tweeted on tools that you could use to perform automated fuzzing tests on applications. There are a number of other tools we could have also addressed, and we could go on for a few weeks giving you tools , but hopefully you’ll have a good starter list of tools to use now.

This week’s tweets have been a little more random on the checklists we’ve chosen, but the tools will all be consistent. We’re going to focus the tools this week on free tools that Microsoft has embedded in the operating system to give auditors a hand with how to perform assessments against user accounts in an Active Directory environment. I hope you enjoy them!

We’ll post again next week – or follow us live at @jamestarala and @isaudit!

SDLC Audit Checklists & Security Guides:

SDLC Checklist from Baylor University

SDLC Checklist from ISACA

SDLC Resources from Microsoft

White Box Fuzzing Checklist

Checklist for Auditing IT Contracts

Fuzzing Tools for Auditing Applications:

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Week in Review – September 28, 2009

Posted on September 28, 2009 by James Tarala

So this week we’re back from Tweet-cation, and back to posting audit checklists and tools for everyone to enjoy. Last week I was teaching in San Diego for SANS Network Security and now I’m back and back on the bandwagon. We know everyone’s busy and it’s easy to miss some of these references, so here you go in blog format – which can now be indexed FOREVER by the Google Gods.

This last week’s topic was web application assessment, and we’ll continue the trend via Twitter this week with audit checklists for evaluating an SDLC and tools for fuzzing applications to boot! Not following me on Twitter yet? The handles are @isaudit and @jamestarala.

Web Application Audit Checklists & Security Guides:

OWASP Web Application Checklist

Web Application Basic & Advanced Checklists

Microsoft – Web App Architecture

Basic SANS Institute Checklist

Tools for Auditing Web Applications:

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Week in Review – September 7, 2009

Posted on September 8, 2009 by James Tarala

Each week via Twitter we post a daily audit checklist tweet for all the IS auditors and security administrators out there in the tweet-o-sphere. But, we realize not everyone is ready for Twitter, and many of you are still resisting (you can keep trying, but eventually you will give in and start tweeting, everyone will eventually…), so we’ve decided to start posting them in our blog as well. So once each week we’ll post the audit checklists and audit tools that we posted into Twitter here in our blog as well. This way everyone will have a chance to enjoy all the audit fun!

This week’s focuses are on auditing segregation of duties controls and tools that you can use for auditing file system access controls. As usual we try to offer a mix of commercial plus free tools for you to try out and we hope you enjoy them. On the checklist side we’ve also included a few matrixes that you can use to evaluate position descriptions within your organization as well. Hopefully you can include these in your audit plans, regardless of the technical systems you’re evaluating.

Segregation of Duties Audit Checklists & Security Guides:

Segregation of Duties #1

Segregation of Duties #2

Segregation of Duties #3

Segregation of Duties #4

Segregation of Duties #5 (Old Link Removed)

Tools for Auditing File Access Controls:

Access Auditor

Quest Active Roles

Microsoft Xcalcs

Sysinternals AccessEnum

File Server Change Reporter

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Week in Review – August 31, 2009

Posted on August 31, 2009 by James Tarala

This last week we focused on a series of operational security audit checklists and guides that didn’t follow one particular theme – they were checklists we found that we thought would generally be helpful to everyone. We also decided to give everyone a list of some of the more popular vulnerability assessment engines out there – both commercial and open source. If you’re not using one already, pick one free and one commercial tool – compare the results!

Please feel free to keep the requests coming. We’ll try to oblige as often as we can with new checklists based on your feedback.

Audit Checklists & Security Guides:

Security Update Process

Policy Inventory Checklist

Anti-Virus (Old Link Removed)

Handheld Devices

Data Center Physical Security

Tools for Vulnerability Management:

Tenable Security

eEye Digital Security

Qualys

OpenVAS

Rapid7

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Week in Review – August 24, 2009

Posted on August 24, 2009 by James Tarala

This last week we focused back to process controls and operational assurance. We listed checklists to help auditors evaluate an organization’s stance on privacy based issues. We also listed out tools that exist to help an organization to better manage their audit program. Many of this past week’s tools were commercial, but sometimes those can be the best tool for the job.

This upcoming week will focus on additional operational controls, and we’ll through in some choices for vulnerability assessment along the way.

Privacy Audit Checklists & Security Guides:

Privacy Checklist #4

Tools for Audit Program Management:

Archer Technologies

TeamMate

MetricStream

Paisley Enterprise GRC

Pentana Audit Work System (Old Link Removed)

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Week in Review – August 17, 2009

Posted on August 17, 2009 by James Tarala

We kept the technology focus last week and decided to post links to checklists and security guides that we thought would help people with their audits of Microsoft Windows systems. This may or may not be related to my migration to Windows 7 this week personally. What can I say though, I just can’t help myself sometimes. So enjoy your Windows audits. This coming week we’ll go back to some process controls. Enjoy the privacy checklists this week…

Microsoft Windows Audit Checklists & Security Guides:

General Windows Security

Microsoft Windows Vista

Microsoft Windows Server 2008

Microsoft Windows Server 2003

DISA Checklists for Windows

Microsoft Windows XP

Microsoft Windows Audit Tools:

Microsoft Baseline Security Analyzer

WinAudit

WinFingerprint (Link no longer available)

BelSecure

DISA Gold Disks (Old Link Removed)

Quest Reporter

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.

Checklists a Day: Week in Review – August 10, 2009

Posted on August 10, 2009 by James Tarala

So once each week we’ll post the audit checklists and audit tools that we posted into Twitter here in our blog as well. This way everyone will have a chance to enjoy all the audit fun!

So, from all the folks at Enclave Security, enjoy this week’s audit checklists and tools. This week we focused on firewall auditing. So all the checklists and tools are firewall focused this week.

Firewall Audit Checklists & Security Guides:

From University of North Carolina (UNC Cause)

From NIST

From Lance Spitzner

From the Center for Internet Security (Old Link Removed)

From the SANS Institute

Firewall Audit Tools:

Nmap v.5.0

Athena FirePac

Skybox Firewall Auditor

ManageEngine Device Expert

Hping

We hope everyone will enjoy and use these tools this week. If you have suggestions or ideas for future audit checklists or tools, please let us know, we’d love to hear your feedback.