DocumentCode :
1597663
Title :
Security audit: a case study [information systems]
Author :
Lo, Edward C. ; Marchand, Mike
Author_Institution :
Univ. Coll. of the Fraser Valley, NV, USA
Volume :
1
fYear :
2004
Firstpage :
193
Abstract :
This paper presents the basics of an information systems security audit through a real security audit carried out on a medium-sized organization. The audit was the first security audit done on the company and would serve as a security baseline for future audits. An effective security audit should not be a one-time event but rather an ongoing process. Security is a delicate balance between protection, availability and user acceptance. We started the security audit at the outside of the network and gradually worked our way inward. We performed a vulnerability check on the exposed IP addresses and ports. Each of the vulnerabilities found was carefully assessed to see if it violated the security policies of the organization. The firewalls and various remote access methods of the organization were also evaluated. Using a wireless network sniffer, we found the footprints of the wireless LAN, and some interesting results were obtained. Finally, some sensitive managerial issues and the findings of an information security awareness survey are presented.
Keywords :
auditing; data privacy; information systems; security of data; telecommunication security; wireless LAN; availability; data privacy; exposed IP address vulnerability check; exposed ports; firewalls; information security awareness; information systems security audit; ongoing security process; organization security policies; password audit; protection; remote access methods; user acceptance; wireless LAN footprints; wireless network sniffer; Computer aided software engineering; Computer science; Data privacy; Data security; Information security; Information systems; Law; Management information systems; Protection; Wireless LAN;
fLanguage :
English
Publisher :
IEEE
Conference_Title :
Electrical and Computer Engineering, 2004. Canadian Conference on
ISSN :
0840-7789
Print_ISBN :
0-7803-8253-6
Type :
conf
DOI :
10.1109/CCECE.2004.1344989
Filename :
1344989