6 Benefits of a Cybersecurity Audit (and 6 Steps to Perform One)

Author: Osman Azab, CISA, CISM, CRISC, CGEIT, CSAC
Date Published: 16 January 2024

In the 1980s, the US Air Force coined the term "cybersecurity" to describe the protection of computer networks. In 1985, the Air Force published a paper on the subject, the first use of the term in a public forum.1

In the 1990s, as the Internet became widespread, the US government established the National Institute of Standards and Technology (NIST) to develop cybersecurity standards. In 1997, NIST published the first version of its Special Publication (SP) 800-53 on security controls for information systems.2

Because cyberattacks have become more frequent and sophisticated in recent years, the term cybersecurity is now used to describe the protection of every aspect of computer systems and networks, including hardware, software, data and people.

As more of daily life moves online, personal and financial information is increasingly likely to become the target of cyberattacks. Cybersecurity is therefore becoming a critical concern for enterprises, governments and individuals, who must take steps to protect their systems and networks and reduce the risk of cyberattack. The first step is to conduct a cybersecurity audit.

A cybersecurity audit enables organizations of all sizes to identify and mitigate cybersecurity risk. It is a systematic examination of an organization's information security controls to determine whether they effectively protect sensitive data and systems.

Auditing cybersecurity is vital for organizations to achieve 6 business objectives:

  1. Identify and mitigate risk—A cybersecurity audit can be used to help an organization identify security vulnerabilities and risk. This includes identifying the assets that need to be protected, the threats that could put those assets at risk and the vulnerabilities that could be exploited by attackers. By identifying and addressing such risk, an organization can reduce its likelihood of being attacked.
  2. Protect sensitive information—An organization can use a cybersecurity audit to achieve the objective of protecting sensitive information. This includes ensuring that sensitive data are encrypted, that access to sensitive data is restricted to authorized personnel, and that security procedures are in place to protect sensitive data from unauthorized access, use, disclosure, disruption, modification or destruction.
  3. Comply with regulations—When cybersecurity audits are conducted regularly, enterprises have greater confidence that they are not in breach of any security regulation. Cybersecurity audits help ensure that an organization complies with industry-specific regulations such as the Payment Card Industry Data Security Standard (PCI DSS) or the US Health Insurance Portability and Accountability Act (HIPAA). By complying with these regulations, organizations can reduce their risk of being penalized by regulators.
  4. Improve security posture—A cybersecurity audit can help an organization determine how to improve its security posture. Audits can aid in identifying gaps in security controls, outdated security policies or a lack of employee training. By making improvements to their security postures, organizations can reduce their risk of cyberattacks.
  5. Earn customer trust—Customers are growing increasingly concerned about the security of their personal data. A cybersecurity audit can therefore help an organization earn the trust of its customers. By conducting regular cybersecurity audits, organizations can demonstrate to their customers that security is taken seriously.
  6. Maintain business continuity—A cybersecurity audit ensures that an organization's critical systems and data are protected, reducing the risk of disruption to business operations due to cyber incidents.

To help organizations protect their digital assets from cyberattacks, a cybersecurity audit must take into account how information assets are classified. The importance of information assets varies with their classification: assets of high importance require more stringent controls, and further assurance of the effectiveness and efficiency of those controls.

Understanding and Performing a Cybersecurity Audit

A cybersecurity audit is a systematic examination of an organization's IT infrastructure, designed to identify and, ultimately, reduce security risk. The scope of a cybersecurity audit can vary with the size and complexity of the organization. However, all cybersecurity audits typically cover the following areas:

  • Information security policies and procedures—The auditor must review the organization's information security policies and procedures to ensure that they are up to date, comprehensive and effectively implemented.
  • Physical security—The auditor should assess the organization's physical security controls, such as access control, perimeter security and video surveillance.
  • Network security—The organization's network security controls must also be assessed. These may include firewalls, intrusion detection systems (IDS) and vulnerability scanning.
  • Application security—Application security controls such as input validation, output encoding, session management, and identity and access management (IAM) should be included in the audit.
  • User security—The auditor must assess the organization's user security controls (e.g., password management, training, awareness).

In addition, the auditor may also review the organization's incident response plan, disaster recovery plan and business continuity plan.

Steps to Performing a Cybersecurity Audit

A cybersecurity audit typically includes 6 steps:

  1. Plan and scope the audit. The auditor should have a clear understanding of the organization's IT environment, objectives and risk before conducting the audit. It is also important for the auditor to understand cybersecurity frameworks and best practices.
  2. Gather information, observations and data. This can be done using:
    • Risk assessment—To assess the organization's IT infrastructure and identify potential security risk. This includes identifying the assets that need to be protected, the threats that could put those assets at risk and the vulnerabilities that could be exploited by attackers.
    • Vulnerability scanning tools—Can be used to identify any security vulnerabilities in the organization's IT infrastructure. This includes vulnerabilities in operating systems, applications and network infrastructure.
    • Penetration testing—Can be conducted to simulate a real-world attack on the organization's IT infrastructure. This helps identify any security vulnerabilities that could be exploited by attackers.
  3. Evaluate the effectiveness of the organization's cybersecurity controls. Controls to be evaluated may include access, encryption and incident response controls.
  4. Review the collected data to identify any potential security vulnerabilities or risk. The auditor should also assess the effectiveness of the organization's security controls in mitigating those vulnerabilities and risk factors.
  5. Document the findings of the audit in a report and make recommendations for improvement. The report should be clear, concise and easy to understand, and should include recommendations that the organization can implement to improve its security posture.
  6. Follow up on the audit findings to ensure that the organization implements the recommended improvements. The auditor should track the organization's progress in improving its security posture and recommend further improvements as needed.
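The following is an added example, not code from the original article or from ISACA: a small Python script that walks steps 2 through 5 above for three constructed information assets. The evidence fields (encryption at rest, MFA for administrators, password length, vulnerability-scan age, unpatched critical vulnerabilities, incident response exercised), the asset names and the thresholds are all assumptions made for this example. Its one design point is the one the article makes about classification: the control expectations, and the severity assigned to a gap, scale with how important the asset is.

```python
from dataclasses import dataclass

# Constructed evidence for three information assets, of the kind an auditor gathers in
# step 2 (policy review, configuration review, scanner and test output). The asset names
# and field names are assumptions made for this example.
ASSETS = [
    {"name": "customer-db", "classification": "high",
     "encryption_at_rest": True, "mfa_for_admins": False, "min_password_length": 8,
     "last_vuln_scan_days": 45, "unpatched_critical_cves": 2, "incident_response_tested": False},
    {"name": "intranet-wiki", "classification": "medium",
     "encryption_at_rest": False, "mfa_for_admins": True, "min_password_length": 12,
     "last_vuln_scan_days": 20, "unpatched_critical_cves": 0, "incident_response_tested": True},
    {"name": "public-brochure-site", "classification": "low",
     "encryption_at_rest": False, "mfa_for_admins": True, "min_password_length": 10,
     "last_vuln_scan_days": 200, "unpatched_critical_cves": 0, "incident_response_tested": True},
]

# Control expectations scale with the asset's classification: high-importance assets get
# stricter thresholds. These thresholds are illustrative, not values from any standard.
REQUIRE_ENCRYPTION = {"high": True, "medium": True, "low": False}
REQUIRE_MFA = {"high": True, "medium": True, "low": False}
MIN_PASSWORD_LENGTH = {"high": 14, "medium": 12, "low": 8}
MAX_SCAN_AGE_DAYS = {"high": 30, "medium": 90, "low": 180}

SEVERITY_LEVELS = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Finding:
    asset: str
    control: str
    severity: str
    recommendation: str


def rate(base, classification):
    """Shift a base severity one step up for high-classification assets, one step down for low."""
    i = SEVERITY_LEVELS.index(base)
    if classification == "high":
        i = min(i + 1, len(SEVERITY_LEVELS) - 1)
    elif classification == "low":
        i = max(i - 1, 0)
    return SEVERITY_LEVELS[i]


def evaluate_asset(asset):
    """Steps 3 and 4: compare the collected evidence against the controls expected for this asset."""
    name, c = asset["name"], asset["classification"]
    findings = []
    if REQUIRE_ENCRYPTION[c] and not asset["encryption_at_rest"]:
        findings.append(Finding(name, "encryption", rate("high", c),
                                "Enable encryption at rest for this asset's data."))
    if REQUIRE_MFA[c] and not asset["mfa_for_admins"]:
        findings.append(Finding(name, "access", rate("high", c),
                                "Require multi-factor authentication for administrative accounts."))
    if asset["min_password_length"] < MIN_PASSWORD_LENGTH[c]:
        findings.append(Finding(name, "password-policy", rate("medium", c),
                                f"Raise the minimum password length to {MIN_PASSWORD_LENGTH[c]}."))
    if asset["last_vuln_scan_days"] > MAX_SCAN_AGE_DAYS[c]:
        findings.append(Finding(name, "vulnerability-scanning", rate("medium", c),
                                f"Scan this asset at least every {MAX_SCAN_AGE_DAYS[c]} days."))
    if asset["unpatched_critical_cves"] > 0:
        findings.append(Finding(name, "patching", rate("high", c),
                                f"Remediate {asset['unpatched_critical_cves']} unpatched critical vulnerabilities."))
    if not asset["incident_response_tested"]:
        findings.append(Finding(name, "incident-response", rate("low", c),
                                "Exercise the incident response plan for this asset."))
    return findings


def audit(assets):
    """Step 5: collect findings across all assets, most severe first, with a summary count."""
    findings = [f for a in assets for f in evaluate_asset(a)]
    findings.sort(key=lambda f: (-SEVERITY_LEVELS.index(f.severity), f.asset))
    summary = {level: 0 for level in reversed(SEVERITY_LEVELS)}
    for f in findings:
        summary[f.severity] += 1
    return {"findings": findings, "summary": summary}


def render_report(report):
    """Plain-text audit report: a summary line followed by one line per finding."""
    lines = ["Summary: " + ", ".join(f"{n} {lvl}" for lvl, n in report["summary"].items())]
    for f in report["findings"]:
        lines.append(f"[{f.severity.upper():8}] {f.asset}: {f.control} -> {f.recommendation}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(audit(ASSETS)))
```

Run as a script, it prints the report for the constructed assets. Note how the same gap is rated differently by classification: an overdue vulnerability scan is a high finding on the high-classification database but only a low finding on the public brochure site, and encryption at rest is not even required of the low-classification asset. Step 6, follow-up, is a matter of re-running the evaluation against fresh evidence after the recommendations are implemented and confirming the findings list shrinks.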

The results of a cybersecurity audit are typically documented in an audit report. The audit report identifies any security risk factors found during the audit and can be used to make recommendations on how to mitigate those sources of risk.

Conclusion

Regular cybersecurity audits are essential to ensure that an organization's security controls are up to date, that vulnerabilities are identified and addressed, and that data are properly protected. Cybersecurity audits are performed by planning and scoping the audit; gathering information, observations and data; evaluating the effectiveness of the organization's cybersecurity controls; reviewing data to identify potential security vulnerabilities or risk; documenting findings; and making recommendations for improvement. By investing in regular cybersecurity audits, organizations can reduce their risk of cyberattacks and data breaches, improve their security posture, and increase customer confidence and trust.

Endnotes

1 Snyder, D.; J. D. Powers; E. Bodine-Baron; B. Fox; L. Kendrick; M. H. Powell; Improving the Cybersecurity of U.S. Air Force Military Systems Throughout Their Life Cycles, RAND, 2015
2 National Institute of Standards and Technology, NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations, USA, 2020

Osman Azab, CISA, CISM, CRISC, CGEIT, CSAC

Is an information systems audit, security, control, risk and governance expert with more than 38 years of experience. He is recognized as an audit, assurance and governance topic leader on the ISACA® Engage platform and has participated in several ISACA review manual and job practice reviews.