Page 1256 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
security for the environment. The test process ensures that personnel
are following the requirements dictated by the security policy or other
regulations, and that no significant holes or weaknesses exist in
deployed security solutions.
Auditors are responsible for testing and verifying that processes and
procedures are in place to implement security policies or regulations,
and that they are adequate to meet the organization’s security
requirements. They also verify that personnel are following these
processes and procedures. In other words, auditors perform the
auditing.
Auditing and Auditing
The term auditing has two distinct meanings within the context of IT
security, so it's important to recognize the differences.
First, auditing refers to the use of audit logs and monitoring tools
to track activity. For example, audit logs can record when any user
accesses a file and document exactly what the user did with the file
and when.
Second, auditing also refers to an inspection or evaluation.
Specifically, an audit is an inspection or evaluation of a specific
process or result to determine whether an organization is following
specific rules or guidelines.
These rules may be from the organization’s security policy or a
result of external laws and regulations. For example, a security
policy may dictate that inactive accounts should be disabled as
soon as possible after an employee is terminated. An audit can
check for inactive accounts and even verify the exact time accounts
were disabled and match this to the time of a terminated
employee’s exit interview. Inspection audits can be done internally
or by an external auditor, and they will often use the logs created
from auditing and monitoring as part of the evaluation process.
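The terminated-account check described above, worked through as an added example (this code is not from the study guide). It reconciles a constructed account-management audit log (the first meaning of auditing: logs that record who did what and when) against a constructed list of exit-interview times (the second meaning: inspecting a process against a rule). The log format, field names, the 24-hour disable window and all user names are assumptions made for the example.

```python
"""Audit check: were terminated employees' accounts disabled on time?

Added example, not from the study guide. Log format, field names, the
24-hour policy window and the sample data are all constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample: account-management audit log, one event per line.
AUDIT_LOG = """\
2024-03-04T09:12:00Z event=account_disabled user=jsmith actor=admin1
2024-03-04T10:45:00Z event=file_access user=rlee file=/finance/q1.xlsx action=read
2024-03-06T09:00:00Z event=file_access user=rlee file=/finance/q1.xlsx action=read
2024-03-06T18:30:00Z event=account_disabled user=rlee actor=admin2
2024-03-07T08:00:00Z event=file_access user=mchen file=/hr/payroll.csv action=write
"""

# Constructed sample: exit-interview times recorded by HR.
TERMINATIONS = {
    "jsmith": "2024-03-04T08:30:00Z",
    "rlee": "2024-03-05T17:00:00Z",
    "mchen": "2024-03-06T12:00:00Z",
}

# Assumed policy: an account must be disabled within 24 hours of the exit interview.
POLICY_WINDOW = timedelta(hours=24)


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(text):
    """Turn each log line into a dict: 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = {"ts": parse_ts(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def disable_times(events):
    """Map each user to the earliest account_disabled event seen for them."""
    out = {}
    for ev in events:
        if ev.get("event") == "account_disabled":
            user = ev["user"]
            if user not in out or ev["ts"] < out[user]:
                out[user] = ev["ts"]
    return out


def audit_terminations(log_text, terminations, window=POLICY_WINDOW):
    """Return {user: finding} for every terminated employee.

    finding is 'ok' (disabled inside the window), 'late' (disabled after
    the window) or 'never_disabled' (no disable event in the log at all).
    """
    disabled = disable_times(parse_log(log_text))
    findings = {}
    for user, exit_ts in terminations.items():
        exit_time = parse_ts(exit_ts)
        if user not in disabled:
            findings[user] = "never_disabled"
        elif disabled[user] - exit_time > window:
            findings[user] = "late"
        else:
            findings[user] = "ok"
    return findings


def activity_after_exit(log_text, terminations):
    """Users whose file_access events fall after their exit interview."""
    flagged = set()
    for ev in parse_log(log_text):
        user = ev.get("user")
        if user in terminations and ev.get("event") == "file_access":
            if ev["ts"] > parse_ts(terminations[user]):
                flagged.add(user)
    return sorted(flagged)


if __name__ == "__main__":
    for user, finding in audit_terminations(AUDIT_LOG, TERMINATIONS).items():
        print(f"{user}: {finding}")
    print("activity after exit:", activity_after_exit(AUDIT_LOG, TERMINATIONS))
```

The two checks deliberately come from two independent sources (HR's exit times and the system's own audit log), which is what gives an inspection audit its value: a policy that says "disable promptly" is only verifiable when the log records the disable event and the HR record fixes the clock it is measured against. The second function catches the case a pure timing check misses, an account that was disabled late and was actually used in the gap.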