Page 1257 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Inspection Audits
Secure IT environments rely heavily on auditing as a detective security
control to discover and correct vulnerabilities. Two important audits
within the context of access control are access review audits and user
entitlement audits.
It’s important to clearly define, and adhere to, the frequency of audit
reviews. Organizations typically set the frequency of a security audit
or security review based on risk: personnel evaluate the vulnerabilities
and threats against the organization’s valuable assets to determine the
overall level of risk, which in turn justifies the expense of an audit
and determines how often one should be performed.
Audits cost time and money, and the frequency of an audit is
based on the associated risk. For example, potential misuse or
compromise of privileged accounts represents a much greater risk
than misuse or compromise of regular user accounts. With this in
mind, security personnel would perform user entitlement audits
for privileged accounts much more often than user entitlement
audits of regular user accounts.
As with many other aspects of deploying and maintaining security,
security audits are often viewed as key elements of due care. If senior
management fails to enforce compliance with regular security reviews,
then stakeholders can hold them accountable and liable for any asset
losses that occur because of security breaches or policy violations.
Failing to perform audits creates the perception that management is
not exercising due care.
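The risk-based scheduling described above, as an added example that is not from the study guide: privileged accounts get a much shorter review interval than regular accounts, and a least-privilege baseline per role is used to spot excessive entitlements. The intervals, roles, baseline and account inventory are all assumed, constructed values.

```python
from datetime import date, timedelta

# Assumed risk-tiered review intervals in days (the study guide gives no
# numbers): privileged accounts are reviewed far more often than regular
# ones because their misuse or compromise carries much greater risk.
REVIEW_INTERVAL_DAYS = {"privileged": 30, "regular": 180}

# Assumed least-privilege baseline: the entitlements each role should hold.
ROLE_BASELINE = {"dba": {"db_admin", "vpn"}, "analyst": {"vpn", "wiki"}}

# Constructed sample inventory, shaped like a flattened IAM export.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "tier": "privileged", "role": "dba",
     "entitlements": {"db_admin", "vpn", "domain_admin"}, "last_review": date(2024, 1, 10)},
    {"user": "bob", "tier": "regular", "role": "analyst",
     "entitlements": {"vpn", "wiki"}, "last_review": date(2024, 1, 10)},
    {"user": "carol", "tier": "privileged", "role": "dba",
     "entitlements": {"db_admin"}, "last_review": date(2024, 3, 1)},
    {"user": "dave", "tier": "regular", "role": "analyst",
     "entitlements": {"vpn", "wiki", "db_admin"}, "last_review": None},
]
AS_OF = date(2024, 3, 15)  # constructed "today" so the run is repeatable


def overdue_reviews(accounts, today, intervals=REVIEW_INTERVAL_DAYS):
    """(user, tier, days_overdue) for accounts past their review interval.
    Never-reviewed accounts count as overdue; privileged accounts come first."""
    findings = []
    for acct in accounts:
        interval = timedelta(days=intervals[acct["tier"]])
        last = acct["last_review"]
        if last is None:
            findings.append((acct["user"], acct["tier"], None))
        elif today - last > interval:
            findings.append((acct["user"], acct["tier"], (today - last - interval).days))
    # Privileged first, then most overdue; "never reviewed" sorts as most overdue.
    findings.sort(key=lambda f: (f[1] != "privileged", -(f[2] if f[2] is not None else 10**9)))
    return findings


def excess_entitlements(accounts, baseline=ROLE_BASELINE):
    """Map each user to entitlements beyond their role's baseline (empty list = clean)."""
    return {a["user"]: sorted(a["entitlements"] - baseline[a["role"]]) for a in accounts}


if __name__ == "__main__":
    for user, tier, days in overdue_reviews(SAMPLE_ACCOUNTS, AS_OF):
        print(f"OVERDUE {tier:<10} {user:<6} days_overdue={days}")
    for user, extra in excess_entitlements(SAMPLE_ACCOUNTS).items():
        if extra:
            print(f"EXCESS  {user:<6} {extra}")
```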
Access Review Audits
Many organizations perform periodic access reviews and audits to
ensure that object access and account management practices support
the security policy. These audits verify that users do not have excessive
privileges and that accounts are managed appropriately. They ensure
that secure processes and procedures are in place, that personnel are