Page 1261 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
administrator account only 10 percent of the time to perform
administrative actions, this reduces the potential risk of an infection
occurring at the same time the administrator is logged on with an
administrator account.

Auditing can verify that administrators are using the privileged
account appropriately. For example, an organization may estimate
that administrators will need to use a privileged account only about 10
percent of the time during a typical day and should use their regular
account the rest of the time. An analysis of logs can show whether this
is an accurate estimate and whether administrators are following the
rule. If an administrator is constantly using the administrator account
and rarely using the regular user account, an audit can flag this as an
obvious policy violation.
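
An added example (not from the study guide) of the log analysis described above: it computes, per administrator, the share of logged-on time spent in the privileged account and flags anyone above the 10 percent estimate. The log format, the `-adm` account suffix, and every name and timestamp in it are constructed assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample log (not from the book): timestamp, account, event.
# Assumption: privileged accounts are named "<user>-adm" (hypothetical convention).
PRIV_SUFFIX = "-adm"
SAMPLE_LOG = """\
2024-03-04T08:00:00,alice,logon
2024-03-04T10:00:00,alice-adm,logon
2024-03-04T10:45:00,alice-adm,logoff
2024-03-04T17:00:00,alice,logoff
2024-03-04T08:30:00,bob-adm,logon
2024-03-04T09:00:00,bob,logon
2024-03-04T10:00:00,bob,logoff
2024-03-04T16:30:00,bob-adm,logoff
2024-03-04T09:00:00,carol-adm,logon
"""

def privileged_share(log_text, window_end):
    """Return {person: fraction of logged-on time spent in the privileged account}."""
    events = sorted(csv.reader(StringIO(log_text)))  # ISO timestamps sort chronologically
    open_at = {}                                     # account -> logon time
    seconds = defaultdict(lambda: {"priv": 0.0, "regular": 0.0})

    def close(account, start, end):
        priv = account.endswith(PRIV_SUFFIX)
        person = account[:-len(PRIV_SUFFIX)] if priv else account
        seconds[person]["priv" if priv else "regular"] += (end - start).total_seconds()

    for ts, account, event in events:
        when = datetime.fromisoformat(ts)
        if event == "logon":
            open_at.setdefault(account, when)    # ignore a repeated logon while open
        elif event == "logoff" and account in open_at:
            close(account, open_at.pop(account), when)
    for account, start in open_at.items():       # never-closed sessions run to window end
        close(account, start, window_end)
    return {p: t["priv"] / (t["priv"] + t["regular"])
            for p, t in seconds.items() if t["priv"] + t["regular"] > 0}

def flag_violations(shares, threshold=0.10):
    """People whose privileged share exceeds the organization's estimate."""
    return sorted(p for p, share in shares.items() if share > threshold)

if __name__ == "__main__":
    shares = privileged_share(SAMPLE_LOG, datetime(2024, 3, 4, 18, 0))
    print({p: round(s, 2) for p, s in shares.items()})
    print("flagged:", flag_violations(shares))
```

A privileged session with no logoff is counted up to the end of the audit window, so an administrator who never logs out of the privileged account is not missed.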

Security Audits and Reviews

Security audits and reviews help ensure that an organization has
implemented security controls properly. Access review audits
(presented earlier in this chapter) assess the effectiveness of access
controls. These reviews ensure that accounts are managed
appropriately, don’t have excessive privileges, and are disabled or
deleted when required. In the context of the Security Operations
domain, security audits help ensure that management controls are in
place. The following list includes some common items to check:

Patch Management: A patch management review ensures that
patches are evaluated as soon as possible once they are available. It
also ensures that the organization follows established procedures to
evaluate, test, approve, deploy, and verify the patches. Vulnerability
scan reports can be valuable in any patch management review or
audit.

Vulnerability Management: A vulnerability management review
ensures that vulnerability scans and assessments are performed
regularly in compliance with established guidelines. For example, an
organization may have a policy document stating that vulnerability
scans are performed at least weekly, and the review verifies that this is
done. Additionally, the review will verify that the vulnerabilities

