Page 1262 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
discovered in the scans have been addressed and mitigated.
Configuration Management: Systems can be audited periodically
to ensure that the original configurations are not modified. It is often
possible to use scripting tools to check specific configurations of
systems and identify when a change has occurred. Additionally,
logging can be enabled for many configuration settings to record
configuration changes. A configuration management audit can check
the logs for any changes and verify that they are authorized.
Change Management: A change management review ensures that
changes are implemented in accordance with the organization’s
change management policy. This often includes a review of outages to
determine the cause. Outages that result from unauthorized changes
are a clear indication that the change management program needs
improvement.
Reporting Audit Results
The actual formats used by an organization to produce reports from
audits vary. However, reports should address a few basic or central
concepts:
The purpose of the audit
The scope of the audit
The results discovered or revealed by the audit
In addition to these basic concepts, audit reports often include many
details specific to the environment, such as time, date, and a list of the
audited systems. They can also include a wide range of content that
focuses on
Problems, events, and conditions
Standards, criteria, and baselines
Causes, reasons, impact, and effect
Recommended solutions and safeguards
Audit reports should have a structure or design that is clear, concise,
and objective. Although auditors will often include opinions or

