Page 1263 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

recommendations, they should clearly identify them. The actual findings should be based on fact and evidence gathered from audit trails and other sources during the audit.

Protecting Audit Results

Audit reports include sensitive information. They should be assigned a classification label, and only those people with sufficient privilege should have access to audit reports. This includes high-level executives and security personnel involved in the creation of the reports or responsible for the correction of items mentioned in the reports.

Auditors sometimes create a separate audit report with limited data for other personnel. This modified report provides only the details relevant to the target audience. For example, senior management does not need to know all the minute details of an audit report. Therefore, the audit report for senior management is much more concise and offers more of an overview or summary of findings. An audit report for a security administrator responsible for correction of the problems should be very detailed and include all available information on the events it covers.

On the other hand, the fact that an auditor is performing an audit is often very public. This lets personnel know that senior management is actively taking steps to maintain security.

Distributing Audit Reports

Once an audit report is completed, auditors submit it to its assigned recipients, as defined in security policy documentation. It's common to file a signed confirmation of receipt. When an audit report contains information about serious security violations or performance issues, personnel escalate it to higher levels of management for review, notification, and assignment of a response to resolve the issues.

Using External Auditors

Many organizations choose to conduct independent audits by hiring external security auditors. Additionally, some laws and regulations require external audits. External audits provide a level of objectivity