Page 1264 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

that an internal audit cannot provide, and they bring a fresh, outside perspective to internal policies, practices, and procedures.

Many organizations hire external security experts to perform penetration testing against their system as a form of testing. These penetration tests help an organization identify vulnerabilities and the ability of attackers to exploit these vulnerabilities.



An external auditor is given access to the company’s security policy and the authorization to inspect appropriate aspects of the IT and physical environment. Thus, the auditor must be a trusted entity. The goal of the audit activity is to obtain a final report that details findings and suggests countermeasures when appropriate.


An external audit can take a considerable amount of time to complete—weeks or months, in some cases. During the course of the audit, the auditor may issue interim reports. An interim report is a written or verbal report given to the organization about any observed security weaknesses or policy/procedure mismatches that demand immediate attention. Auditors issue interim reports whenever a problem or issue is too important to wait until the final audit report.


Once the auditors complete their investigations, they typically hold an exit conference. During this conference, the auditors present their findings and discuss resolution issues with the affected parties. However, only after the exit conference is over and the auditors have left the premises do they write and submit their final audit report to the organization. This allows the final audit report to remain unaffected by office politics and coercion.


After the organization receives the final audit report, internal auditors review it and make recommendations to senior management based on the report. Senior management is responsible for selecting which recommendations to implement and for delegating implementation requirements to internal personnel.