Page 1273 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

account management practices to prevent violations with least privilege or need-to-know principles. However, they can also be performed to oversee patch management, vulnerability management, change management, and configuration management programs.

Understand auditing and the need for frequent security audits. Auditing is a methodical examination or review of an environment to ensure compliance with regulations and to detect abnormalities, unauthorized occurrences, or outright crimes. Secure IT environments rely heavily on auditing. Overall, auditing serves as a primary type of detective control used within a secure environment. The frequency of an IT infrastructure security audit or security review is based on risk. An organization determines whether sufficient risk exists to warrant the expense and interruption of a security audit. The degree of risk also affects how often an audit is performed. It is important to clearly define and adhere to the frequency of audit reviews.


Understand that auditing is an aspect of due care. Security audits and effectiveness reviews are key elements in displaying due care. Senior management must enforce compliance with regular periodic security reviews, or they will likely be held accountable and liable for any asset losses that occur.

Understand the need to control access to audit reports. Audit reports typically address common concepts such as the purpose of the audit, the scope of the audit, and the results discovered or revealed by the audit. They often include other details specific to the environment and can include sensitive information such as problems, standards, causes, and recommendations. Audit reports that include sensitive information should be assigned a classification label and handled appropriately. Only people with sufficient privilege should have access to them. An audit report can be prepared in various versions for different target audiences to include only the details needed by a specific audience. For example, senior security administrators might have a report with all the relevant details, whereas a report for executives would provide only high-level information.

Understand access review and user entitlement audits. An