What does a security audit include?

A security audit involves four basic elements: control objectives, security vulnerabilities, control measures and control testing. Control objectives are the security control requirements that an enterprise formulates according to its specific computer applications and its own actual situation. Security vulnerabilities are the weak links in system security, the points that are easy to disturb or destroy. Control measures are the security control technologies, configuration methods and the various specifications and rules an enterprise formulates to achieve its security control objectives. Control testing compares the enterprise's security control measures with the predetermined security standards, determines whether each control measure exists, whether it is implemented and whether it is effective, and evaluates the reliability of the enterprise's security measures as a whole. Clearly, as a specialised audit project, a security audit requires auditors with strong professional and technical knowledge and skills.

Security audit is an integral part of auditing, because the security of a computer network environment involves not only national security but also the economic interests of enterprises. We therefore think it is necessary to establish, as soon as possible, a three-tier security audit system combining the state, society and enterprises. Within it, the national security audit institution should carry out an annual audit of the information security of enterprises on the WAN in accordance with national law, with particular attention to the security technical requirements of the computer network itself. In addition, social intermediary organisations should be developed to provide audit services for the security of computer network environments; like accounting firms and law firms, these would be institutions that evaluate the security of enterprise computer network systems. When enterprise management weighs the potential losses a network system could cause, it needs an intermediary to check and evaluate that security. Financial auditing, too, cannot be separated from network security experts, who evaluate the network's security controls and help certified public accountants reach a correct judgement on the authenticity and reliability of the information disclosed by the corresponding information processing system.

Ira Winkler, Chairman of Internet Security Consulting Group, holds that security audit, vulnerability assessment and penetration testing are the three main ways of diagnosing security. The three use different methods and suit different goals. A security audit measures the performance of an information system against a set of standards. A vulnerability assessment is a comprehensive investigation of the entire information system to find potential security vulnerabilities. A penetration test is a covert operation in which security experts carry out many attacks to explore whether the system can resist similar attacks from malicious hackers; the simulated attacks may include anything a real attacker might try, such as social engineering. Each method has its own strengths, and combining two or more of them may be the most effective approach.