Inspection Audits
Secure IT environments rely heavily on auditing as a detective security control to discover
and correct vulnerabilities. Two important audits within the context of access control are
access review audits and user entitlement audits.
It’s important to clearly define and adhere to the frequency of audit reviews.
Organizations typically determine the frequency of a security audit or security review
based on risk. Personnel evaluate vulnerabilities and threats against the organization’s
valuable assets to determine the overall level of risk. This helps the organization justify the
expense of an audit and determine how frequently they want to have an audit.
Logging, Monitoring, and Auditing
785
Audits cost time and money, and the frequency of an audit is based on the
associated risk. For example, potential misuse or compromise of privileged
accounts represents a much greater risk than misuse or compromise of
regular user accounts. With this in mind, security personnel would perform
user entitlement audits for privileged accounts much more often than
user entitlement audits of regular user accounts.
As with many other aspects of deploying and maintaining security, security audits are
often viewed as key elements of due care. If senior management fails to enforce
compliance with regular security reviews, then stakeholders can hold them accountable and
liable for any asset losses that occur because of security breaches or policy violations.
When audits aren’t performed, it creates the perception that management is not
exercising due care.
Access Review Audits
Many organizations perform periodic access reviews and audits to ensure that object access
and account management practices support the security policy. These audits verify that
users do not have excessive privileges and that accounts are managed appropriately. They
ensure that secure processes and procedures are in place, that personnel are following
them, and that these processes and procedures are working as expected.
For example, access to highly valuable data should be restricted to only the users who
need it. An access review audit will verify that data has been classified and that data
classifications are clear to the users. Additionally, it will ensure that anyone who has the
authority to grant access to data understands what makes a user eligible for the access. For
example, if a help desk professional can grant access to highly classified data, the help desk
professional needs to know what makes a user eligible for that level of access.
When examining account management practices, an access review audit will ensure
that accounts are disabled and deleted in accordance with best practices and security
policies. For example, accounts should be disabled as soon as possible if an employee
is terminated. A typical termination procedure policy often includes the following
elements:
■ At least one witness is present during the exit interview.
■ Account access is disabled during the interview.
■ Employee identification badges and other physical credentials such as smartcards are
collected during or immediately after the interview.
■ The employee is escorted off the premises immediately after the interview.
The access review verifies that a policy exists and that personnel are following it. When
terminated employees have continued access to the network after an exit interview, they
can easily cause damage. For example, an administrator can create a separate
administrator account and use it to access the network even if the administrator’s original
account is disabled.
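The following is an added example, not code from the study guide, showing what an automated access review check looks like in practice. It cross-references a constructed directory export against a constructed HR termination feed and an approved-administrators list, and flags the three conditions the text describes: accounts of terminated employees that remain enabled, privileged accounts held by someone not approved to have them, and accounts created on or after their owner's termination date (the "separate administrator account" case). The account records, employee IDs, dates and list names are all hypothetical.

```python
"""Added example (not from the study guide): a minimal access review check.

Cross-references a constructed directory export against a constructed HR
termination feed and an approved-administrators list, flagging:
  * enabled accounts that belong to terminated employees,
  * privileged accounts not on the approved list, and
  * accounts created on or after the owner's termination date
    (e.g. a second admin account made before the original was disabled).
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Account:
    username: str
    owner: str          # employee ID the account belongs to
    enabled: bool
    privileged: bool    # member of an administrative group
    created: date


# Constructed directory export (hypothetical accounts).
DIRECTORY = [
    Account("jsmith", "E100", enabled=True, privileged=False, created=date(2021, 3, 1)),
    Account("rlee", "E200", enabled=False, privileged=True, created=date(2019, 6, 15)),
    Account("rlee-backup", "E200", enabled=True, privileged=True, created=date(2024, 1, 10)),
    Account("mchen", "E300", enabled=True, privileged=True, created=date(2020, 9, 9)),
    Account("apatel", "E400", enabled=True, privileged=False, created=date(2023, 2, 2)),
]

# Constructed HR feed: employee ID -> termination date.
TERMINATED = {"E200": date(2024, 1, 9), "E400": date(2024, 5, 30)}

# Constructed list of usernames approved to hold privileged accounts.
APPROVED_ADMINS = {"rlee", "mchen"}


def terminated_but_enabled(directory, terminated):
    """Accounts still enabled although their owner has been terminated."""
    return sorted(a.username for a in directory
                  if a.enabled and a.owner in terminated)


def unapproved_privileged(directory, approved):
    """Privileged accounts whose username is not on the approved list."""
    return sorted(a.username for a in directory
                  if a.privileged and a.username not in approved)


def created_after_termination(directory, terminated):
    """Accounts created on or after their owner's termination date."""
    return sorted(a.username for a in directory
                  if a.owner in terminated and a.created >= terminated[a.owner])


def access_review(directory=DIRECTORY, terminated=TERMINATED, approved=APPROVED_ADMINS):
    """Run every check and return the findings keyed by check name."""
    return {
        "terminated_but_enabled": terminated_but_enabled(directory, terminated),
        "unapproved_privileged": unapproved_privileged(directory, approved),
        "created_after_termination": created_after_termination(directory, terminated),
    }


if __name__ == "__main__":
    for check, hits in access_review().items():
        print(f"{check}: {hits or 'none'}")
```

In a real environment the directory export would come from the identity provider and the termination feed from HR; the value of the review is in comparing the two sources, since each one alone looks consistent. The `rlee-backup` account is caught by all three checks, which is the pattern the text warns about: an administrator's original account was disabled, but a second privileged account created around the termination date remains active.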