(ISC)² CISSP® Official Study Guide, Eighth Edition



Date: 08.04.2023
(CISSP) Mike Chapple, James Michael Stewart, Darril Gibson - CISSP Official Study Guide-Sybex (2018)

Patch Management
A patch management review ensures that patches are evaluated as 
soon as possible once they are available. It also ensures that the organization follows 
established procedures to evaluate, test, approve, deploy, and verify the patches. Vulnerability 
scan reports can be valuable in any patch management review or audit. 


Chapter 17: Preventing and Responding to Incidents
Vulnerability Management
A vulnerability management review ensures that vulnerability 
scans and assessments are performed regularly in compliance with established guidelines. 
For example, an organization may have a policy document stating that vulnerability scans 
are performed at least weekly, and the review verifies that this is done. Additionally, the 
review will verify that the vulnerabilities discovered in the scans have been addressed and 
mitigated.
Configuration Management
Systems can be audited periodically to ensure that the original 
configurations are not modified. It is often possible to use scripting tools to check specific 
configurations of systems and identify when a change has occurred. Additionally, logging can 
be enabled for many configuration settings to record configuration changes. A configuration 
management audit can check the logs for any changes and verify that they are authorized.
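
An added example, not from the book: one way a script can detect configuration drift against a baseline and then check each change against the change log, as the Configuration Management paragraph describes. The setting names, log format, user names, and ticket IDs are constructed sample data and assumptions.

```python
import hashlib

# Constructed sample data: approved baseline vs. settings collected from a host.
BASELINE = {"PermitRootLogin": "no", "PasswordAuthentication": "no",
            "MaxAuthTries": "3", "LogLevel": "INFO"}
CURRENT = {"PermitRootLogin": "yes", "PasswordAuthentication": "no",
           "MaxAuthTries": "6", "LogLevel": "QUIET"}
# Constructed configuration-change log; "ticket" is the change request cited, if any.
CHANGE_LOG = [
    {"setting": "MaxAuthTries", "new": "6", "user": "alice", "ticket": "CHG-1001"},
    {"setting": "PermitRootLogin", "new": "yes", "user": "bob", "ticket": None},
]
APPROVED_TICKETS = {"CHG-1001"}  # hypothetical approved change requests


def fingerprint(settings):
    """SHA-256 over sorted key=value lines; a cheap 'has anything changed' check."""
    canon = "\n".join(f"{k}={settings[k]}" for k in sorted(settings))
    return hashlib.sha256(canon.encode()).hexdigest()


def drift(baseline, current):
    """Map each setting that differs to (baseline_value, current_value)."""
    keys = sorted(baseline.keys() | current.keys())
    return {k: (baseline.get(k), current.get(k))
            for k in keys if baseline.get(k) != current.get(k)}


def audit(baseline, current, change_log, approved):
    """Classify every drifted setting as authorized, unauthorized or unlogged."""
    if fingerprint(baseline) == fingerprint(current):
        return {}
    findings = {}
    for setting, (_, new) in drift(baseline, current).items():
        entries = [e for e in change_log
                   if e["setting"] == setting and e["new"] == new]
        if not entries:
            findings[setting] = "unlogged"        # changed with no audit trail
        elif any(e["ticket"] in approved for e in entries):
            findings[setting] = "authorized"      # logged and tied to an approval
        else:
            findings[setting] = "unauthorized"    # logged, but no approved change
    return findings


if __name__ == "__main__":
    for name, status in audit(BASELINE, CURRENT, CHANGE_LOG, APPROVED_TICKETS).items():
        print(f"{name}: {BASELINE.get(name)} -> {CURRENT.get(name)} [{status}]")
```

The "unlogged" result is the one that shows a logging gap as well as a drifted setting: the value changed, but no audit trail exists to review.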
Change Management
A change management review ensures that changes are implemented 
in accordance with the organization’s change management policy. This often 
includes a review of outages to determine the cause. Outages that result from unauthorized 
changes are a clear indication that the change management program needs improvement.
Reporting Audit Results
The actual formats used by an organization to produce reports from audits vary. However, 
reports should address a few basic or central concepts:
- The purpose of the audit
- The scope of the audit
- The results discovered or revealed by the audit
In addition to these basic concepts, audit reports often include many details specific to 
the environment, such as time, date, and a list of the audited systems. They can also include 
a wide range of content that focuses on
- Problems, events, and conditions
- Standards, criteria, and baselines
- Causes, reasons, impact, and effect
- Recommended solutions and safeguards
Audit reports should have a structure or design that is clear, concise, and objective. 
Although auditors will often include opinions or recommendations, they should clearly 
identify them. The actual findings should be based on fact and evidence gathered from 
audit trails and other sources during the audit.
