238 7.21 Endnotes
We have covered the fundamentals of auditing from the perspective of a manager implementing security in an organization. We discussed the auditor’s role in developing security policies and how those policies should be implemented with an audit frame of mind. We discussed several audit standards and organizations you can use to obtain further information and covered the basic auditing and assessment strategies needed to make audits successful. The audit process itself was discussed, explaining the six major areas every audit should cover and why. We looked at the need to evaluate organizational perimeters, namely firewalls and routers, and some of the tools auditors can use to accomplish those tasks.

The latter part of this chapter covered the need to train staff for the business recovery process. This training process begins with the training team developing objectives and determining the scope of the training that will be needed. Next, they must conduct a training needs assessment and begin developing the needed training materials. Once development of the training materials is under way, it is necessary to prepare training schedules and develop means to get the word out to all of your employees. The importance of proper communication to staff was discussed. When getting ready to train, it is a good idea to prepare a budget for the training phase and to develop the feedback questionnaires that will be used to collect feedback. When you actually conduct the training, these will help you evaluate its effectiveness. In the next chapter, we will discuss how you can maintain the BCP once you have it completed.
7.21 Endnotes
1. Herzog, Pete. Open Source Security Testing Methodology Manual. February 26, 2002. http://isecom.org
2. http://www.cert.org/security-improvement/#Harden
3. National State Auditors Association and the U.S. General Accounting Office (joint initiative). Management Planning Guide for Information Systems Security Auditing. December 10, 2001.
4. CERT Coordination Center (2005). CERT® Coordination Center 2003 Annual Report. Retrieved June 23, 2005, from http://www.cert.org/annual_rpts/cert_rpt_03.html#intro
5. Oliphant, Alan. “An Introduction to Computer Auditing—Part 2.” October 1998. http://www.theiia.org/itaudit
6. GAO/AIMD-12.19.6. Federal Information System Controls Audit Manual. January 1999. http://www.gao.gov/special.pubs/ai12.19.6.pdf
7. GAO/AIMD-12.19.6. Federal Information System Controls Audit Manual. January 1999. http://www.gao.gov/special.pubs/ai12.19.6.pdf
8. Anonymous (April 27, 2001). “IT Security Is All Wrong, Says Expert.” the(451).
9. National Institute of Standards and Technology. Special Publication 800-12: An Introduction to Computer Security: The NIST Handbook. October 1995. Ch. 8.