Network Perimeter Security Audit/Assurance Program 


The audit/assurance programs reflect the IT Assurance Framework (ITAF) sections 3400—IT Management Processes, 3600—IT Audit and Assurance Processes and 3800—IT Audit and Assurance Management and were developed in alignment with the Control Objectives for Information and related Technology (COBIT®)—specifically COBIT 4.1.

Objective—The objectives of the network perimeter security audit/assurance review are to:
  • Provide management with an independent assessment relating to the effectiveness of the network perimeter security and its alignment with the IT security architecture and policy
  • Provide management with an evaluation of the IT function’s preparedness in the event of an intrusion
  • Identify issues which affect the security of the enterprise’s network

Scope—The review will focus on the network perimeter security, including associated policies, standards and procedures as well as the effectiveness of the security implementation.

{The remainder of this paragraph on scope needs to be customized to describe which networks within the enterprise will be reviewed. In addition, the reviewer should determine if the scope also includes independent penetration and intrusion testing. Generally, this requires significant planning to avoid disrupting the business processes and other network traffic. The scope should include such things as:
  • The review will focus on the networks at the XYZ location as well as the connectivity to the Internet
  • The web servers managed by third-party suppliers will be excluded from this review and assessed separately}

IT audit and assurance professionals are expected to customize this document to the environment in which they are performing an assurance process. This document is to be used as a review tool and starting point. It may be modified by the IT audit and assurance professional; it is not intended to be a checklist or questionnaire. It is assumed that the IT audit and assurance professional holds the Certified Information Systems Auditor (CISA) designation or has the necessary subject matter expertise required to conduct the work and is supervised by a professional with the CISA designation and necessary subject matter expertise to adequately review the work performed.