An audit has little chance of success without having visibility of your network, including software, hardware, policies and risks. The following are examples of key information required to plan the audit work
  • Obtain copies of relevant security policies
  • Obtain access to firewall logs that can be analyzed against the firewall rule base to understand what is actually being used.
  • Obtain a diagram of the current network and firewall topologies.
  • Obtain reports and documents of previous audits, including firewall rules, objects and policy revisions.
  • Identify all Internet Service Providers (ISP) and Virtual Private Networks (VPN).
  • Obtain all relevant firewall vendor information including OS version, latest patches and default configuration.
  • Understand all the key servers and key information repositories in the network and their relative values to the company
Once you have gathered this information, how are you aggregating it and storing it? Spreadsheet compliance is a surefire way to make the audit process painful. Document, store and consolidate this important information in a way that enables collaboration with your IT counterparts. Then you can start reviewing policies and procedures and tracking their effectiveness in terms of compliance, operational efficiency and risk mitigation.

Review Change
Management

Audit Firewall Physical
& OS Security

Clean Up & Optimize
Rule Base

Assess &
Remediate Risk

Repeat