This document discusses techniques for auditing systems to improve security, including:
1. Monitoring system activity to detect security events and record them in an audit trail for analysis and reporting of violations.
2. Analyzing the audit trail, which includes system events, application events, user activity, and network traffic, to uncover security issues.
3. Developing security performance metrics to measure compliance, identify vulnerabilities, and monitor the security posture, with reporting on threats, vulnerabilities, security events, and changes in risk level so that the organization can respond promptly and keep risk at an acceptable level.
Security Monitoring and Improvement
Effective security monitoring enables timely detection of threats. Regular audits provide insight into compliance and identify areas for improvement. This chapter examines techniques for auditing, performance measurement, and risk reporting.
by Muhammad Atif Imtiaz
Security Audit Model
1. Event Discrimination: software monitors system activity, detecting security events.
2. Audit Recording: security events are recorded in an audit trail.
3. Analysis & Reporting: the audit trail is analyzed to uncover security violations.
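As an added example (not part of the original slides), the three stages of the audit model carried through in Python: a discriminator that turns raw system activity into security events, an append-only audit trail, and an analysis pass that reports violations. The log lines, the matching rules, the failure threshold and the list of sensitive paths are all constructed for this example.

```python
"""Three-stage security audit pipeline: event discrimination, audit recording,
and analysis & reporting. Added example; the log lines, rules and thresholds
below are constructed and are not from the original slides."""
import json
import re
from collections import Counter

# Stage 0 input: constructed syslog-like system activity (not real data).
RAW_ACTIVITY = """\
2024-03-01T09:00:01 sshd[201]: Accepted publickey for alice from 10.0.0.5 port 51122
2024-03-01T09:00:07 sshd[202]: Failed password for root from 198.51.100.23 port 40022
2024-03-01T09:00:09 sshd[202]: Failed password for root from 198.51.100.23 port 40022
2024-03-01T09:00:12 sshd[202]: Failed password for root from 198.51.100.23 port 40022
2024-03-01T09:00:14 sshd[202]: Failed password for root from 198.51.100.23 port 40022
2024-03-01T09:00:20 cron[300]: (root) CMD (/usr/local/bin/backup.sh)
2024-03-01T09:01:02 sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
2024-03-01T09:02:10 sshd[210]: Accepted password for bob from 10.0.0.9 port 51200
"""

# Stage 1: event discrimination. Each rule maps a raw line to a security
# event type; a line that matches no rule is ordinary activity and is dropped.
EVENT_RULES = [
    ("auth_failure",
     re.compile(r"sshd\[\d+\]: Failed password for (?P<user>\S+) from (?P<src>\S+)")),
    ("auth_success",
     re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")),
    ("privilege_use",
     re.compile(r"sudo: (?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")),
]


def discriminate(line):
    """Return a security event dict for one raw line, or None if the line is
    not security-relevant."""
    ts, _, msg = line.partition(" ")
    for event_type, pattern in EVENT_RULES:
        m = pattern.search(msg)
        if m:
            return {"time": ts, "type": event_type, **m.groupdict()}
    return None


# Stage 2: audit recording. Events are serialised as JSON lines and appended;
# the trail is a plain list here, but the same records would go to a
# write-once file or a remote log store in practice.
def record(events, trail):
    for ev in events:
        trail.append(json.dumps(ev, sort_keys=True))
    return trail


# Stage 3: analysis & reporting. Two constructed violation rules: repeated
# authentication failures from one source, and privileged access to a
# sensitive file.
FAILURE_THRESHOLD = 3
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers")


def analyze(trail):
    """Replay the audit trail and return a list of violation findings."""
    events = [json.loads(rec) for rec in trail]
    findings = []
    failures = Counter((e["user"], e["src"]) for e in events if e["type"] == "auth_failure")
    for (user, src), n in failures.items():
        if n >= FAILURE_THRESHOLD:
            findings.append({"rule": "repeated_auth_failure", "user": user, "src": src, "count": n})
    for e in events:
        if e["type"] == "privilege_use" and any(p in e["cmd"] for p in SENSITIVE_PATHS):
            findings.append({"rule": "sensitive_file_access", "user": e["user"], "cmd": e["cmd"]})
    return findings


def run_audit(raw_text):
    """Run all three stages and return (audit_trail, findings)."""
    events = [ev for ev in map(discriminate, raw_text.splitlines()) if ev]
    trail = record(events, [])
    return trail, analyze(trail)


if __name__ == "__main__":
    trail, findings = run_audit(RAW_ACTIVITY)
    print(f"{len(trail)} events recorded, {len(findings)} violations found")
    for f in findings:
        print(json.dumps(f))
```

On the constructed input, seven of the eight lines become audit records (the cron line is dropped as ordinary activity), and the analysis reports the four failed root logins from one source and the privileged read of /etc/shadow. Keeping the discriminator, the trail and the analysis separate is what lets the trail be re-analysed later with new rules without re-collecting the raw activity.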
Security Performance Metrics
Strategic Support: aid decision-making for planning and resource allocation.
Quality Assurance: identify vulnerabilities during the development lifecycle.
Tactical Oversight: monitor security posture and compliance.
Metric Development
1. Define Goals: establish clear objectives for the metrics program.
2. Select Metrics: choose metrics from authoritative sources like NIST.
3. Implement Strategies: plan data collection, reporting formats, and responsibilities.
4. Establish Benchmarks: compare against industry peers to identify improvement areas.
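As an added example (not part of the original slides), the four metric-development steps carried through in Python: each metric is defined with the goal it serves, a collection strategy, an owner, a target and a peer benchmark, and the report marks which metrics fall short of target so they become improvement areas. The two metrics, the host and incident data, and the target and benchmark figures are constructed for the example.

```python
"""Security performance metrics: goal, selected metric, collection strategy,
owner, target and benchmark, evaluated into a report. Added example; the
metrics, data, targets and benchmark figures are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Callable


@dataclass
class Metric:
    name: str
    goal: str                  # objective the metric serves (step 1)
    target: float              # level the organisation commits to
    benchmark: float           # constructed peer comparison value (step 4)
    higher_is_better: bool
    collect: Callable[[], float]  # data-collection strategy (step 3)
    owner: str                 # reporting responsibility (step 3)


# Constructed data: (host, critical patch released, patch applied or None).
PATCH_SLA_DAYS = 30
AS_OF = date(2024, 3, 31)
HOSTS = [
    ("web-01", date(2024, 2, 1), date(2024, 2, 10)),
    ("web-02", date(2024, 2, 1), date(2024, 3, 15)),   # applied after the SLA
    ("db-01", date(2024, 2, 1), None),                 # still unpatched
    ("app-01", date(2024, 2, 20), date(2024, 3, 1)),
]

# Constructed incident records: (id, hours from detection to containment).
INCIDENTS = [("INC-1", 4.0), ("INC-2", 30.0), ("INC-3", 8.0)]


def pct_patched_within_sla(hosts=HOSTS):
    """Share of hosts whose critical patch was applied within the SLA window."""
    within = sum(
        1 for _, released, applied in hosts
        if applied is not None and (applied - released).days <= PATCH_SLA_DAYS
    )
    return 100.0 * within / len(hosts)


def mean_hours_to_contain(incidents=INCIDENTS):
    """Mean detection-to-containment time across recorded incidents."""
    return sum(h for _, h in incidents) / len(incidents)


# Step 2: the metrics selected for the programme (constructed names/figures).
METRICS = [
    Metric("pct_critical_patches_within_sla",
           "Quality assurance: shorten the window of known exposure",
           target=95.0, benchmark=88.0, higher_is_better=True,
           collect=pct_patched_within_sla, owner="Platform team"),
    Metric("mean_hours_to_contain",
           "Tactical oversight: speed of incident handling",
           target=12.0, benchmark=24.0, higher_is_better=False,
           collect=mean_hours_to_contain, owner="SOC"),
]


def evaluate(metric):
    """Collect one metric and compare it against its target and benchmark."""
    value = metric.collect()
    better = (lambda a, b: a >= b) if metric.higher_is_better else (lambda a, b: a <= b)
    return {
        "metric": metric.name, "goal": metric.goal, "owner": metric.owner,
        "value": round(value, 2), "target": metric.target, "benchmark": metric.benchmark,
        "meets_target": better(value, metric.target),
        "beats_benchmark": better(value, metric.benchmark),
    }


def report(metrics=METRICS):
    """Build the reporting structure: per-metric results plus improvement areas."""
    rows = [evaluate(m) for m in metrics]
    return {
        "as_of": AS_OF.isoformat(),
        "results": rows,
        "improvement_areas": [r["metric"] for r in rows if not r["meets_target"]],
    }


if __name__ == "__main__":
    for row in report()["results"]:
        print(f"{row['metric']}: {row['value']} (target {row['target']}, "
              f"benchmark {row['benchmark']}) owner={row['owner']} "
              f"meets_target={row['meets_target']} beats_benchmark={row['beats_benchmark']}")
```

On the constructed data, half the hosts were patched within the SLA (below both the 95% target and the 88% benchmark) and incidents took 14 hours on average to contain (better than the 24-hour benchmark but short of the 12-hour target), so both metrics land in the improvement areas. Carrying the goal and owner on each metric is what makes the report usable for the strategic and tactical purposes the slides list: a missed target names both the objective at risk and who acts on it.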
Security Monitoring
Performance Reporting: assess delivery against targets and enterprise objectives.
Control Monitoring: continuously evaluate control environment effectiveness.
Compliance Verification: confirm adherence to policies, regulations, and contracts.
Corrective Actions: identify and initiate improvements based on findings.
Information Risk Reporting
Objective: provide executive management with visibility into information risks.
Contents: threats, vulnerabilities, security events, and risk changes.
Benefits: enable timely response and maintain acceptable risk levels.
Audience: executive management.
Compliance Monitoring
Regulations: monitor adherence to laws and industry rules.
Contracts: ensure security controls meet contractual obligations.
Policies: verify alignment with organizational security policies.
Security Audit Best Practices
1. Planning: define methodology and scope for audits.
2. Fieldwork: collect evidence, perform tests, and record results.
3. Reporting: document findings and recommendations.
4. Monitoring: track risk treatment and control implementation.
Continuous Improvement
Regular auditing, monitoring and reporting enable an ongoing cycle of security assessment and enhancement. By measuring performance against defined metrics, an organization can identify vulnerabilities, implement corrective actions, and continuously improve its security posture over time.