Security Audits

During security audits of applications at least all of the mentioned disciplines are verified by an external or internal consultant, those include:

• Resource States
• Isolation
• Encryption
• Boundaries
• Deveopment Practices

Auditors follow the regular NIST / ISO / DIN norms when auditing. Therefore setups are verified from corporate to individual level (top-down):

1. Organizational policies
2. Department policies
3. Application policies

Common Identity Management questions to evaluate policy compliance, which are evaluated with Security Architects and Platform Providers first and afterwards with Solution Architects are:

• How is identity management impemented?
• Who is responsible for the identify management system?
• Are roles accross the organization clearly defined?
  Keep in mind that norms also define communication and escalation structures.
• How does an organization provision and de-provision accounts?
• What privileges are associated with normal or specialized roles?
• How does the organization and platform providers interact?
• How is the system tested with respect to security?
• How are new passwords confirmed as to strenght?
• How are credentials for the platform managed from the organization?
• How are passwords saved?

Platform Providers can aquire independent certification to one or more of the available domain specific standards. Those reduce the required involvement into audits as an external company certifies that given security standards are fulfilled. NIST 800-53, ISO/IEC-27001 and DIN 32757 are some of those standards. Standardization processes will take up to multiple years, even though the standards themselfes are summarized in a few pages. That\’s due to the included work packages within organizations and cultural changes within companies.

Next to organizational and policy compliance, the development process and its practices can also be audited:

• Is security awareness on the part of the developers?
• Are there security tests in the deployment pipeline?
  Security tests in code and integrated in the pipeline or having security police implementation automated in well-tested scripts is a good evidence to auditors.
• Are reviews arried out?
• Are design considerations enumerated earlier utilized and verified?
• Are the same practices carried out in developing scripts and using DevOps tools?

Within the last stage security evidence is verified via samples to verify if the concepts are in-practice. Some queries might be:

• Create a new account for me.
• Show me the privileges I get.
• Show me the records that demonstrate how long it takes to deactivate an account once an emplyee leaves the organization.
• Show me how this links back into the change management system.