Operational Audit

The security of an application is inextricably linked to a myriad of other processes in an organization. Ensuring that these processes are appropriately designed and operating as intended is often critical to providing management with assurance that key control objectives are being achieved and that core risks are mitigated to an acceptable level. Operational Audits are an effective mechanism for providing this assurance.

Key activities include:

  • Leveraging the Threat Assessment, System Security Plan, Vulnerability Assessment, or Penetration Test to identify which operational activities (e.g. User Entitlement Review, User Provisioning, System Audit) are critical to the security of the application;
  • Conducting a design review and/or compliance review of those operational activities deemed essential to the ongoing achievement of critical security objectives; and,
  • Formal reporting on the process, gap analysis, relevant findings, and mitigation roadmap. Where possible, the report will also include root cause analysis, peer-group benchmarking, good-practice benchmarking, an executive summary, and a technical summary.

The predominant benefits realized by an Operational Audit are:

  • Assurance that key operational security controls are in place and operating as intended; and
  • A measure of assurance that the control environment can sustain the current security posture over an extended period of time.

Operational Audits are best used:

  • As part of a compliance management program, to demonstrate compliance with relevant laws and regulations over an extended period of time; and,
  • As part of a broader "certification and accreditation" exercise to provide a higher level of assurance for critical applications.