Service Oriented Architecture (SOA) Operational Assessment

The complexity of SOA implementations, and the criticality of the data they generally process and transmit, place a greater requirement on organizations to ensure that the SOA implementation and the processes it relies on are operating as intended. Management needs assurance that key control objectives are being achieved and that core risks are mitigated to an acceptable level. Operational Assessments are an effective mechanism to provide this assurance.

Key activities include:

  • Leveraging the SOA Design Review, System Security Plan, Threat/Vulnerability Assessment, or Penetration Testing to understand which operational activities (e.g. XML Gateway Services, User Provisioning, System Audit) are critical to the security of the application;
  • Conducting a compliance review of those operational activities that are deemed essential to the ongoing achievement of critical security objectives; and,
  • Formal reporting on the process, relevant findings, and remediation advice. Where possible, the report will also include root cause analysis, peer-group benchmarking, good practice benchmarking, executive summaries, and technical summaries.

The predominant benefits realized by an Operational Audit are:

  • Provides assurance that key operational security controls are in place and operating as intended; and
  • Provides a measure of assurance that the SOA control environment can perpetuate the current security posture over an extended period of time.

Operational Audits are best used:

  • As part of a compliance management program to demonstrate compliance with relevant laws and regulations over an extended period of time; and,
  • As part of a broader "certification and accreditation" exercise to provide a higher level of assurance for critical services such as SOA.