Security Audit and Testing (SAT)

One of the important aspects of an organization’s security initiative is to provide assurance over the security behavior of its IT ecosystem. This assurance is primarily sought for two reasons: first, to test the security behavior against the security threats that could significantly jeopardize the business interests of the organization; second, to test the effectiveness of the design, implementation and operation of the security countermeasures against the compliance requirements. An expanding threat landscape, compounded by the continual pressure to demonstrate compliance, demands an effective and efficient assurance function. Security Audit and Testing (SAT) has traditionally been seen as the means to obtain assurance over an organization’s security.


In the wake of legal and compliance requirements and the increasing adoption of security frameworks that rely on internal control implementations, SAT helps an organization assess its state or baseline against these requirements and control objectives. SAT becomes an important means for an organization to check its preparedness in case of a change in the threat landscape or in the characteristics of its IT infrastructure. SAT also gives external parties that have an interest in an organization’s operations — either for business or for legal compliance — a way to obtain assurance. As SAT helps an organization understand its state of security for internal reasons and provides assurance to external parties, it requires attention of the highest degree. DSCI believes that a comprehensive SAT capability goes a long way in aligning an organization’s security initiatives to the real challenges or threats it faces, extending the security program to its most desired elements, harmonizing processes for maximum efficiency and creating the demonstration capabilities needed for better management of compliance.


DSF considers SAT an important element of the transactional or process layer of security, which keeps organizations secure against evolving and perennial security threats. DSCI Best Practices provide an approach to organizing this discipline of security so that an organization gets the fullest benefit from its investments and efforts in security audits and testing. While attempts are made to relate this discipline to new understandings, evolving practices and technological directions, this document sets out how an organization can progress along the path of maturity in SAT. The next section explains DSCI’s approach towards SAT. The Security Audit and Testing (SAT) practices compiled here provide practical guidelines for setting up an effective security audit and testing function in an organization.

  • Strategy for Security Audit
    • Identify and make an inventory of security audit requirements
    • Identify the types of audits required for the organization, i.e. the nature of audit, the type of audit and the audit execution methodology
    • Create a map of security audit types, schedule & timeline of audits, resource requirement
    • Create an inventory of audit and assurance processes, any tactical mechanisms or tools used to carry them, and operational elements involved
    • Identify the audit information flow in the organization — audit observations, audit reporting, audit issues/alerts, management reporting
    • Create an inventory of audit sources or artifacts used in audit processes
    • Create a visibility over a number of audit engagements, non-compliance issues identified, process/technical flaws reported, and remediation initiated or completed
    • Evaluate the audit engagements from the perspective of effectiveness and completeness
    • Create a strategic roadmap for building enterprise wide security function to achieve effectiveness, completeness, professionalism in security audit processes
  • Strategy for Security Testing
    • Make an inventory of systems, including mission-critical systems, systems vulnerable to internal security threats and systems exposed to public networks
    • Identify the scenarios that could lead to a compromise of these systems or to the loss of critical data that resides on or transits through them
    • Identify and make an inventory of security testing requirements based on Business criticality, exposure and security requirements; Security architecture – infrastructure, application and data security; Compliance requirements
    • Identify the types of security testing
    • Create a map of security testing types to resources and skills required, efforts required and timelines
    • Create an inventory of in-scope systems that require incorporating security testing as per compliance requirements
    • Create an inventory of tools, techniques and solutions adopted, and implemented for security testing
    • Create a map of security testing processes, tactical mechanism involved and participating operational elements
    • Identify how the security testing process keeps itself updated with newly identified vulnerabilities and available exploits, and how it tests their relevance in the organization’s environment
    • Identify how the security testing reports are managed — how security issues are identified, assessed and reported to the management — and how the remediation process is initiated
    • Create a strategic roadmap for security testing considering options like Security testing tools, Collaboration with security community, Use of external service providers, Collaboration with Computer Emergency Response Teams
  • Security Audit
    • Establish enterprise-wide guidelines for security audit that include: audit charter, audit engagement definition, qualifications and credentials of the auditor, audit documentation, etc.
    • Ensure that an audit management function exists that is responsible for — compiling audit requirements, defining audit types, identifying audit engagements, planning and arranging audits, overseeing audit execution, managing engagement performance, managing audit results and reporting to the management
    • Establish an internal audit function for ongoing assessment of internal controls and compliance testing
    • Define a calendar of audit with their schedules, resources allocated and efforts dedicated
    • Ensure that a security and compliance risk intelligence mechanism exists that provides inputs to the audit process of perennial and evolving security issues to check their relevance in the organization’s environment
    • Ensure that the audit exercise covers all the elements of the scope of audit, as far as possible.
    • Ensure that during the course of an audit, the auditor gets sufficient, reliable and relevant evidence to achieve the audit objectives
    • Define the structure of audit reporting. Ensure that the traceability of each audit observation to its evidence and original information sources is maintained
    • Ensure that the audit information — audit evidence, enterprise information shared, systems reports and artifacts generated, and audit reports — is effectively managed to serve compliance requirements, management reporting and future audits
    • Ensure that a security auditing function is positioned in a way that it plays an important role in management reporting about an organization’s risk exposure.
    • Ensure that a security audit process is integrated with the organization’s incident and problem management processes in order to trigger remediation to address specific issues identified during the audit engagement
    • Establish an enterprise collaboration platform to liaise between departments involved in the security audit
  • Security Testing
    • Assign a criticality rating to the IT infrastructure elements — systems, network, application and data — based on their importance to the business processes and compliance requirements
    • Define a security testing plan that includes — type of test, test schedule, resources (tools/solutions) required, and efforts dedicated
    • Ensure that the security testing is a routine and integral part of the system and network operations and maintenance and followed as an operational practice
    • Ensure that the objectives of security testing engagement are clearly mentioned, focusing on understanding the potential problems of a system
    • Establish a methodology for testing the IT infrastructure — type of tests, usage of tools, threat profiling methods, risk rating methodology, and reporting standards
    • Ensure that a sound understanding of technical security concepts and issues exists, and that adequate effort is dedicated to cultivating and enhancing the understanding of how security attacks are launched, how vulnerabilities are exploited, what the countermeasures are and how to implement them
    • Ensure that the security testing processes are integrated into organization’s risk management processes
    • Ensure that an adequate level of resources and skills are present to carry out the critical technical tasks of security testing
    • Ensure that a mechanism exists that collaborates with different information sources to identify new security vulnerabilities, their criticality, likely impact and exploitability
    • Ensure that all newly identified vulnerabilities that may cause potential damage to the security of the organization are tested for their relevance and impact
    • Ensure that the results of security testing are effectively managed — report the security posture, identify and alert on critical issues, initiate remediation action and create a knowledge base within the organization for future use
    • Ensure that a collaboration mechanism exists that helps in interaction between security, IT infrastructure, application and incident management teams for test management and remediation
  • Business alignment of investments in security audit and testing
  • Ability to serve enterprise risk management
  • Standardization of audit and testing processes
  • Ability to identify critical issues and invoke a response to each of these issues
  • Coverage and accuracy of security audit and testing engagements
  • Responsiveness in testing relevance of new issues in an organization’s environment
  • Knowledge management – testing and audit information management
  • Organizational understanding of security concepts, issues, threats, and vulnerabilities
  • Adequacy of skills and technical competence
  • Adequacy of resources and efforts assigned
  • Optimization of resources and efforts for audit and testing
  • Integration with IT infrastructure management processes for timely remediation
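The Security Testing practices above call for a mechanism that picks up newly published vulnerabilities, tests their relevance in the organization’s own environment, and prioritizes them using the criticality rating assigned to each infrastructure element. The following Python script is an added example of one way to implement that relevance check; it is not part of the DSCI framework or any DSCI tooling. The asset inventory, the advisory feed, the product names, the advisory identifiers (ADV-…) and the scoring weights are all constructed for illustration and would be replaced by the organization’s own CMDB, vulnerability feeds and risk rating methodology.

```python
"""Vulnerability relevance triage against an asset inventory.

Added example (not part of the DSCI framework text). Every asset, advisory,
product name, identifier and weight below is constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    product: str                 # constructed product label, e.g. "webserver"
    version: Tuple[int, ...]
    criticality: int             # rating from the business/compliance review: 1 (low) .. 4 (mission critical)
    internet_exposed: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str             # placeholder ids (ADV-...), not real vulnerability identifiers
    product: str
    affected_below: Tuple[int, ...]   # versions strictly below this value are affected
    impact: int                  # 1 .. 4, as published by the information source
    exploit_available: bool


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '2.4.49' into (2, 4, 49) so versions compare lexicographically."""
    return tuple(int(part) for part in s.split("."))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """Relevance test: same product and a version older than the fixed one."""
    return asset.product == adv.product and asset.version < adv.affected_below


def priority(asset: Asset, adv: Advisory) -> int:
    """Order the test plan: criticality x impact, raised when a public exploit
    exists and again when the asset is reachable from the Internet
    (constructed weights; substitute the organization's own rating method)."""
    score = asset.criticality * adv.impact
    if adv.exploit_available:
        score += 4
    if asset.internet_exposed:
        score += 2
    return score


def triage(assets: List[Asset], advisories: List[Advisory]) -> List[dict]:
    """Return the relevant (advisory, asset) pairs, highest priority first.
    Each finding keeps the advisory id and asset name so a later test result
    can be traced back to its information source."""
    findings = []
    for adv in advisories:
        for asset in assets:
            if is_affected(asset, adv):
                findings.append({"advisory": adv.advisory_id,
                                 "asset": asset.name,
                                 "priority": priority(asset, adv)})
    findings.sort(key=lambda f: (-f["priority"], f["advisory"], f["asset"]))
    return findings


def not_relevant(assets: List[Asset], advisories: List[Advisory]) -> List[str]:
    """Advisory ids matching nothing in the inventory: recorded as reviewed
    and not applicable rather than silently dropped."""
    relevant = {f["advisory"] for f in triage(assets, advisories)}
    return [adv.advisory_id for adv in advisories if adv.advisory_id not in relevant]


# Constructed sample inventory and advisory feed.
SAMPLE_ASSETS = [
    Asset("payments-web-01", "webserver", parse_version("2.4.49"), 4, True),
    Asset("intranet-wiki", "webserver", parse_version("2.4.52"), 2, False),
    Asset("hr-db-01", "dbserver", parse_version("13.2"), 3, False),
]
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "webserver", parse_version("2.4.51"), 4, True),
    Advisory("ADV-0002", "dbserver", parse_version("13.4"), 3, False),
    Advisory("ADV-0003", "mailserver", parse_version("1.0"), 4, True),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ASSETS, SAMPLE_ADVISORIES):
        print(finding)
    print("reviewed, not applicable:", not_relevant(SAMPLE_ASSETS, SAMPLE_ADVISORIES))
```

On the sample data the Internet-facing, mission-critical web server with a public exploit comes out on top of the test plan, the patched wiki is correctly left out, and the mail-server advisory is recorded as reviewed but not applicable. Keeping that last list is what gives an auditor the evidence that every new issue was actually checked against the environment, not just the ones that turned out to matter.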



DSCI Security Framework