

Sunday, October 7, 2007

Network Security Audit Case Study

This is a case study of Dionach carrying out a network security audit on an insurance company based in the UK. The audit comprised an internal security audit and an external perimeter security audit. Some of the information has been changed or omitted to maintain confidentiality.


The organisation carries out much of its business online, and felt that an independent view of their internal and external network security was required. The organisation selected Dionach to carry out the auditing. Dionach carried out an external penetration test, and then the on-site audit.

Internal Audit

Three Dionach consultants carried out the internal audit, with one of them nominated as the lead auditor. This lead auditor liaised with the organisation's information security officer (ISO).

The ISO, along with other staff with the appropriate knowledge, was interviewed to gain an understanding of the setup of the network, servers and LAN. This allowed an up-to-date network diagram to be created. Copies of existing network diagrams and the security policy were also taken.

The lead auditor then assigned consultants to audit the configuration of firewalls, routers, web servers, database servers and domain controllers, and samples of other workstations. Antivirus, email, network topology and physical security were also areas that were examined.

Throughout the process, the organisation's staff responsible for each area being audited were interviewed further as required; however, the purpose of the audit was to determine the actual, technical setup and compare it to best practice.

At the end of the on-site process, the lead auditor held a meeting with the ISO to provide an initial oral report of findings. The audit team's task was then to produce the final report.


The report produced was comprehensive and detailed, with an executive summary, a section for the external audit, a section for the on-site internal audit, and finally a technical summary of conclusions.

The executive summary first rated the overall security of the network as medium risk. Most elements of the network were configured securely, and the recent introduction of a group security policy would reinforce and improve security awareness.

The executive summary also listed the following issues:

  • The external security risk was low, although one firewall configuration allowed unrestricted outbound connections from a server. If that server were vulnerable, the lack of egress filtering would make it easier for an attacker to compromise it, since the server could connect back out to the attacker once exploited.
  • Although anti-virus was in place at the perimeter, on the email gateway and on the servers, the individual user workstations were not protected. Workstations were also not being patched, so a virus or worm that found its way onto the internal network would spread unhindered.
  • There was no intrusion detection system (IDS) in place, and the external penetration test was not noticed by the organisation. Because the organisation is dependent on online business, Dionach highly recommended the implementation of a network IDS that would be actively monitored.
  • A password audit of domain user accounts showed that many users had simple passwords, even though the security policy gave guidance on choosing strong ones. There was no technical mechanism enforcing strong passwords.
  • A number of internal SQL Server databases had blank administrator passwords and were not at current service pack levels.
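As an added example that is not part of the Dionach report or this case study, the following T-SQL shows the checks an auditor could run on each internal SQL Server instance to confirm the last finding (blank administrator passwords and out-of-date service pack levels) and the related password-policy gap. It assumes SQL Server 2005 or later, so that sys.sql_logins and its is_policy_checked column exist, that the administrator account in question is the built-in sa login, and that the auditor connects with sysadmin rights; the remediation statements at the end are commented out and are an assumed fix, not something the report prescribes.

```sql
-- Added example: audit checks for blank SQL logins and patch level.
-- Not from the Dionach report. Assumes SQL Server 2005+ and a sysadmin
-- connection; on SQL Server 2000 use master..syslogins and the
-- password column instead of sys.sql_logins / password_hash.

-- 1. Service pack / patch level. ProductLevel returns e.g. 'RTM' or 'SP2';
--    compare it and ProductVersion with the latest level Microsoft has
--    released for this edition to decide whether the instance is current.
SELECT SERVERPROPERTY('ProductVersion') AS product_version,
       SERVERPROPERTY('ProductLevel')   AS product_level,
       SERVERPROPERTY('Edition')        AS edition;

-- 2. SQL logins that accept an empty password. PWDCOMPARE hashes the
--    supplied clear-text value with each login's stored salt and returns 1
--    on a match, so the blank-sa case is found without exporting hashes
--    to a cracking tool.
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1;

-- 3. Logins whose password equals the login name, another common weak
--    default worth reporting alongside blank passwords.
SELECT name
FROM   sys.sql_logins
WHERE  PWDCOMPARE(name, password_hash) = 1;

-- 4. Logins exempt from the Windows password policy (complexity/expiry).
--    This is the SQL-side counterpart of the domain finding that nothing
--    enforced strong passwords.
SELECT name, is_policy_checked, is_expiration_checked
FROM   sys.sql_logins
WHERE  is_policy_checked = 0 OR is_expiration_checked = 0;

-- 5. Assumed remediation for a blank sa password (run deliberately, never
--    as part of a read-only audit): set a strong password, enforce policy
--    checking, and disable sa so applications use dedicated least-privilege
--    logins instead.
-- ALTER LOGIN sa WITH PASSWORD = '<strong-password-here>', CHECK_POLICY = ON;
-- ALTER LOGIN sa DISABLE;
```

Queries 2 to 4 should return no rows on a correctly configured instance; any row returned is a finding to record with the instance name and the login concerned. Query 1 is informational and has to be judged against the vendor's current release list at the time of the audit.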

Further detail and recommendations were provided in the rest of the report.

The external audit section listed the external test results in detail, with a technical summary of issues and recommendations, for which there were few.

The internal audit section listed the areas audited, good security practices, and areas where security could be improved: antivirus protection, physical security, information security, wireless connectivity, database servers, firewall configurations, DMZs and perimeter security.

The internal audit section presented the audit findings, including diagrams and tables, such as the network topology.

Finally, the report showed a summary of conclusions with issues listed in order of risk, with the most critical first.


The report was then agreed with the organisation, and presented to them in a meeting to ensure that the organisation gained the most value from the audit and the report.

The organisation then proceeded to prioritise and resolve the issues.


ISO 27001 Internal Audit Case Study

This is a case study of Dionach carrying out an ISO 27001 internal audit for a public organisation based in the Republic of Ireland. Some of the information has been changed or omitted to maintain confidentiality.


The client is certified to the international standard ISO 27001. Part of the standard specifies that planned, objective and impartial internal ISMS audits should take place. The audits shall determine whether the ISMS:

  • Conforms to the standard
  • Conforms to the information security requirements specified
  • Is effective and well maintained
  • Performs as expected

The organisation felt that it could not resource the audit personnel from within the organisation, and so commissioned Dionach to carry out the internal audits.

Internal Audit

The organisation decided to split the auditing of the ISMS into several stages throughout the year. The scope of the initial audit was the following areas:

  • Risk Assessment
  • Information Handling
  • Physical Security and Incident Reporting

Prior to the audit, Dionach requested copies of the ISMS and other relevant documentation from the organisation. Dionach consultants spent a significant amount of time familiarising themselves with the organisation's documentation and finding out more about the organisation in general. Dionach produced a detailed schedule of tasks and interviews covering four days on site, with two consultants carrying out the audit. The schedule was agreed with the organisation.

On site at the organisation, the consultants liaised with the organisation's ISMS Manager, starting with a tour of the site. The tour also gave a preview of the physical security of the site, and a chance to meet some of the staff.

The Dionach consultants followed the guidelines for auditing specified in ISO 19011 during the course of the audit, applying the following principles: ethical conduct, fair presentation, due professional care, independence, and an evidence-based approach.

After taking notes from documentation, observations and interviews, the consultants gave feedback at the end of every day to the organisation's ISMS Manager on any likely non-conformances or comments.

On the last day, in the closing meeting, Dionach presented a draft report with its findings, each graded as a major non-conformance, a minor non-conformance or a comment. There were no major non-conformances within the scope of the audit, several minor non-conformances, and two comments. The minor non-conformances ranged from easily corrected inconsistencies in the ISMS documentation to issues that would need to be discussed at length in the organisation's Information Security Forum.

In the closing meeting the organisation agreed to have a list of corrective actions for each of the non-conformances by a certain date.

Dionach provided the organisation with a final version of the audit report, and now looks forward to carrying out the next part of the internal audit process.
