Which of the following requires that archives of audit logs be kept for long periods of time?

External Auditors

It is often necessary to test or verify the security mechanisms deployed in an environment. The test process is designed to ensure that the requirements dictated by the security policy are followed and that no significant holes or weaknesses exist in the deployed security solution. Many organizations conduct independent audits by hiring outside or external security auditors to check the security of their environment. External audits provide a level of objectivity that an internal audit cannot.

An external auditor is given access to the company’s security policy and the authorization to inspect every aspect of the IT and physical environment. Thus the auditor must be a trusted entity. The goal of the audit activity is to obtain a final report that details any findings and suggests countermeasures when appropriate. However, an audit of this type can take a considerable amount of time to complete—weeks or months, in fact. During the course of the audit, the auditor may issue interim reports. An interim report is a written or verbal report given to the organization about a discovered security weakness that needs immediate attention. Interim reports are issued whenever a problem or issue is too severe to wait until the final audit report is issued.

Once the auditor completes their investigations, an exit conference is held. During the exit conference, the auditor presents and discusses their findings and discusses resolution issues with the affected parties. However, only after the exit conference is over and the auditor has left the premises does the auditor write and submit the final audit report to the organization. This allows the final audit report to be as unaffected as possible by office politics and coercion. After the final audit report is received, the internal auditors should verify whether or not the recommendations in the report are carried out. However, it is the responsibility of senior management to select which recommendations to follow and to delegate the implementation to the security team.

Monitoring

Monitoring is a form of auditing that focuses on the active review of the audited information or the audited asset. For example, you would audit the activity of failed logons, but you would monitor CPU performance. Monitoring is most often used in conjunction with performance, but it can be used in a security context as well. Monitoring can focus on events, subsystems, users, hardware, software, or any other object within the IT environment.

A common implementation of monitoring is known as illegal software monitoring. This type of monitoring is used to watch for attempted or successful installation of unapproved software, use of unauthorized software, or unauthorized use of approved software (i.e., attempts to bypass the restrictions of the security classification hierarchy). Monitoring in this fashion reduces the likelihood of a virus or Trojan horse being installed or of software circumventing the security controls imposed.