Security Audit Report

Definition

The security audit report is the security work product that documents the results of a security audit.

Objectives

The typical objectives of the security audit report are to:

TBD

Benefits

The typical benefits of the security audit report are to:

Ensure that each application has an appropriate approach to security.
Ensure that all aspects of security are addressed.

Contents

The typical contents of the security audit report are:

Security Threat Analysis:
- Denial Of Service
- Fraud
- Impersonation
- Privacy Violation
- Repudiation
- Sabotage
- Theft
- Vandalism
- Virus
Appendices:
- Major Issues
- TBDs
- Assumptions

Stakeholders

The typical stakeholders of the security audit report are:

Producer: Security Team
Evaluators: Architecture Inspection Team
Approvers:
- Project Management Team
- Customer Representative
Maintainers: Security Team
Users:
- Requirements Team, which uses the security policy to elicit standard security requirements.
- Architecture Team, which uses the security policy to architect standard security mechanisms.

Phases

Business Strategy: Completed
Business Optimization: Completed
Initiation: Completed
Construction: Maintained
Delivery: Maintained
Usage: Maintained
Retirement: Archived

Preconditions

The security audit report typically can be started if the following preconditions hold:

The initiation phase is started.
The security team is staffed and trained in security.

Inputs

The security audit report typically has the following inputs:

Work products:
- Security Policy
Stakeholders:

Guidelines

The security requirements for individual applications are documented in the associated System Requirements Specifications.
The security mechanisms for individual applications are documented in the associated software architecture documents.

Conventions

The security audit report is typically constrained by the following conventions:

Content and Format Standard
MS Word Template
XML DTD
Inspection Checklist

Examples

Example Security Audit Report