11 Security audits
A third party should audit secure applications, certificate authorities, and S.E.E. agencies periodically.
The audit should cover aspects discussed in this document as well as application security, operating system security, surrounding infrastructure (e.g. firewalls), physical security, and the policies and procedures for managing the environment.
An audit could be performed against a particular standard, e.g. NZS 4444; in future the S.E.E. Project is likely to define which standards apply. It would be prudent to use multiple auditors over time to gain the broadest possible advice.
An audit should be performed as a partnership so that the auditors have the maximum amount of information available to make the best recommendations to the agency audited. The auditor should discuss draft recommendations with the agency and together they should carefully consider the benefits of each, the expense or effort, and any potential negative impact on functionality. The audit recommendations should then be prioritised. If there is disagreement between the parties, both views should be presented.
Audits should be performed after any significant change to components in the architecture, and otherwise at least annually.