Introduction [CISMP]
2m 30s
Summary [CISMP]

The course is part of this learning path


An audit is an independent review and examination of records and activities.

The objective is to assess the adequacy of system controls and to ensure compliance with established policies and operational procedures.

Most organisations have an auditing policy that covers how each of these aspects (adequacy, compliance with policies and procedures) of the security service must be met.

Audit information can be collected from almost any component in an operating system, network, or application. As most applications generate audit event information, this event source should also be considered for collection.

The auditing policy should define what information should be collected for each type of event. For example, for logon events, the time of the logon and the workstation used is likely to be collected.

In a large IT infrastructure with many components, managing audit trails can be difficult – so, some organisations have implemented a centralised audit collection service through a Security Information and Event Management – or SIEM (Security Information Event Management) – solution.  This is a system allowing the collection of audit logs from multiple sources that allow for investigation into potential security events.

In all cases, it’s important to have an accurate time source universally used across the infrastructure to allow audit events to be correlated between systems.

Auditing: two colleagues using calculator and computer and documents.

Analysis and Protective Monitoring or SIEM

SIEM (Security Information Event Management) is an application that provides the ability to gather security data from information system components. It presents that data as actionable information via a single interface.

Audit information is generally collected for two primary reasons:

  • To support incident management and forensic examination – if an incident has occurred, the audit information can establish what happened and support further investigations.
  • To enable protective monitoring.

The viewing and analysis of audit logs should be documented in the auditing policy which should also state the type of reports that need to be produced.

Protective monitoring is an emerging capability offered from advanced security operations centres. It is defined as:

'Ensuring that system owners are provided with a real-time feed of information regarding the status of ICT systems, providing awareness of activities of the threat sources and enabling security incidents to be detected, investigated and effectively remediated.'

Real-time is an important concept here. A system with protective monitoring should alert operators when critical events occur. When audit events are sent to a SIEM, they can trigger real-time alerts to an operator located in the Security Operations Centre (SOC).

As you can see it's a two-way street between the organisation and the SOC, in terms of raising the alarm when a threat is spotted, continual monitoring of the network, and constant reinforcement of the system.

What's next?

Next up, you'll be studying protective monitoring.


In this course on IT infrastructure security, we’ll be looking at the SD3 framework and some modern development approaches that seek to incorporate security into the development right from the beginning. You’ll also look at detection and testing in some detail.

About the Author
Learning Paths

A world-leading tech and digital skills organization, we help many of the world’s leading companies to build their tech and digital capabilities via our range of world-class training courses, reskilling bootcamps, work-based learning programs, and apprenticeships. We also create bespoke solutions, blending elements to meet specific client needs.