The security audit is a practice that could best be filed under the "necessary evil" category. While no business owner, executive or IT manager relishes the thought of enduring an end-to-end security examination, it's generally understood that an audit is the best and only way to fully ensure that all of a business's security technologies and practices are performing in accordance with established specifications and requirements.
Security audits are typically conducted for the purposes of business-information security, risk management and regulatory compliance. If performed correctly, a security audit can reveal weaknesses in technologies, practices, employees and other key areas. The process can also help companies save money by finding more efficient ways to protect IT hardware and software, as well as by enabling businesses to get a better handle on the application and use of security technologies and processes. As bothersome as security audits are, business owners, executives and IT managers who truly understand them realize that periodic examinations can actually help ensure that security strategies are in sync with overall business activities and goals.
There is no standard security-audit process, but auditors typically accomplish their job through personal interviews, vulnerability scans, examination of OS and security-application settings, and network analyses, as well as by studying historical data such as event logs. Auditors also focus on the business's security policies to determine what they cover, how they are used and whether they are effective at meeting ongoing and future threats.
CAATs (Computer-Assisted Audit Techniques) are often employed to help auditors gain insight into a business's IT infrastructure in order to spot potential security weaknesses. CAATs use system-generated audit reports, as well as monitoring technology, to detect and report changes to a system's files and settings. CAATs can be used with desktop computers, servers, mainframe computers, network routers and switches, and an array of other systems and devices.
While CAATs can provide definitive data on business systems, auditors must also keep an eye on activities and practices that are not easily quantifiable. Some of the key questions that an auditor must ask include:
Many other questions pertaining to the exact nature of the business's operations also must be addressed.
An auditor's skills and affiliations depend on the nature of the audit and the audited company's business focus. An internal audit will usually draw auditors from within the business's own IT and accounting departments. Alternatively, a company may hire a security consultant to handle the job. A financial institution or other business working in a regulated industry will often find itself dealing with federal and state regulators. Auditors may also be sent to a business by private standards-setting bodies and other industry organizations.
Shortly after the audit concludes, the auditors will usually brief a company's owners, executives and managers on what they've discovered and if any immediate remedial action is necessary. A few days or weeks later, the auditors usually issue a formal report. Stakeholders can use both the meeting and the report as opportunities to gain insight into their security practices and make improvements.
While a security audit is usually a specific event, IT security is an ongoing process. As a business designs, deploys and maintains its security policies, technologies and practices, it should strive to maintain a constant state of preparedness that will allow it to pass a security audit at any given moment.