The security audit is a practice that could best be filed under the "necessary evil" category. While no business owner, executive or IT manager relishes the thought of enduring an end-to-end security examination, it's generally understood that an audit is the best and only way to fully ensure that all of a business's security technologies and practices are performing in accordance with established specifications and requirements.
Security audits are typically conducted for the purposes of business-information security, risk management and regulatory compliance. If performed correctly, a security audit can reveal weaknesses in technologies, practices, employees and other key areas. The process can also help companies save money by finding more efficient ways to protect IT hardware and software, as well as by enabling businesses to get a better handle on the application and use of security technologies and processes. As bothersome as security audits are, business owners, executives and IT managers who truly understand them realize that periodic examinations can actually help ensure that security strategies are in sync with overall business activities and goals.
There is no standard security-audit process, but auditors typically accomplish their job through personal interviews, vulnerability scans, examination of OS and security-application settings, and network analyses, as well as by studying historical data such as event logs. Auditors also focus on the business's security policies to determine what they cover, how they are used and whether they are effective at meeting ongoing and future threats.
CAATs (Computer-Assisted Audit Techniques) are often employed to help auditors gain insight into a business's IT infrastructure in order to spot potential security weaknesses. CAATs use system-generated audit reports, as well as monitoring technology, to detect and report changes to a system's files and settings. CAATs can be used with desktop computers, servers, mainframe computers, network routers and switches, and an array of other systems and devices.
While CAATs can provide definitive data on business systems, auditors must also keep an eye on activities and practices that are not easily quantifiable. Some of the key questions that an auditor must ask include:
Many other questions pertaining to the exact nature of the business's operations also must be addressed.
An auditor's skills and affiliations depend on the nature of the audit and the audited company's business focus. An internal audit will usually draw auditors from within the business's own IT and accounting departments. Alternatively, a company may hire a security consultant to handle the job. A financial institution or other business working in a regulated industry will often find itself dealing with federal and state regulators. Auditors may also be sent to a business by private standards-setting bodies and other industry organizations.
Shortly after the audit concludes, the auditors will usually brief a company's owners, executives and managers on what they've discovered and if any immediate remedial action is necessary. A few days or weeks later, the auditors usually issue a formal report. Stakeholders can use both the meeting and the report as opportunities to gain insight into their security practices and make improvements.
While a security audit is usually a specific event, IT security is an ongoing process. As a business designs, deploys and maintains its security policies, technologies and practices, it should strive to maintain a constant state of preparedness that will allow it to pass a security audit at any given moment.