The security audit is a practice that could best be filed under the "necessary evil" category. While no business owner, executive or IT manager relishes the thought of enduring an end-to-end security examination, it is generally understood that an audit is the most reliable way to verify that all of a business's security technologies and practices are performing in accordance with established specifications and requirements.
Security audits are typically conducted for the purposes of business-information security, risk management and regulatory compliance. If performed correctly, a security audit can reveal weaknesses in technologies, practices, employees and other key areas. The process can also help companies save money by finding more efficient ways to protect IT hardware and software, as well as by enabling businesses to get a better handle on the application and use of security technologies and processes. As bothersome as security audits are, business owners, executives and IT managers who truly understand them realize that periodic examinations can actually help ensure that security strategies are in sync with overall business activities and goals.
Audit Practices and Activities
There is no standard security-audit process, but auditors typically accomplish their job through personal interviews, vulnerability scans, examination of OS and security-application settings, and network analyses, as well as by studying historical data such as event logs. Auditors also focus on the business's security policies to determine what they cover, how they are used and whether they are effective at meeting ongoing and future threats.
CAATs (Computer-Assisted Audit Techniques) are often employed to help auditors gain insight into a business's IT infrastructure in order to spot potential security weaknesses. CAATs use system-generated audit reports, as well as monitoring technology, to detect and report changes to a system's files and settings. CAATs can be used with desktop computers, servers, mainframe computers, network routers and switches, and an array of other systems and devices.
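The change-detection part of a CAAT described above amounts to recording a baseline of file contents and permissions and later comparing the live system against it. The following is an added example, not code from the article or from any CAAT product: a minimal file-integrity baseline and comparison in Python. The directory tree, its contents, the modes and the "unauthorized changes" are all constructed inside a temporary directory for the demonstration, and the file names (sshd_config, shadow, cron.d/backdoor) are illustrative assumptions, not findings from a real system.

```python
"""Baseline-and-compare file-integrity check, in the spirit of a CAAT that
reports changes to a system's files and settings (added example)."""
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Record digest, permission bits and size for every regular file under root.
    Symlinks are skipped so a planted link cannot make the check hash a file
    outside the audited tree."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue
        st = p.lstat()
        baseline[str(p.relative_to(root))] = {
            "sha256": hash_file(p),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size,
        }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines into the four kinds of finding an auditor cares about."""
    findings = {"added": [], "removed": [], "content_changed": [], "mode_changed": []}
    findings["added"] = sorted(current.keys() - baseline.keys())
    findings["removed"] = sorted(baseline.keys() - current.keys())
    for rel in sorted(baseline.keys() & current.keys()):
        if baseline[rel]["sha256"] != current[rel]["sha256"]:
            findings["content_changed"].append(rel)
        if baseline[rel]["mode"] != current[rel]["mode"]:
            findings["mode_changed"].append(
                (rel, oct(baseline[rel]["mode"]), oct(current[rel]["mode"]))
            )
    return findings


def demo() -> dict:
    """Build a constructed tree, snapshot it, apply simulated tampering, re-snapshot,
    and return the findings. Everything here is synthetic test data."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        etc = root / "etc"
        etc.mkdir()
        (etc / "sshd_config").write_text("PermitRootLogin no\nPasswordAuthentication no\n")
        (etc / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (etc / "shadow").write_text("root:*:19000:0:99999:7:::\n")
        os.chmod(etc / "shadow", 0o600)
        before = build_baseline(root)

        # Simulated changes an auditor would want surfaced (constructed, not real):
        (etc / "sshd_config").write_text("PermitRootLogin yes\nPasswordAuthentication no\n")  # setting weakened
        os.chmod(etc / "shadow", 0o644)           # secret file made world-readable
        (etc / "passwd").unlink()                 # file removed
        (etc / "cron.d").mkdir()
        (etc / "cron.d" / "backdoor").write_text("* * * * * root /tmp/x\n")  # file added

        after = build_baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind}: {items}")
```

In practice the baseline would be written to storage the audited host cannot modify (otherwise an intruder who changes a file can also change its recorded digest), and the comparison would run from a separate, trusted host on a schedule, which is the monitoring role the CAAT plays.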
While CAATs can provide hard, quantifiable data on business systems, auditors must also keep an eye on activities and practices that are not easily quantifiable. Some of the key questions that an auditor must ask include:
- Who is in charge of security, and who does this person report to?
- Have ACLs (Access Control Lists) been applied to network devices and file shares to restrict who can reach shared data?
- How are passwords created and managed?
- Are there audit logs to record who accesses data?
- Who reviews the audit logs, and how often are they examined?
- Are the security settings for OSes and applications in accordance with accepted industry security practices?
- Have unnecessary applications and services been purged from systems? How often does this task take place?
- Are all OSes and applications updated to current patch levels?
- How is backup media stored? Who has access to it? Is it up-to-date?
- How is email security addressed?
- How is Web security addressed?
- How is wireless security addressed?
- Are remote workers covered by security policies?
- Is a disaster-recovery plan in place? Has the plan ever been rehearsed?
- Have custom applications been tested for security flaws?
- How are configuration and code changes documented? How often are these records reviewed?
Many other questions pertaining to the exact nature of the business's operations also must be addressed.
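The questions about audit logs above (whether accesses are recorded, and who reviews the records and how often) are only satisfied if someone actually reads the logs with specific concerns in mind. The following is an added example, not code from the article: a small Python review of SSH authentication records that flags repeated failures from one source, any interactive root login, and logins outside business hours. The log lines are constructed for the example, the line format is a simplified sshd-style format rather than a guarantee about any distribution's exact wording, and the 08:00 to 18:00 UTC business window and the five-failure threshold are assumptions an auditor would replace with the business's own policy.

```python
"""Review of constructed SSH authentication records for the findings an
auditor asks about (added example; log lines are synthetic)."""
import re
from collections import Counter
from datetime import datetime

# Constructed sample records. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2024-03-04T08:55:12Z sshd[1201]: Accepted publickey for alice from 10.0.5.23 port 50122
2024-03-04T09:02:40Z sshd[1210]: Failed password for root from 203.0.113.9 port 41002
2024-03-04T09:02:42Z sshd[1210]: Failed password for root from 203.0.113.9 port 41002
2024-03-04T09:02:44Z sshd[1211]: Failed password for root from 203.0.113.9 port 41004
2024-03-04T09:02:46Z sshd[1211]: Failed password for root from 203.0.113.9 port 41004
2024-03-04T09:02:48Z sshd[1212]: Failed password for root from 203.0.113.9 port 41006
2024-03-04T09:03:01Z sshd[1212]: Accepted password for root from 203.0.113.9 port 41006
2024-03-04T12:15:00Z sshd[1300]: Failed password for invalid user admin from 198.51.100.7 port 33011
2024-03-04T12:16:00Z sshd[1300]: Received disconnect from 198.51.100.7 port 33011:11: Bye Bye
2024-03-04T23:47:10Z sshd[1402]: Accepted publickey for bob from 10.0.5.40 port 52200
"""

# Assumed simplified sshd line shape; "invalid user" is consumed so the real
# attempted username lands in the user group.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+$"
)

BUSINESS_START_HOUR = 8   # assumption: 08:00 UTC
BUSINESS_END_HOUR = 18    # assumption: 18:00 UTC
FAILURE_THRESHOLD = 5     # assumption: failures per source that warrant a finding


def parse(log_text: str) -> tuple[list[dict], int]:
    """Return (parsed auth events, count of lines the parser did not understand).
    Unparsed lines are counted rather than dropped silently, so a format change
    that blinds the review is itself visible to the reviewer."""
    events, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        ev = m.groupdict()
        ev["time"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events, unparsed


def review(log_text: str) -> dict:
    """Apply three review rules and return the findings."""
    events, unparsed = parse(log_text)
    failures = Counter(ev["src"] for ev in events if ev["result"] == "Failed")
    brute_force = {src: n for src, n in failures.items() if n >= FAILURE_THRESHOLD}
    root_logins = [
        (ev["ts"], ev["src"]) for ev in events
        if ev["result"] == "Accepted" and ev["user"] == "root"
    ]
    off_hours = [
        (ev["ts"], ev["user"], ev["src"]) for ev in events
        if ev["result"] == "Accepted"
        and not (BUSINESS_START_HOUR <= ev["time"].hour < BUSINESS_END_HOUR)
    ]
    return {
        "brute_force": brute_force,
        "root_logins": root_logins,
        "off_hours": off_hours,
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    for kind, items in review(SAMPLE_LOG).items():
        print(f"{kind}: {items}")
```

Each rule corresponds to something the checklist asks for: the failure count answers whether anyone would notice password guessing, the root-login rule checks that privileged access is both recorded and looked at, and the off-hours rule is the kind of policy-specific check that only a human who knows the business can define. The unparsed-line count matters too; a review script that silently ignores what it cannot read gives false comfort.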
An auditor's skills and affiliations depend on the nature of the audit and the audited company's business focus. An internal audit will usually draw auditors from within the business's own IT and accounting departments. Alternatively, a company may hire a security consultant to handle the job. A financial institution or other business working in a regulated industry will often find itself dealing with federal and state regulators. Auditors may also be sent to a business by private standards-setting bodies and other industry organizations.
Aftermath and Follow-Up
Shortly after the audit concludes, the auditors will usually brief a company's owners, executives and managers on what they've discovered and if any immediate remedial action is necessary. A few days or weeks later, the auditors usually issue a formal report. Stakeholders can use both the meeting and the report as opportunities to gain insight into their security practices and make improvements.
While a security audit is usually a specific event, IT security is an ongoing process. As a business designs, deploys and maintains its security policies, technologies and practices, it should strive to maintain a constant state of preparedness that will allow it to pass a security audit at any given moment.