Mention the word audit to IT professionals and you will probably see their eyes glaze over as they imagine frightening visions of auditors with pointy tails, pitchforks, and checklists running around and pointing out all of the things they have done wrong to their manager. The purpose of a security audit is not to place blame or pick apart network design, but to ensure the integrity, effectiveness, and compliance of corporate security policies. Auditing provides the ability to test the assumptions companies have about how secure they think they are from threats and to gauge whether policies map to industry best practices and compliance laws. An organization's level of risk is quantified by placing a value on the assets of the business and analyzing what impact the exploitation of vulnerabilities can have on the business as a whole. Auditors find risk and check to see whether the appropriate controls are in place to mitigate exposure to that risk.
Auditing is not just about running a bunch of hacker tools in an attempt to break into the network. There are many types of audits, and the scope of an audit defines what the auditor inspects and how often. Many organizations require an annual audit of key systems by an outside firm (external audit), whereas others also mandate internal audits every six months or before and after any major IT project. If you are subject to PCI compliance requirements, you might need to have an audit performed every quarter. The bottom line is that if you aren't auditing today, you will be forced to by regulations or encouraged to by industry best practices. It simply makes good business sense to measure the effectiveness of your security investment.
The ultimate benefit of auditing is to continuously improve the processes, procedures, and controls put in place to secure valuable corporate assets. Businesses today have a responsibility to their customers to safeguard their confidential data. Numerous high-profile security failures have shattered that trust through carelessness while handling backup media, allowing millions of credit cards and financial records to fall into the hands of individuals determined to illegally profit at the expense of others. It takes only one major breach to appear in the news for a company to experience significant loss of shareholder value and sometimes even the total loss of the company itself. Having a policy and enforcing it are essential to protecting your business. Auditing that policy plays a key role in making sure that the policy actually accomplishes the goal of reducing risk and therefore protects key assets from loss. A large percentage of security failures can be minimized or prevented with a strong risk-based auditing program.