Mention the word audit to IT professionals and you will probably see their eyes glaze over as they imagine frightening visions of auditors with pointy tails, pitchforks, and checklists run ning around and pointing out all of the things they have done wrong to their manager. The purpose of a security audit is not to place blame or pick apart network design, but to ensure the integrity, effectiveness, and compliance of corporate security policies. Auditing provides the ability to test the assumptions companies have about how secure they think they are from threats and to gauge whether or not policies map to industry best practices and compliance laws. An organization's level of risk is quantified by placing a value on the assets of the busi ness and analyzing what impact the exploitation of vulnerabilities can have to the business as a whole. Auditors find risk and check to see whether the appropriate controls are in place to mitigate exposure to that risk.

Auditing is not just about running a bunch of hacker tools in an attempt to break into the net work. There are many types of audits, and the scope of an audit defines what the auditor inspects and how often. Many organizations require an annual audit of key systems by an out side firm (external audit), whereas others also mandate internal audits every six months or before and after any major IT project. If you are subject to PCI compliance requirements, you might need to have an audit preformed every quarter. The bottom line is if you aren't auditing today, you will be forced to through regulations or encouraged to by industry best practices. It simply makes good business sense to measure the effectiveness of your security investment.

The ultimate benefit of auditing is to continuously improve the processes, procedures, and controls put in place to secure valuable corporate assets. Businesses today have a responsibili ty to their customers to safe guard their confidential data. Numerous high-profile security fail ures have shattered that trust through carelessness while handling backup media and allowing millions of credit cards and financial records to fall into the hands of individuals determined to illegally profit at the expense of others. It takes only one major breach to appear in the news for a company to experience significant loss of shareholder value and sometimes even the total loss of the company itself. Having a policy and enforcing it are essential to protect ing your business. Auditing that policy plays a key role in making sure that the policy actually accomplishes the goal of reducing risk and therefore protects key assets from loss. A large percentage of security failures can be minimized or prevented with a strong risk-based audit ing program.