First in a series
IT security audits allow companies to critically view and assess how protected they really are.
The basic aim of a security audit is to know who has access to systems, who is using a system, for what purpose, and at what time. A penetration test early in the audit reveals vulnerabilities that need to be addressed. In other words, a security audit is a snapshot of the security status of an organization at a particular point in time.
Regulations are the major driver for companies to have security audits. Banks and other financial institutions have to comply with federal regulations. Health care-related organizations have audits mandated by the Health Insurance Portability and Accountability Act (HIPAA). Government bodies have auditing mandates as well.
Much of the time, companies have internal staff handle the audit, then have an outside firm spot check the work much like they do for accounting audits, said Umesh Verma, President and CEO of Blue Lance, a Houston-based monitoring software company.
Generally, audits are the domain of large corporations, Verma said. For some, compliance with regulations is the primary mover, while others embrace audits because "it's the fashion," he said.
Some organizations like having the checkmark of having an IT/IS security audit done. "For these companies, security is lip service," he said.
At the other end of the spectrum are the largest corporations that see themselves as leaders in security. They have teams of people who specifically focus on assessing and mitigating security risk, Verma said.
Companies, especially those that are required to have audits, take them pretty seriously. "Bad (audits) automatically affect all IT operational policies," said Eric Etheredge, IT manager for a bankruptcy trustee in Lubbock, Texas. "Good (audits) might reinforce current policies and even spark some policy revisions."
"I think companies spend more time on security after they've failed an audit, whether internal or external," said Peter Lindstrom, director of security strategies at the Hurwitz Group. "This brings exposure all the way up to the board of directors and in some cases a fine if the audit is from a government agency."
Some companies run audits continuously, while others audit at set intervals, such as once a year. Looking inward is quite important, as more than 80% of system compromises come from within, Verma said.
The rise of the Web has posed new challenges to the way auditing is done as the number and kinds of users have increased, said Ronn Bailey, CEO/CTO of Vanguard Integrity Professionals, a security product and services company.
Before the Internet, companies had an easier time monitoring who had access to systems. Often, users had to sign an agreement outlining what they could do. Keeping track of authorized users was also a snap. Security auditing at that time focused on mainframes, where security is very centralized.
Now, a company could literally have a million authorized users as the meaning of that term changes, Bailey said. The way those systems are secured has also changed. Auditors started looking at the perimeter defense rather than at the big mainframes.
However, Bailey offers a cautionary analogy. Germany never breached the Maginot Line that defended France; it went around it. France fell because it didn't have a country-based way of protecting itself. Such a scenario may be possible for companies that put their emphasis on defending their perimeter without putting similar effort into securing their central systems.
SearchSecurity's series on IT security audits continues tomorrow, with an article focusing on audits from a CEO's perspective.