A security audit is a manual or scheduled, systematic, measurable technical security assessment of a system or application.
What makes up a security audit? Assessments include interviewing staff, performing security vulnerability scans, reviewing application and operating system access controls, and analyzing physical access to the systems. Automated assessments, or CAATs (Computer-Assisted Audit Tools), include system-generated audit reports produced by software that monitors and reports changes to files and settings on systems such as personal computers, servers, mainframes, network routers, and switches.
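To make the automated side concrete, here is an added example (not part of the original page) of the core of such a tool: it records a baseline of file hashes and permission bits, then reports what changed on the next run. The file names and contents are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's relative path to (SHA-256 digest, permission bits)."""
    state = {}
    for path in Path(root).rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[str(path.relative_to(root))] = (digest, path.stat().st_mode & 0o7777)
    return state

def audit_report(baseline, current):
    """Compare two snapshots; return (finding, path) tuples ordered by path."""
    findings = []
    for path in sorted(baseline.keys() | current.keys()):
        if path not in current:
            findings.append(("REMOVED", path))
        elif path not in baseline:
            findings.append(("ADDED", path))
        else:
            if baseline[path][0] != current[path][0]:
                findings.append(("CONTENT_CHANGED", path))
            if baseline[path][1] != current[path][1]:
                findings.append(("PERMISSIONS_CHANGED", path))
    return findings

def demo():
    """Constructed sample: build a small tree, baseline it, change it, re-audit."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, text, mode=0o644):
            path = Path(root, name)
            path.write_text(text)
            path.chmod(mode)
        write("sshd_config", "PermitRootLogin no\n")
        write("app.conf", "debug=false\n", 0o600)
        write("old.log", "rotate me\n")
        baseline = snapshot(root)                         # the scheduled baseline run
        write("sshd_config", "PermitRootLogin yes\n")     # a setting was changed
        Path(root, "app.conf").chmod(0o644)               # permissions were loosened
        Path(root, "old.log").unlink()                    # a file was deleted
        write("cron.sh", "#!/bin/sh\n", 0o755)            # a new file appeared
        return audit_report(baseline, snapshot(root))

if __name__ == "__main__":
    for finding, path in demo():
        print(f"{finding:20} {path}")
```

In practice the baseline would be stored somewhere the audited system cannot modify, so that a change to the files cannot be hidden by also rewriting the baseline.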
In the earlier years of mainframe and mini-computing, with large-scale, single-vendor, custom software systems from companies such as IBM and Hewlett Packard, auditing was considered a mission-critical function. Since then, commercial off-the-shelf (COTS) software applications and components, as well as PCs, have almost completely replaced custom software and hardware as more cost-effective business management solutions.
Through this evolution, security auditing gradually went from a mission-critical priority to a customer-defined low priority. Software consumers, having little else to fall back on, have simply accepted the lesser standards as normal. The consumer licenses of existing COTS software and hardware disclaim all liability for security, performance, and data integrity issues.
However, security audits are not a set-it-and-leave-it sort of thing at all. The worst thing a business could do would be to wait to conduct a security audit until after a successful attack. Consistency in auditing establishes a standard against which you can measure progress and develop new and improved plans in the future.
Need help conducting a security audit? Give us a call today!