
A short guide to Security audits

After devoting the effort to define good policies and implementing consistent security processes and infrastructure, many organizations are lulled into a false sense of confidence.

Effective security is a dynamic process that needs continuous maintenance and improvement. How do you know for sure that your systems have not been breached, or that the policies are actually being followed? Are all software patches up to date? The only way to know is to conduct periodic security audits.

Just as financial audits are usually performed by independent external firms, security audits are better conducted by a team that is independent from the people in charge of implementing the security policies.

Many weaknesses in an existing security policy can be assessed through careful and complete interviews and analysis by a knowledgeable auditor, who documents whether the company is in compliance with its stated policy. Recommendations arising from the auditing process help to improve both the policy and its implementation.

Special attention is paid during audits to ensure compliance with various laws and government regulations related to privacy and confidentiality.

A growing number of tools can automate parts of the auditing process, especially the security assessment of the infrastructure, where they detect known software vulnerabilities and missing patches automatically.

Automated vulnerability scanning and patch management tools do not replace auditors, but can complement and enhance a formal auditing process.
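As an added illustration of the kind of automated check that complements an auditor's interviews (this is example code written for this page, not a tool the article describes), the script below compares a software inventory against a policy of minimum approved versions and reports every host and package that is behind, plus hosts where a policy-listed package was never reported at all. The host names, package names, versions and the policy itself are constructed sample data, not real advisories; the inventory format (`host package version`, one per line) is an assumption.

```python
"""Added example: automated patch-level compliance check for a security audit.
The policy, hosts, packages and versions below are constructed sample data."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed policy (hypothetical): minimum approved version per package.
POLICY_MIN_VERSIONS = {
    "openssh-server": "9.6p1",
    "nginx": "1.24.0",
    "openssl": "3.0.13",
}

# Constructed inventory in an assumed "host package version" line format,
# as a simple agent or an SSH loop over hosts might emit it.
SAMPLE_INVENTORY = """\
web01 nginx 1.22.1
web01 openssl 3.0.13
web01 openssh-server 9.6p1
db01 openssl 3.0.9
db01 openssh-server 9.3p2
db01 nginx 1.24.0
bastion openssh-server 9.6p1
"""


@dataclass(frozen=True)
class Finding:
    host: str
    package: str
    installed: str
    required: str


def parse_version(version: str) -> tuple:
    """Turn a version string into a comparable tuple.

    Numeric runs compare as integers and alphabetic runs as text; each part
    is tagged so an integer never gets compared with a string directly
    (which would raise TypeError). '9.6p1' > '9.3p2', '1.24.0' > '1.22.1'.
    Good enough for an audit report; it is not a full dpkg/rpm comparison.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def parse_inventory(text: str) -> list[tuple[str, str, str]]:
    """Parse 'host package version' lines; blank lines and '#' comments are skipped.
    A malformed line is an error: a silently dropped record would look like compliance."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(
                f"inventory line {lineno}: expected 'host package version', got {line!r}"
            )
        rows.append((fields[0], fields[1], fields[2]))
    return rows


def audit_patch_levels(inventory_text: str, policy: dict) -> list[Finding]:
    """Return a Finding for every (host, package) installed below the policy minimum.
    Packages the policy does not mention are ignored."""
    findings = []
    for host, package, installed in parse_inventory(inventory_text):
        required = policy.get(package)
        if required is not None and parse_version(installed) < parse_version(required):
            findings.append(Finding(host, package, installed, required))
    return findings


def unverified_packages(inventory_text: str, policy: dict) -> dict:
    """Hosts that reported no version for a policy-listed package.
    These are 'unverified', not 'compliant': the auditor has to confirm whether the
    package is genuinely absent or the inventory is incomplete."""
    present: dict[str, set] = {}
    for host, package, _ in parse_inventory(inventory_text):
        present.setdefault(host, set()).add(package)
    result = {}
    for host, packages in present.items():
        gaps = sorted(p for p in policy if p not in packages)
        if gaps:
            result[host] = gaps
    return result


def format_report(inventory_text: str, policy: dict) -> str:
    lines = ["NON-COMPLIANT (installed < required):"]
    for f in audit_patch_levels(inventory_text, policy):
        lines.append(f"  {f.host:<8} {f.package:<15} {f.installed:<8} < {f.required}")
    lines.append("UNVERIFIED (no inventory record for a policy package):")
    for host, gaps in unverified_packages(inventory_text, policy).items():
        lines.append(f"  {host:<8} {', '.join(gaps)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_INVENTORY, POLICY_MIN_VERSIONS))
```

Run against the sample data it flags nginx on web01 and openssl and openssh-server on db01, and lists nginx and openssl on bastion as unverified. The separate "unverified" bucket is the point a practitioner cares about: a scanner that only prints what it found lets missing data pass as a clean result, which is exactly the false confidence the article warns about.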

Désiré has been musing and writing about technology during a career spanning four decades. He dabbled in website building and web hosting when DHTML and frames were en vogue and started writing about the impact of technology on society just before the start of the Y2K hysteria at the turn of the last millennium. Following an eight-year stint at ITProPortal.com where he discovered the joys of global tech-fests, Désiré now heads up TechRadar Pro. Previously he was a freelance technology journalist at Incisive Media, Breakthrough Publishing and Vnunet, and Business Magazine. He also launched and hosted the first Tech Radio Show on Radio Plus.