The IT infrastructure is a corporation's most valuable asset, delivering competitive advantages, processing the bulk of business transactions, and storing confidential information on all areas of the company, including financial data, customer and supplier databases, engineering schedules, business plans, human resource records, and email. Today most of this information is accessible online. And it's all vulnerable. It must be protected constantly and thoroughly without interrupting business.
Failure to do so can result in staggering losses, both tangible and intangible. In 2003 it was estimated that businesses lost $1 billion due to viruses. The projection for 2004 is $2-$3 billion. Add to that the intangible losses, such as loss of competitive advantage and customer trust, and it's clear: secure your data or be doomed.
Enterprises invest heavily in infrastructure security, often taking a medieval fortress approach: keep the hackers and bad guys out. More often than not, however, the enemy is within. The Gartner Group forecasts that in the near future 90 percent of all security breaches will originate inside companies.
Even when employees are not stealing secrets, they may be compromising security by flouting IT operating procedures. In one survey, the Gartner Group found that 56 percent of companies had suffered an abuse of computer access controls, and that 78 percent had employees installing or using unauthorized software.
All such activity occurs in what we call the "soft middle," the sections of the enterprise between the firewalls. Particularly vulnerable in this area "inside the perimeter" are servers, switches, routers, and workstations. Common vulnerabilities include:
- Default configurations that are left unchanged
- Default passwords that are left unchanged
- Configuration of unnecessary services
- Latest security patches not installed
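The four weaknesses above are exactly what a regular internal audit should look for before an external auditor does. The following is an added example (not code from the original article) of a self-audit run over a constructed host inventory; the vendor defaults, service allow-lists, patch baselines and host records are hypothetical values embedded inline.

```python
from dataclasses import dataclass

# Hypothetical vendor default credentials an auditor expects to see changed.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "password"), ("cisco", "cisco")}
# Hypothetical factory settings that should not survive a production build.
DEFAULT_SETTINGS = {"snmp_community": "public", "telnet": "enabled"}
# Services with no business justification on a given device role (hypothetical).
UNNEEDED_SERVICES = {"workstation": {"telnet", "ftp", "snmp"}, "router": {"http", "telnet"}}
# Lowest acceptable patch level per role, as (major, minor) tuples (hypothetical).
PATCH_BASELINE = {"workstation": (2004, 3), "router": (12, 2)}


@dataclass
class Host:
    name: str
    role: str
    settings: dict        # configuration keys collected during the review
    accounts: list        # (username, password) pairs found in the config
    services: set         # listening/enabled services
    patch_level: tuple    # (major, minor) currently installed


def audit_host(host: Host) -> list[str]:
    """Return one finding per weakness, in the order the article lists them."""
    findings = []
    for key, default in DEFAULT_SETTINGS.items():        # default configurations
        if host.settings.get(key) == default:
            findings.append(f"default-config: {key}={default}")
    for user, pw in host.accounts:                       # default passwords
        if (user, pw) in DEFAULT_CREDENTIALS:
            findings.append(f"default-password: {user}")
    for svc in sorted(host.services & UNNEEDED_SERVICES.get(host.role, set())):
        findings.append(f"unnecessary-service: {svc}")  # unnecessary services
    baseline = PATCH_BASELINE[host.role]                 # missing patches
    if host.patch_level < baseline:
        findings.append(f"missing-patches: at {host.patch_level}, baseline {baseline}")
    return findings


def audit(hosts: list[Host]) -> dict[str, list[str]]:
    """Map each host name to its list of findings (empty list means clean)."""
    return {h.name: audit_host(h) for h in hosts}


# Constructed sample inventory: one workstation and one router.
INVENTORY = [
    Host("ws-17", "workstation", {"snmp_community": "public"},
         [("alice", "s3cret")], {"rdp", "ftp"}, (2004, 1)),
    Host("rtr-01", "router", {"telnet": "disabled"},
         [("cisco", "cisco")], {"ssh"}, (12, 4)),
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY).items():
        print(name, findings or "clean")
```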
Today more than ever security audits are a fact of life for IT departments. The better we understand what they are and how to prepare for them proactively, the easier they will become.
IT Security Audit Overview
IT security audits are frequently met with fear and intimidation. Often an audit is the culmination of a year’s worth of effort placed under a magnifying glass, or an unending series of “spot checks” during the year.
Preparation for security audits includes significant effort, updating systems, checking consistency, and ensuring that all the facts are presented accurately. In place of fear and intimidation, this effort could be embraced with a much more positive attitude. Regular internal audits should be performed to meet specific objectives and used to assist with enterprise security strategy, assessment, and administration.
The work of the auditor is intended to benefit the company as a whole, from shareholders to customers. The effort can provide peace of mind – once it’s complete. Increasingly, it is becoming a requirement. Sarbanes-Oxley mandates infrastructure security controls as they relate to a company’s financial reporting. The HIPAA guidelines, the Gramm-Leach-Bliley Act, the FDIC, FDA, FTC, and the Federal CIO Council’s efforts are just a few more examples, all intended to enforce privacy and accountability requirements that ultimately result in solid IT data integrity. Interestingly, and of significance here, this legislation embraces the audit process.
Security audits can be used by IT administrators and managers to improve or verify their work, but audits can hurt if you aren't savvy about the process.
Security audits can have many facets. Auditors may do ethical hacking to test systems and networks. They may also review projects to make sure they are meeting objectives. Tools and applications being used by an enterprise may also be scrutinized. Source-code reviews of homegrown applications can also be on the agenda.
Security audits are a way of "closing loopholes" within a company's infrastructure and do not pose a threat. Most IT departments do not have the internal expertise to double-check their own security, so auditors provide that verification.
IT staffers should prepare for audits by becoming aware of the auditing process; in some cases, that awareness can enable them to influence the outcome, expose security issues, or push a particular agenda through.
IT managers shouldn't be intimidated by auditors. In fact, most auditors like it when you challenge them, because it shows you really care about your work and processes. Auditors tend to ask for more information than they need. Asking auditors to explain why they are requesting information makes for a better audit.