Many of the organizations that I have been involved with perform either an annual or a biannual security audit. The stated purpose of these audits is usually to look for security vulnerabilities. In actuality, however, the audits are oftentimes performed as a matter of tradition or of dealing with some sort of mandate. That being the case, there is sometimes a failure on the part of the organization to follow through on making use of the audit results.
A security audit can be a very effective tool for determining an organization’s security strengths and weaknesses. However, if an organization is going to undergo the effort and expense of a comprehensive security audit, then it needs to have a plan in place for dealing with the audit’s findings.
In my opinion, the best time to do a security audit is at the end of the year or near the end of the organization’s fiscal year. That way, any deficiencies that are detected as a result of the security audit can be addressed at the same time that the budget is being created for the following year.
Of course, this isn’t to say that every perceived vulnerability must be addressed, or that every security problem can be fixed by throwing money at it. It is usually completely unrealistic to expect to be able to address every known security vulnerability. A better approach is to prioritize the security risks.
The risk prioritization process is actually fairly simple, but it can be a bit time-consuming. The process begins with a thorough review of the security audit results. This review shouldn’t be performed by a single person, but rather by a group of people within your organization who have a good understanding of IT security. It is also a good idea to involve someone from the finance department in the review process. I will explain why in a moment.
For each perceived security vulnerability, there are four things that need to be determined. The first is the likelihood that the vulnerability will be exploited. In making this determination, you might consider if the vulnerability has been widely publicized and if there are other systems in place that would make the vulnerability difficult to exploit.
The second consideration is the impact of the vulnerability being exploited. In other words, what are the consequences to the organization if someone were to exploit the known vulnerability? This is where having someone from the finance department on hand comes into play. Someone from the finance department would be better able than someone from IT to help you estimate the financial impact of a breach.
The third consideration is what it would take to address the vulnerability. Can the vulnerability be closed by doing something as simple as applying a patch, or will you have to invest in some sort of security product? In some cases, you may find that simply changing the way that IT performs a certain procedure will be sufficient to address the vulnerability.
This leads me to the fourth consideration. That consideration is the cost of implementing the proposed solution. Again, having someone on hand from the finance department could prove to be helpful.
Once all of this information has been compiled, the next step in the process is to present the findings to the powers that be. It will ultimately be up to them to review the findings and determine which vulnerabilities should be addressed based on the threat to the organization and the cost of the solution.
Realistically, most IT professionals are probably smart enough to make such a determination on their own. The reason it is important to involve executive management in the process is that they will be the ones who ultimately determine the IT budget for the following year. That being said, it is important to make sure that the report is credible, and not sensationalized. Having someone from the finance department to help estimate the financial costs of various types of security breaches will help to enhance the report's credibility.
Although it will ultimately be the executive management team that determines how much of the organization’s budget will be applied to addressing security issues, it is a good idea to include the IT staff’s recommendations in the report. Although the report will largely speak for itself, failing to include IT recommendations could result in a situation in which the executive management team issues a directive for IT to address a larger number of security issues than they have the manpower to handle.
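The four determinations described above, together with the IT staffing limit, can be recorded as a small risk register that produces the IT recommendation for the report. This is an added example, not part of the original article: the likelihood-times-impact score, the greedy selection rule, and every finding and figure below are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    name: str
    likelihood: float   # 1. estimated chance of exploitation in the coming year (0-1)
    impact: float       # 2. estimated loss if exploited (finance's estimate)
    remedy: str         # 3. what it would take to address the vulnerability
    cost: float         # 4. cost of implementing the proposed solution
    staff_hours: int    # IT effort, so the plan fits available manpower

    @property
    def expected_loss(self) -> float:
        # Assumed scoring rule (not from the article): likelihood x impact.
        return self.likelihood * self.impact

def prioritize(findings, budget, hours):
    """Return (recommended names, {deferred name: reason}) within budget and hours."""
    # Rank by expected loss avoided per unit of cost; free fixes rank first.
    ranked = sorted(findings, key=lambda f: f.expected_loss / max(f.cost, 1.0),
                    reverse=True)
    recommended, deferred = [], {}
    for f in ranked:
        if f.expected_loss <= f.cost:
            deferred[f.name] = "fix costs more than the expected loss"
        elif f.cost > budget:
            deferred[f.name] = "exceeds remaining budget"
        elif f.staff_hours > hours:
            deferred[f.name] = "exceeds remaining staff hours"
        else:
            budget -= f.cost
            hours -= f.staff_hours
            recommended.append(f.name)
    return recommended, deferred

# Constructed sample audit findings (illustrative values only).
AUDIT = [
    Finding("Unpatched file server", 0.30, 200_000, "apply vendor patch", 500, 8),
    Finding("Shared admin password", 0.20, 150_000, "change IT procedure", 0, 20),
    Finding("No email filtering", 0.50, 80_000, "buy filtering product", 25_000, 60),
    Finding("Legacy kiosk OS", 0.02, 10_000, "replace hardware", 15_000, 40),
    Finding("Flat internal network", 0.10, 500_000, "segment network", 40_000, 200),
]

if __name__ == "__main__":
    recommended, deferred = prioritize(AUDIT, budget=60_000, hours=120)
    print("Recommend:", recommended)
    for name, reason in deferred.items():
        print("Defer:", name, "-", reason)
```

The deferred list and its reasons belong in the report alongside the recommendations, so that management sees what is being left unaddressed and why.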
Although an annual security audit might be part of the culture in the organization where you work, the security audit is meaningless unless corrective action is taken. Although it is not always necessary to address every conceivable security threat, it is important to address those threats that are most likely to harm your organization.
About Brien Posey
Brien Posey is a freelance technical writer who has received Microsoft's MVP award six times for his work with Exchange Server, Windows Server, IIS, and File Systems Storage. Brien has written or contributed to about three dozen books, and has written well over 4,000 technical articles and white papers for a variety of printed publications and Web sites. In addition to his writing, Brien routinely speaks at IT conferences and is involved in a wide variety of other technology-related projects. Prior to going freelance, Brien served as CIO for a national chain of hospitals and healthcare companies. He has also served as a Network Administrator for the Department of Defense at Fort Knox, and for some of the nation's largest insurance companies.