Subject: When should I have a security audit done? HELP! posted by ScottWright on Sunday, August 31st 2008 @ 11:21 PM
This question was raised to me recently, and I think it is an issue that most managers wonder about. In fact, many fear having a security audit done, for fear of what they might learn. It's a lot like making an appointment for a dental or physical checkup. You want to wait until the time is right to hear the bad news.
Well, you can probably guess my advice. The sooner you know what your security posture is, the better.
[Explanation of Security Posture - a term used by security professionals to describe the suitability of safeguards in place for a system or business relative to the level of risk.]
It is becoming increasingly unacceptable for management to claim they were not aware of a problem, or of any particular type of risk - especially during an incident investigation.
My recommendation is to take a two-phased approach. The first phase would be to do a quick, internal self-audit. This will help you get a sense of how bad things are, and where you need to focus. Then, if you can take action to address some of the known trouble spots, you will have a better showing during a more formal audit. (Note: you can find a free self-assessment for home use in the Download Tools section of The Streetwise Security Zone, which can also be used for small businesses - a specialized small business self-assessment form is coming soon.)
Of course, a formal audit is more thorough and will find more problems. In fact, it is unusual for any organization that has not made a conscious effort to put a security program in place to pass an audit with flying colors.
The best way to look at it is that you should go into an audit expecting to have some weaknesses identified. You should review them, prioritize them and put a firm plan in place to address them over time.
Once you have a record of having had an internal or external audit, and have started taking corrective action, you will feel more in control of your risks. You will also have begun to accumulate evidence that you are taking the responsibility of safeguarding your business information assets seriously.
One final word on compliance. Depending on what regulatory environment you operate in, compliance can be a strict requirement, or it can be a negotiated plan. In many cases, having a plan for corrective measures with definite dates will satisfy an auditor. Of course, it must be followed up, and the actions taken must be recorded. Check with the auditor in advance to understand what they are expecting in terms of compliance for your business situation.