In conversations with companies large and small, in literature reviews, and in surveys of security best practices, one of the most common tools that essentially everyone uses is a security audit. In most cases the security audit is performed regularly – it isn’t just a one-time event. OK, this sounds good, but what is it?
Dictionary.com definitions of audit include “an official examination and verification of accounts and records”, “the inspection or examination of a building or other facility to evaluate or improve its appropriateness, safety, efficiency or the like” as well as “to examine and verify an account by references to vouchers”.
A computer security audit means verifying that the system complies with specifications for computer security.
So far we haven’t really said anything – we’ve just laid the foundation for the three big questions:
- What are these magical specifications for computer security? And where do they come from?
- How is compliance against the security specifications measured?
- How is the computer security audit performed?
Missing from this list is the huge question of what is done about lack of compliance against the security specifications. Is fixing any security issues identified in the audit considered part of the audit, or is it a separate exercise?