Computer Security Audits

In conversations with large companies and small companies, literature review and looking at best practices for security, one of the most common tools that essentially everyone uses is a security audit. In most cases the security audit is performed regularly – it isn’t just a one time event. OK, this sounds good, but what is it?

Dictionary.com definitions of audit include “an official examination and verification of accounts and records”, “the inspection or examination of a building or other facility to evaluate or improve its appropriateness, safety, efficiency or the like” as well as “to examine and verify an account by references to vouchers”.

A computer security audit means verifying that the system complies with specifications for computer security.

So far we haven’t really said anything – we’ve just laid the foundation for the three big questions:

  • What are these magical specifications for computer security? And where do they come from?
  • How is compliance against the security specifications measured?
  • How is the computer security audit performed?

Missing from this list is the huge question of what is done about lack of compliance against the security specifications. Is fixing any security issues identified in the audit considered part of the audit, or is it a separate exercise?

About Russell Doty

A technology strategist and product manager at Red Hat, working on the next generation of open source systems.
This entry was posted in Security. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s