Monthly Archives: November 2014

If you are going to perform a security audit you need a checklist. Let’s spend a minute on this. If you want a predictable outcome, you need a standard process – a standard set of steps to go through to … Continue reading →

So far we have established: Security Guides are a good idea and exist in almost all organizations. Security audits are good and widely used. Security guides are often poorly written, subject to interpretation, and difficult to apply. Security audits are … Continue reading →

We’re now at the point where we can discuss a system audit. We have defined what an audit is, what security requirements are, and what a security guide is. At the most basic level, a system audit involves examining a … Continue reading →

Let’s lay out some basic requirements for a security guide: The security guide must exist. It must be available, updated, and maintained. The security guide must incorporate relevant government and industry requirements. The security guide must be actionable. If it … Continue reading →

In many cases a security guide is a binder full of often vague, occasionally overly specific and sometimes conflicting requirements. It has usually grown and evolved over a number of years and is written by and for people. Thus, many … Continue reading →