The last post laid out guidelines for a security guide.
We’re now at the point where we can discuss a system audit. We have defined what an audit is, what security requirements are, and what a security guide is.
At the most basic level, a system audit involves examining a system to verify that it conforms to specifications. This includes operational specifications for the role the system is performing, verifying the integrity and configuration of the system, and compliance against the company security guide.
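To make the two halves of that definition concrete (configuration checked against the guide, and integrity checked against a known-good baseline), here is a small checklist-style audit written in Python. It is an added example, not code from this post or any product it describes: the sshd-style configuration text, the file contents and the required values in `SECURITY_GUIDE` are constructed for illustration, and the guide itself is hypothetical rather than any real company's policy.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample of an sshd_config-style file as read from an audited host.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
"""

# Hypothetical checklist derived from a security guide: setting -> required value.
# A setting the guide requires but the host does not set is a failure as well.
SECURITY_GUIDE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "Protocol": "2",
}

# Constructed known-good file contents recorded when the baseline was taken.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"Port 22\nPermitRootLogin no\nPasswordAuthentication no\n",
    "/usr/sbin/sshd": b"\x7fELF constructed stand-in for a binary",
}

# Constructed current contents of the same files on the audited host.
CURRENT_FILES = {
    "/etc/ssh/sshd_config": SAMPLE_SSHD_CONFIG.encode(),
    "/usr/sbin/sshd": b"\x7fELF constructed stand-in for a binary",
}


@dataclass
class Finding:
    check: str
    expected: str
    actual: str
    passed: bool


def parse_key_value_config(text):
    """Parse 'Key value' lines; skip blanks and comment lines. First occurrence wins, as sshd does."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0], value)
    return settings


def audit_settings(config_text, guide):
    """Configuration check: every guide setting must be present with the required value."""
    settings = parse_key_value_config(config_text)
    findings = []
    for key, required in guide.items():
        actual = settings.get(key, "<absent>")
        findings.append(Finding(key, required, actual, actual.lower() == required.lower()))
    return findings


def baseline_hashes(files):
    """Record sha256 digests of known-good content; in practice this is stored off-host."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def audit_integrity(current_files, baseline):
    """Integrity check: current file digests must match the recorded baseline."""
    findings = []
    for path, data in current_files.items():
        digest = hashlib.sha256(data).hexdigest()
        expected = baseline.get(path, "<no baseline>")
        findings.append(Finding("integrity:" + path, expected, digest, digest == expected))
    return findings


def summarize(findings):
    """Collapse findings into the numbers an auditor reports: total, failed, and which checks failed."""
    failed = [f.check for f in findings if not f.passed]
    return {"total": len(findings), "failed": len(failed), "failed_checks": failed}


def run_audit():
    findings = audit_settings(SAMPLE_SSHD_CONFIG, SECURITY_GUIDE)
    findings += audit_integrity(CURRENT_FILES, baseline_hashes(BASELINE_FILES))
    return summarize(findings)


if __name__ == "__main__":
    for f in audit_settings(SAMPLE_SSHD_CONFIG, SECURITY_GUIDE):
        print(f"{'PASS' if f.passed else 'FAIL'} {f.check}: expected {f.expected}, got {f.actual}")
    print(run_audit())
```

Run stand-alone it prints one line per configuration check and then the summary; the same structure (a checklist of expected values, a baseline of digests, a list of findings) is what a repeatable audit needs whether the checks are run by a person or a script.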
In many cases system audits are manual processes. A team of people, either internal or from an external company hired to do the audit, go through a written set of checklists and manually verify system settings and configuration.
These audits are time consuming, tedious, and expensive. They are also error prone…
As a result, companies may only audit a system every six months, once a year, or even every two years.
There has to be a better way!