Thursday, February 26, 2009

Auditing Your Computer Systems

When you're learning about something new, it's easy to feel overwhelmed by the sheer amount of relevant information available. This informative article should help you focus on the central points.

The computer systems auditing field has grown enormously in the last 15 years, due to the rise in systems being used at the small business level, handling three times as much data as before. If you are a small business with a network, you should have some type of computer audit program in place.

A computer security audit is a systematic, measurable technical assessment of how the organization's security policy is employed at a specific site. Computer security auditors work with the full knowledge of the organization, at times with considerable inside information, in order to understand the resources to be audited.

Security audits do not take place in a vacuum; they are part of the ongoing process of defining and maintaining effective security policies. This is not just a conference room activity. It involves everyone who uses any computer resources throughout the organization.

Once you begin to move beyond basic background information, you begin to realize that there's more to security than you may have first thought.

Computer security auditors perform their work through personal interviews, vulnerability scans, examination of operating system settings, analyses of network shares, and historical data. They are concerned primarily with how security policies - the foundation of any effective organizational security strategy - are actually used. There are a number of key questions that security audits should attempt to answer:

Are passwords difficult to crack?
Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
Are there audit logs to record who accesses data?
Are the audit logs reviewed?
Are the security settings for operating systems in accordance with accepted industry security practices?
Have all unnecessary applications and computer services been eliminated for each system?
Are these operating systems and commercial applications patched to current levels?
How is backup media stored? Who has access to it? Is it up-to-date?
Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?
Have custom-built applications been written with security in mind?
How have these custom applications been tested for security flaws?
How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?

These are just a few of the kinds of questions that can and should be assessed in a security audit. In answering these questions honestly and rigorously, an organization can realistically assess how secure its vital information is.

As a small business, your audit checklist might not be that detailed, but these are some of the questions that you want an outside auditor to ask if you decide to have your system audited.

Don't limit yourself by refusing to learn the details about security. The more you know, the easier it will be to focus on what's important.


