How to Do an IT Security Audit

Computerworld - If you're the IT manager at a small to midsize business, it's only a matter of time until you're asked to do an IT security audit. Even in a larger company, if security is decentralized, you may be the go-to guy in IT. You're neither a security expert nor an auditor, and resources are tight. How will you begin and where will you go from there?
• First, don't panic. "People sell themselves short," says Jay M. Williams, senior vice president and chief technology officer at The Concours Group, an IT consulting firm in Kingwood, Texas. "For the most part, security is common sense."
• Join a security research organization such as the Information Security Forum, says RA Vernon, chief security officer at Reuters America Inc. in New York. "You'll find a group of individuals willing to talk about security issues, share experiences and add some value to any process you may try to implement," he says. They can direct you to software, methodologies and other resources to help you tackle the job.
• Consult with your business executives to be sure you understand which aspects of your business are most vulnerable to security threats.
• Consider your industry. "Too often people think they have to create Fort Knox," Williams says, but in reality, few companies have extremely tight data security requirements. "If you're in the nuclear power business, you're right at the top," he says. "But if you're in baked goods, nobody's looking to knock off the Keebler elf."
• Manage executive expectations. "An IT audit program will not happen overnight," says David Hoelzer, director of Global Information Assurance Certification and manager of the Advanced Systems Audit track of the SANS Institute, a cooperative security research and education organization in Bethesda, Md. Depending on the size of the organization, it will take at least several weeks, he says. "Prepare management for the work that will be required of them to assist you," he adds, because they'll need to help correct any faulty policies and practices that are uncovered.
• Map it out. Work with technology and business analysts to draw a high-level schematic of the vulnerable intersections of technology and business, Vernon suggests.
Consider security tools. There is software that can scan your network and produce a list of areas of exposure. There are also tested methodologies such as OCTAVE from the CERT Coordination Center at Carnegie Mellon University in Pittsburgh that help you build a security program to industry standards. Your colleagues in the security group can help you find the most useful tools