Computerworld - While automated assessment tools and application services can help keep networks running with minimal exposure, they're no substitute for an annual security audit by trained security staff, says Allen Carey, information security analyst at IDC, a Framingham, Mass.-based research firm.
Automated tools fail to take into account people, processes, best practices, physical security and other components of a comprehensive risk assessment sweep across a large organization, says Bill Ferguson, a partner at Tatum CIO Partners LLP, a Pittsburgh-based outsourcer of CIO consulting services. "When we do an audit, we look at 21 factors," says Ferguson. To help companies conduct more comprehensive audits of their own, he suggests that the following points be audited in a companywide assessment:
• Security policy and accountability for its enforcement
• Risk assessment against critical information assets
• Account management and access controls
• Authentication
• Configuration and change management
• Session controls
• Network security, Internet access policies and network services
• Cryptographic technologies for transmission and storage
• Modems
• System administration
• Incident response
• Auditing
• Viruses
• Contingency planning
• Backups
• Maintenance
• Labeling (is sensitive information clearly defined and labeled?)
• Media sanitizing and disposal
• Physical security
• Personnel security
• Training and awareness
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
