Computerworld - Experts say that 80% of security risks are internal, so you want to focus your IT security audit on internal controls. The key to auditing internal controls is to ask the right questions.
For example, if only five people are allowed to access a certain system, check whether those five can access it and also whether anyone else can, says Barbara Buechner, former senior manager for information security at Merck-Medco Managed Care LLC (now Medco Health Solutions Inc.) in Franklin Lakes, N.J., and now on the staff at the Technology Managers Forum in New York.
"Through the years of integration of various platforms, sometimes you think you have all the controls in place, and if you test only for the positive, you may not find the negative," she says. "It may look on paper like you've got it controlled, but you don't really. If you don't ask the right questions, you won't get the right answers."
Tom Watson, project lead for information security at Bayer Corp. Pharmaceutical Division in West Haven, Conn., offers some questions that should be included routinely in an audit of internal IT security controls. They are:
Read more about Security in Computerworld's Security Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
