How to Do an IT Security Audit

Understanding your business will focus your efforts.

If you're the IT manager at a small to midsize business, it's only a matter of time until you're asked to do an IT security audit. Even in a larger company, if security is decentralized, you may be the go-to guy in IT. You're neither a security expert nor an auditor, and resources are tight. How will you begin and where will you go from there?

• First, don't panic. "People sell themselves short," says Jay M. Williams, senior vice president and chief technology officer at The Concours Group, an IT consulting firm in Kingwood, Texas. "For the most part, security is common sense."

• Join a security research organization such as the Information Security Forum, says RA Vernon, chief security officer at Reuters America Inc. in New York. "You'll find a group of individuals willing to talk about security issues, share experiences and add some value to any process you may try to implement," he says. They can direct you to software, methodologies and other resources to help you tackle the job.

• Consult with your business executives to be sure you understand which aspects of your business are most vulnerable to security threats.

• Consider your industry. "Too often people think they have to create Fort Knox," Williams says, but in reality, few companies have extremely tight data security requirements. "If you're in the nuclear power business, you're right at the top," he says. "But if you're in baked goods, nobody's looking to knock off the Keebler elf."

• Manage executive expectations. "An IT audit program will not happen overnight," says David Hoelzer, director of Global Information Assurance Certification and manager of the Advanced Systems Audit track of the SANS Institute, a cooperative security research and education organization in Bethesda, Md. Depending on the size of the organization, it will take at least several weeks, he says. "Prepare management for the work that will be required of them to assist you," he adds, because they'll need to help correct any faulty policies and practices that are uncovered.

• Map it out. Work with technology and business analysts to draw a high-level schematic of the vulnerable intersections of technology and business, Vernon suggests.

• Consider security tools. There is software that can scan your network and produce a list of areas of exposure. There are also tested methodologies such as OCTAVE from the CERT Coordination Center at Carnegie Mellon University in Pittsburgh that help you build a security program to industry standards. Your colleagues in the security group can help you find the most useful tools for your company's needs. "They take the best practices and roll them up into a product that the IT manager can plug in," Vernon says. "It may not be all you need, but it will be a far cry from where you currently are."

• But don't go tool-happy. "To secure every server and app is not going to have any ROI," says Rick Allen, principal at E-Security Assurance Services in Santa Rosa, Calif. "The level of control has to equal the level of risk. You don't want to put a $500 security tool on an asset worth $50."

• Prioritize. "All vulnerabilities are not created equal," says Larry Rogers, senior member of the technical staff at CERT. "Some fixes are worth the time spent, and some are not." Identify critical information assets by figuring out which could put the company out of business if they were compromised or damaged, says Hoelzer.

• Focus on internal controls. "A Fort Knox firewall in front of your server won't help if someone can still impact that information due to lack of internal controls," says Allen. The five basic internal security controls are authorization, identification of users and systems, authentication, integrity (including backups, checks and balances on data) and monitoring.

• Check that you have reasonable security policies and procedures in place, says Barbara Buechner, formerly senior manager for information security at Merck-Medco Managed Care LLC in Franklin Lakes, N.J., and now on the staff at the Technology Managers Forum in New York. Then make sure that your company's reality matches what you have on paper.

• Write it up. "Address the areas that have been acknowledged as vulnerabilities and put together some documentation as to how you're going to mitigate," Vernon says. Include all the key issues and costs associated with mitigation. "Some vulnerabilities may be accepted by the business because mitigation is too costly," he says. "That's a business decision."

• Stay real. A focused 25-page report with clear action items will accomplish much more than a 1,000-page report that will exhaust everyone's commitment and end up on a shelf, Allen says.

• Consider a pro. For companies with complex security needs, such as a legal obligation to protect customer or patient privacy, it probably makes sense to contract an IT security firm. "Many items that would be obvious to a security professional may be overlooked by a day-to-day administrator," says Tom Watson, project lead for information security at Bayer Corp. Pharmaceutical Division in West Haven, Conn. An outside firm can perform the audit, establish compliance guidelines and help to create security documentation or simply validate that you did your risk assessment correctly and haven't missed anything.

Remember that security is a complex and continuing challenge, and periodic audits are a must. "It's never the end of the story," Vernon says. "Security is an ongoing saga."

Melymuka is a Computerworld contributing writer. Contact her at

Copyright © 2003 IDG Communications, Inc.
