Asking the Right Questions

Experts say that 80% of security risks are internal, so you want to focus your IT security audit on internal controls. The key to auditing internal controls is to ask the right questions.

For example, if only five people are allowed to access a certain system, check whether those five can access it and also whether anyone else can, says Barbara Buechner, former senior manager for information security at Merck-Medco Managed Care LLC (now Medco Health Solutions Inc.) in Franklin Lakes, N.J., and now on the staff at the Technology Managers Forum in New York.

"Through the years of integration of various platforms, sometimes you think you have all the controls in place, and if you test only for the positive, you may not find the negative," she says. "It may look on paper like you've got it controlled, but you don't really. If you don't ask the right questions, you won't get the right answers."
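The check Buechner describes has two halves: a positive test (does everyone on the authorized list actually have access?) and a negative test (does anyone else?). The script below is an added example, not code from the article or from any of the organizations named in it. It assumes the auditor can export two things: the list of people authorized to reach the system, and the system's access-control entries, where an entry may be a user or a (possibly nested) group. All names, groups and entries are constructed sample data.

```python
"""Positive and negative access testing for an internal-controls audit.

Added example (not from the article). Given the people *authorized* to
reach a system and the system's actual access-control entries, report:

  * authorized people who cannot actually get in   (positive test fails)
  * people who can get in but are not authorized    (negative test fails)

Group nesting and group cycles are handled, because nested groups are
where the "it looks controlled on paper" problem usually hides.
"""
from typing import Dict, Iterable, List, Optional, Set


def expand_principal(principal: str,
                     groups: Dict[str, Iterable[str]],
                     seen: Optional[Set[str]] = None) -> Set[str]:
    """Resolve a principal to the set of user names it grants access to.

    A name that is a key in `groups` is a group and is expanded
    recursively; any other name is treated as an individual user.
    `seen` guards against self-referencing or cyclic groups.
    """
    seen = set() if seen is None else seen
    if principal not in groups:
        return {principal}
    if principal in seen:          # cycle: already expanded this group
        return set()
    seen.add(principal)
    members: Set[str] = set()
    for member in groups[principal]:
        members |= expand_principal(member, groups, seen)
    return members


def effective_users(acl: Iterable[str],
                    groups: Dict[str, Iterable[str]]) -> Set[str]:
    """Flatten an access-control list into the set of users it admits."""
    users: Set[str] = set()
    for entry in acl:
        users |= expand_principal(entry, groups)
    return users


def audit_access(authorized: Iterable[str],
                 acl: Iterable[str],
                 groups: Dict[str, Iterable[str]]) -> Dict[str, object]:
    """Run both halves of the check and return the findings."""
    expected = set(authorized)
    actual = effective_users(acl, groups)
    return {
        "missing": sorted(expected - actual),     # positive test failures
        "unexpected": sorted(actual - expected),  # negative test failures
        "ok": expected == actual,
    }


# --- constructed sample data (hypothetical names, not from the article) ---
AUTHORIZED: Set[str] = {"alice", "bob", "carol", "dave", "erin"}
GROUPS: Dict[str, List[str]] = {
    "payroll-admins": ["alice", "bob", "finance-leads"],
    "finance-leads": ["carol", "frank"],   # frank gets in via nesting
    "legacy-ops": ["dave", "legacy-ops"],  # self-referencing group
}
ACL: List[str] = ["payroll-admins", "legacy-ops", "svc-backup"]

if __name__ == "__main__":
    findings = audit_access(AUTHORIZED, ACL, GROUPS)
    print("Authorized but cannot access:", findings["missing"])
    print("Can access but not authorized:", findings["unexpected"])
    print("Control matches paper:", findings["ok"])
```

On the sample data the positive test shows erin has no path in, and the negative test surfaces frank (inherited through a nested group) and a service account nobody put on the authorized list; a review that only confirmed the five named people would have missed both.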

Tom Watson, project lead for information security at Bayer Corp. Pharmaceutical Division in West Haven, Conn., offers some questions that should be included routinely in an audit of internal IT security controls. They are:

  • What's your password policy? (Number of characters, complexity, aging, account lockout)
  • Is there a procedure for identifying users before resetting passwords?
  • Is there a method of authorizing new accounts and getting rid of old accounts?
  • Is there a process to limit access based on job function and/or roles?
  • How often do you review your access-control lists?
  • Do you give individuals only enough access to do their jobs?
  • Is there a firewall?
  • What type of connectivity do you have to the Internet or to outside partners? Are these connections protected?
  • Do you use antivirus products? If so, are they updated regularly?
  • Do you use laptops? If so, are users trained on how to properly protect them both physically and electronically?
  • Do you allow remote connectivity? If so, do you use strong authentication for remote access into your network?
  • Is your voice-mail system secured with passwords?
  • Are your network and systems administrators trained in security?

Copyright © 2003 IDG Communications, Inc.