Why your company needs a security audit

The headlines dominate the press:

"Hackers gain access to 8 million credit card numbers"

"Slammer Worm Propagates Across the Globe"

Hackers, viruses and worms are wreaking havoc and causing significant monetary, competitive and psychological damage. For corporations, mitigating the potential loss involves timely detection, effective communication and a plan for resolution. Unfortunately, security teams are feeling the squeeze caused by reduced staffs who have to deal with larger enterprises, networks and systems.

Organizations are slowly realizing that merely purchasing or installing a firewall or intrusion-detection system will not secure their systems and critical data assets from external attack. They are realizing that enterprise security isn't plug and play, and those that continue to treat it that way will incur even larger and often catastrophic losses.

One answer is the employment of information security programs such as a security event management solution, an outsourced vulnerability scanning service or a managed security services provider. Centralized security management solutions are gaining popularity because of their ability to aggregate, standardize, analyze and report security event information in a succinct and real-time manner, all via one central console. They are proving valuable for managing and evaluating the data flow across all installed security devices and continuously auditing security controls.

The ramifications

The increased prevalence of cyberattacks has caused cyber-insurance rates to skyrocket. At the same time, insurance companies are receiving more hacking-related claims and are thoroughly investigating cyberattacks to ensure that a company has met all of its liability requirements by properly installing and maintaining its security infrastructure. Those that haven't met liability requirements won't be covered by insurance. Conversely, those who exceed requirements may soon enjoy a discount in their premiums.

Network risk insurance premiums range from $5,000 to $30,000 per year, per $1 million in coverage, and the hacker insurance market is expected to jump from $100 million in 2003 to $900 million by 2005, according to industry reports. Insurance premiums are going to whittle away at corporate profits unless companies can show that they have employed all possible network controls, procedures and audits to mitigate liability. Lacking security control auditing capabilities is equivalent to installing a steel door at your house with no deadbolt locks. Sure, an insurance inspection will confirm that the conditions were met for the premium, but with no lock, all the controls are wasted.

The solution

Information security organizations and audit organizations have the same goal: to see that mission-critical information is properly protected from unauthorized access and/or update. It is wise for security practitioners to bring audit guidance into a security project -- to include deploying firewalls and intrusion detection systems -- during the early planning stages. This will help to ensure that the resulting controls will be appropriately implemented, both technically and operationally, for protection as well as compliance with security policies that govern the overall security program.

Reed Harrison

Companies, government agencies and service providers need to implement a security event management solution that provides:

  • Evidence of an attack or security violation

  • Indications that it is time to initiate an incident response team or plan

  • Cases of noncompliance to regulatory or audit requirements

  • Possible breakdowns or weaknesses in the security defenses

Such auditing provides a clear picture of security control performance and allows organizations to make necessary changes, tweaks and purchases to prevent a large-scale attack. Corporations have made a significant investment in a wide variety of security products, but without auditing, it's nearly impossible to obtain a comprehensive view of a distributed enterprise security system.

The auditing and monitoring of security controls checks the condition and administration of security point products and offers numerous benefits including the following:

  • Measuring efficiency of operations -- for example, how many viruses were detected vs. how many were cleaned.

  • Evaluating compliance to security policy or standards. For example, antivirus standards state that all desktop antivirus .DAT files will be current. By looking at antivirus logs, security administrators can determine who has and who hasn't downloaded the latest .DAT file.

  • The ability to determine which assets are most mission-critical.

  • The foundation for a comprehensive incident response plan.

There is no substitute for vigilant monitoring of security controls. Relying on increasingly expensive network risk insurance as an offset to diligent security monitoring and risk-mitigation practices can be risky and possibly lethal to a corporation. Implementing a vigorous and repeatable security auditing process will help to minimize external and internal threats while reducing insurance premiums, increasing customer trust and preserving corporate profits.


Copyright © 2003 IDG Communications, Inc.

It’s time to break the ChatGPT habit
Shop Tech Products at Amazon