
Information security audit overview

by sammiller on 2007-09-23

Since information is a company's most valuable resource, any discussion of
security auditing should focus on the IT security audit. Knowing what security
procedures your IT department follows is critical to your business.
Are there any common IT security issues that we should pay attention to? An IT
security auditor should check that the information you use is securely kept and
managed.
Keeping information secure is not an art. There are a few major points your
admin should remember. First, keep data in a secure place, such as an encrypted
hard disk. Second, make sure only authorized persons can access certain
information. Third, make sure it's not possible for an intruder to get your
data.
To audit the backup process, it's enough to emulate a system crash. How long
will it take to recover the whole system? Will all the data be recovered? What
data will be lost? Once the auditor has these figures, it's necessary to compare
them against what is common in the industry, e.g. benchmark your backup process
metrics against those of your colleagues.
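
The three questions above can be answered by a restore drill that is timed and then checked file by file. The following is an added example, not part of the original article; the function names and the sample directory tree are constructed for illustration.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def audit_restore(reference, restore, restored_root):
    """Time restore() and compare its output with the pre-crash manifest."""
    start = time.monotonic()
    restore()
    elapsed = time.monotonic() - start
    restored = manifest(restored_root)
    missing = sorted(set(reference) - set(restored))   # data lost outright
    altered = sorted(k for k in reference
                     if k in restored and restored[k] != reference[k])
    intact = len(reference) - len(missing) - len(altered)
    return {
        "recovery_seconds": elapsed,                   # how long recovery took
        "missing": missing,
        "altered": altered,                            # stale or corrupted copies
        "recovered_ratio": intact / len(reference) if reference else 1.0,
    }


def demo():
    """Constructed sample: a live tree and a backup that lags behind it."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, restored = (Path(tmp) / n for n in ("live", "backup", "restored"))
        (live / "hr").mkdir(parents=True)
        (live / "hr" / "payroll.csv").write_text("id,salary\n1,100\n")
        (live / "contracts.txt").write_text("v1")
        shutil.copytree(live, backup)                  # the last backup run
        (live / "contracts.txt").write_text("v2")      # edited after the backup
        (live / "new.txt").write_text("created after the backup")
        reference = manifest(live)                     # state just before the "crash"
        return audit_restore(reference, lambda: shutil.copytree(backup, restored), restored)


if __name__ == "__main__":
    print(demo())
```

In a real drill, `restore` would invoke the actual backup tool against a scratch machine, and the resulting figures are the metrics to benchmark.
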
What about verifying that only authorized persons can access sensitive data?
That is harder than checking backups. Start by making sure the authorized
administrator has a clear picture of who has access to the sensitive data.
There may be several levels of access, but the whole system must be described
clearly. This is the key part of secure authorization and information sharing.
Most important of all: how do your people manage secure information? Is there a
chance of secure information being copied, i.e. possible information leakage?
Are there people who are unaware of the security measures used within the
company? Do users follow an appropriate password policy?
There are many more questions about possible security leaks and must-scan
issues. How do you know what the security expert should scan? It depends on how
a potential intruder could get your data. It's necessary to use a file shredder
(preferably one that runs in background mode) to make sure the data cannot be
recovered.
How do you check whether users are managing files properly? Try to find possible
breaks in security. For instance, someone may keep files not in the document
management system, which is protected with strong encryption, but on a local
hard disk, protected with an easy-to-crack password.
Can people at your company use flash drives? It's very dangerous, as it makes it
easy to copy sensitive data and take it out of the company, but then again, some
businesses really do require information to be copied to flash drives. What is
the solution? Try to monitor the actual information that is copied to these
drives. For instance, if a user copies password-protected files, that might be a
possible security issue.
Checking passwords is another task. Short or well-known passwords will not do.
Make sure there is a password policy that states which passwords are good and
why. Make sure people follow this policy.
