CMP Network Computing
The Role of Auditing in IT and Security

By Elizabeth Wasserman

The health of a business these days depends largely on the ability of executives and employees to access data - data about customers, products, finances, and employees. Increasingly, companies are also under pressure from government, investors, and the marketplace to keep that data secure. For the CIO, securing data means keeping out hackers and other intruders, preventing the theft of data by insiders, and ensuring that information technology systems avoid business disruption. New laws and regulations such as the Sarbanes-Oxley Act of 2002 require that executives continually be aware of the security of their data and -- particularly in the health and financial services sectors -- protect personal information about customers.

In order to meet these demands, a number of companies are undertaking regular data security audits. Nearly 82 percent of organizations responding to the 2004 Computer Crime and Security Survey, conducted jointly by the Computer Security Institute and the Federal Bureau of Investigation, said they conduct security audits as their first line of defense. The survey found that 53 percent of the organizations responding suffered attacks -- both from inside and outside the company -- on their computers. Losses totaled nearly $150 million.

A security audit can be one of the best tools to help a CIO thoroughly understand the flow of information and develop a plan for properly securing a company's data. Audits come in a myriad of types, frequencies, and purposes, and it is essential that a CIO know the ropes before trying to scale them:

Full strategic audit: An external audit of policies and procedures explores how executives manage the IT side of the business. Chad Robinson, a consultant with the Robert Frances Group, says the high-level audit will delve into who deploys systems and how, and what type of procedure is in place to review new applications, among other issues. A full strategic audit gives an enterprise a deep understanding of its IT operations and security, in addition to a roadmap for improving security. The executive team can also use the audit to ensure that a business is complying with new regulations impacting data security. Conduct the audit every few years or more frequently if triggered by events -- such as data loss or theft.

Penetration testing: A thorough, time-consuming "pen test" attempts to breach security and compromise computer systems. It looks for unprotected computer ports, a wireless local area network that managers never knew existed, and other pathways intruders can use to penetrate a network. However, Robinson warns that penetration testing can be costly and can also alienate some in the IT staff because it can actually crash computer systems. He recommends it for companies in which security is of paramount concern. Conduct the penetration test every year or two.

Vulnerability scan: An ongoing assessment of vulnerabilities to known forms of attack can determine whether a business has patched holes or updated commercial software. Vulnerability scans may be conducted by internal staff or consultants. A number of companies have developed software programs that allow organizations to conduct vulnerability scans automatically. Run this on a regular basis, usually monthly, although some programs can be run every night.
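The core of the recurring check described above is a comparison of what is installed against what is known to be patched, plus a reminder when the scan itself is overdue. The following is an added example, not code from the article or from any scanning product it mentions; the software inventory, the baseline of minimum patched versions, and the 30-day cadence are constructed for illustration.

```python
"""Minimal patch-level check of the kind a recurring vulnerability scan performs.

Added example, not from the article. The inventory and the baseline of minimum
patched versions are constructed; a real scan would collect the inventory from
hosts and take the baseline from vendor advisories.
"""
from datetime import date, timedelta

# Constructed: software inventory as reported by a handful of hosts.
INVENTORY = [
    {"host": "web01", "package": "httpd", "version": "2.4.41"},
    {"host": "web01", "package": "openssl", "version": "1.1.1k"},
    {"host": "db01", "package": "postgresql", "version": "12.2"},
    {"host": "db01", "package": "openssl", "version": "1.1.1g"},
    {"host": "fs01", "package": "samba", "version": "4.11.0"},
]

# Constructed baseline: the lowest version that carries the fixes the organization requires.
BASELINE = {
    "httpd": "2.4.41",
    "openssl": "1.1.1k",
    "postgresql": "12.5",
    "samba": "4.11.6",
}


def parse_version(v):
    """Turn "1.1.1k" into a comparable tuple: each dotted piece becomes
    (numeric part, letter suffix) so that 1.1.1k sorts after 1.1.1g and
    12.5 sorts after 12.2 without string-comparison surprises."""
    parts = []
    for piece in v.split("."):
        i = 0
        while i < len(piece) and piece[i].isdigit():
            i += 1
        number = int(piece[:i]) if i else 0
        parts.append((number, piece[i:]))
    return tuple(parts)


def find_unpatched(inventory, baseline):
    """Return (host, package, installed, required) for every item below the baseline."""
    findings = []
    for item in inventory:
        required = baseline.get(item["package"])
        if required is None:
            # Not covered by the baseline; a real scan would report unknown software separately.
            continue
        if parse_version(item["version"]) < parse_version(required):
            findings.append((item["host"], item["package"], item["version"], required))
    return findings


def scan_overdue(last_scan, today, max_age_days=30):
    """Cadence check for the monthly schedule: True when the last scan is older than max_age_days."""
    return (today - last_scan) > timedelta(days=max_age_days)


if __name__ == "__main__":
    for host, pkg, have, need in find_unpatched(INVENTORY, BASELINE):
        print("%s: %s %s is below required %s" % (host, pkg, have, need))
    if scan_overdue(date(2004, 1, 1), date.today()):
        print("scan overdue: last run 2004-01-01")
```

The version parser is deliberately simple; real vendor version strings (epochs, release suffixes, build metadata) need the platform's own comparison routine, and a baseline is only as good as the advisory feed behind it.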

The CIO needs to make the case for a security audit strategy to C-level peers. The most salient points to convey are that IT audits support enterprise security and that security is fundamental to business in today's economy. A leak of confidential data almost always tarnishes the reputation of a company, and it can exact a toll in the form of lost future business, a depressed stock price and government fines. Data audits mitigate risks in the following ways:

  • Monitor weak spots on the network: Audits can detect security breaches and point out to the company various ports and pathways that could make a computer network vulnerable to attack from hackers, competitors, or foreign countries. They can also pinpoint places where an overload of data may lead to a system breakdown and even track the age and return on investment of different systems.

  • Identify and trace attacks: An organization can use audits to pinpoint and track insiders who create, delete, or access certain data. Audits can help a company protect sensitive company information and confidential customer data, and fight fraud. Potential perpetrators may be dissuaded by the mere existence of a data audit.

  • Help comply with regulations: Data audits can provide businesses with a plan for complying with new legislative mandates, monitoring data properly, and reporting breaches in accordance with the new laws.
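The "identify and trace attacks" point above rests on a data-access audit trail that records who created, deleted, or read which records. The following is an added example, not code from the article: it parses a constructed audit log, summarizes activity per user, traces the history of a single record, and flags deletions of confidential records and access outside working hours. The log format, the "customer/" prefix marking confidential objects, and the 08:00 to 17:59 business-hours window are assumptions.

```python
"""Reviewing a data-access audit trail: who created, deleted, or read which records.

Added example, not from the article. The log lines are constructed; the record
format (time|user|action|object), the sensitive-object prefix, and the
business-hours window are assumptions for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed audit records, one event per line: time|user|action|object
AUDIT_LOG = """\
2004-03-01T09:02:11|alice|READ|customer/1001
2004-03-01T09:05:40|alice|READ|customer/1002
2004-03-01T18:30:02|bob|READ|customer/2001
2004-03-01T18:30:05|bob|READ|customer/2002
2004-03-01T18:30:07|bob|READ|customer/2003
2004-03-01T18:30:09|bob|DELETE|customer/2003
2004-03-01T23:55:00|carol|CREATE|customer/3001
2004-03-01T23:56:10|carol|DELETE|customer/3001
"""

SENSITIVE_PREFIX = "customer/"  # assumption: objects under this prefix are confidential
BUSINESS_HOURS = range(8, 18)   # assumption: 08:00 to 17:59 is normal working time


def parse_audit_log(text):
    """Parse the pipe-separated records into dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, obj = line.split("|", 3)
        events.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "object": obj,
        })
    return events


def activity_by_user(events):
    """Per-user count of each action, e.g. {'bob': {'READ': 3, 'DELETE': 1}}."""
    summary = defaultdict(Counter)
    for e in events:
        summary[e["user"]][e["action"]] += 1
    return {user: dict(counts) for user, counts in summary.items()}


def trace_object(events, obj):
    """The full history of one record, in order: the trail an investigator follows."""
    return [(e["time"].isoformat(), e["user"], e["action"])
            for e in events if e["object"] == obj]


def flag_suspicious(events):
    """Flag every deletion of a confidential record and any confidential access
    outside business hours; both are the first things an auditor asks about."""
    flags = []
    for e in events:
        if not e["object"].startswith(SENSITIVE_PREFIX):
            continue
        if e["action"] == "DELETE":
            flags.append((e["user"], "DELETE of sensitive record " + e["object"]))
        elif e["time"].hour not in BUSINESS_HOURS:
            flags.append((e["user"], "after-hours %s of %s" % (e["action"], e["object"])))
    return flags


if __name__ == "__main__":
    evts = parse_audit_log(AUDIT_LOG)
    print(activity_by_user(evts))
    print(trace_object(evts, "customer/2003"))
    for user, reason in flag_suspicious(evts):
        print("%s: %s" % (user, reason))
```

The flags are starting points for a reviewer, not verdicts: an after-hours read may be a legitimate on-call task, which is why the trace of the specific record is kept alongside the summary so the reviewer can see the sequence of events, not just a count.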

The threats to data security are not going away. Companies are relying more on their data and increasingly sharing it with business partners. They also need to secure data as a measure of good corporate governance -- not only because it's now the law. "There's an old joke among IT professionals that the best security is a pair of wire cutters," said Robinson. CIOs need to consider data security audits as a proactive measure to keep their organization running smoothly -- and securely.

Elizabeth Wasserman has written about technology and business for Inc., the San Jose Mercury News, and CIO Insight. She is a freelance writer based in Fairfax, Virginia.


TechWeb is brought to you by CMP Media LLC, Copyright © 2004