The audit trial
Security audits help identify areas of weakness in the IT infrastructure and prioritise investments.
There are few, if any, business leaders today who are not aware of the potentially devastating impact that an IT security breach can wreak on a company.
The potential for financial loss, damage to brand value and the consequences of breaching compliance regulations have all contributed to a heightened awareness of the need for robust security.
Yet at the same time, there is still a suspicion that hangs over security spending. Much like the Year 2000 bug, there is a feeling that investments are not entirely justified. Security spending is always easier to get sanctioned after a catastrophic event; the more proactive approach produces few events that grab attention.
To get management buy-in for security spending, CIOs need to talk about risk, linking spending to business outcomes, says Andrew Wilson, project manager at blue chip user group, the Information Security Forum. "Too often security spending is driven by hype, reacting to the latest big scare story, rather than based on a sound analysis of risk."
To a large extent, evaluating risk is not a technical project: it demands that IT and business managers carefully evaluate the business impact of losing specific elements of the technical infrastructure. This will then identify the priority areas for security investment.
Finding weaknesses
Having identified the essential systems to protect, organisations must then establish what the threats to these systems are. The most common approach is a penetration test, often conducted by an accredited third-party specialist. This deploys techniques straight from the script kiddies' repertoire, such as port scanning and ping sweeps, to identify weaknesses in corporate IT security.
This phase of the security audit often throws up an unexpected source of potential risk, says Roy Hills, technical director at vulnerability testing company NTA Monitor. "Businesses often find they have exposed some system that really has no need to be connected to the Internet. If it doesn't add value to the business, it should be blocked off at the firewall."
Once the penetration tester has completed this 'zero knowledge test' and built up a picture of the target systems, they then attack the known vulnerabilities. While responsible testers stop short of damaging the system, businesses need to be prepared for this type of activity. It may be better to conduct the test out of working hours, as it can slow down important systems.
Alongside external threats it is important to consider the internal threats, says Gavin Cartwright, testing team manager in BT's security practice. Typically, disgruntled employees are considered the main risk, but the problem is far wider. So-called 'ghost accounts' can allow former employees to gain access.
Increasingly, IT systems are being opened up to third parties, partners and even customers; outsourcing also widens the number of users with access to corporate systems. "It's easy to overlook the internal threat. In fact the potential for damage is far greater," says Cartwright.
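The account review that turns up the 'ghost accounts' and unsponsored third-party access described above can be scripted. The following is an added example, not code from the article or from BT; the account export, the HR leavers list and the 90-day dormancy threshold are constructed assumptions.

```python
from datetime import date

# Constructed sample data for illustration; not exported from any real system.
HR_LEAVERS = {"jsmith", "rpatel"}  # logins whose owners have left the business
ACCOUNTS = [
    {"login": "jsmith",   "type": "employee",    "last_login": "2024-01-10", "owner": ""},
    {"login": "mjones",   "type": "employee",    "last_login": "2024-06-01", "owner": ""},
    {"login": "rpatel",   "type": "employee",    "last_login": "",           "owner": ""},
    {"login": "acme-svc", "type": "third_party", "last_login": "2023-11-02", "owner": ""},
    {"login": "kbrown",   "type": "contractor",  "last_login": "2024-05-28", "owner": "mjones"},
]


def audit_accounts(accounts, leavers, today, dormant_days=90):
    """Return {login: [reasons]} for every account that needs review."""
    findings = {}

    def flag(login, reason):
        findings.setdefault(login, []).append(reason)

    for acct in accounts:
        login = acct["login"]
        # 1. Ghost account: the HR leavers list says this person has gone.
        if login in leavers:
            flag(login, "owner has left but the account is still enabled")
        # 2. Dormant or never-used account: misuse would go unnoticed.
        last = acct["last_login"]
        if not last:
            flag(login, "never logged in")
        elif (today - date.fromisoformat(last)).days > dormant_days:
            flag(login, f"no login for more than {dormant_days} days")
        # 3. Partner/contractor access with no internal sponsor to vouch for it.
        if acct["type"] != "employee" and not acct["owner"]:
            flag(login, "non-employee account has no named internal owner")
    return findings


def run_audit(today=date(2024, 6, 10)):
    """Run the audit over the constructed sample (fixed 'today' for repeatability)."""
    return audit_accounts(ACCOUNTS, HR_LEAVERS, today)


if __name__ == "__main__":
    for login, reasons in sorted(run_audit().items()):
        print(f"{login}: {'; '.join(reasons)}")
```

In practice the leavers set comes from the HR system and the account list from the directory export, and the review is repeated on a schedule rather than as a one-off.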
Having highlighted weak spots, businesses can then look to patch systems according to business priorities. However, too often security audits are carried out on an ad hoc basis, and vulnerabilities remain unpatched. And while 'policy, process, procedure' may have become the mantra of the embattled security officer, it needs board-level support to ensure that good practice flows from the good intentions.
Security accreditation
Bibles of best practice have been developed - the BS7799 security standard is a case in point - but gaining accreditation for these standards can be onerous, says Mike Small, director of eTrust strategy at Computer Associates. "Does it set a useful benchmark? I think the answer is yes. Should your organisation become accredited? Only if it has to."
In thinking about IT in these terms, businesses leaders can relate to security investments in much the same way as they would other investments, says Small. For example, managers can decide whether they want the 'insurance' of having up-to-date virus definitions, much in the same way as they decide on the level of insurance for fleet cars. "For big businesses, they're used to doing those sorts of calculations, once they understand what's involved," says Small.
However, others believe that regulatory compliance will drive adoption of standards like BS7799. While accreditation can be tortuous, it is a useful way of checking that partners - explicitly those that are granted access to some part of the IT infrastructure - operate in a secure fashion, says Keith Foggon, director of security services at penetration testers Sapphire. "The rule is simple: If someone connects to my system, I'm going to demand that their system is secure."