Preparing for a Security Audit

Preparing for a Security Audit

The topic of security comes up a lot in IT circles. We see headlines every day about breaches and fear that our company could be next. Ok, that may not be exactly our response. However, hackers are real and a threat to every business that is online. That makes the idea of a security audit attractive to many managers and business owners. They want to be comfortable with where they stand and any associated risks. This may even be a requirement as part of due diligence for an acquisition or investor.

A Security Audit is Not Scary

The word “audit” seems to strike fear in the hearts of many. I get it and feel the same trepidation every time I hear it. We seem to think an audit always points to our flaws, and that is a bad thing. To the contrary, an audit of this sort provides a way for us to get better. Yes, it points out flaws and weaknesses. However, it also provides feedback on how to eliminate or overcome those shortcomings. That means that we will be better off, more secure, once we go through an audit and learn from it. It also helps to go into an audit, knowing that imperfections will be highlighted. No system is perfect, so all we can do is look for ways to get better.

Get Your Ducks In A Row

The first step to take before a security audit is to clean up the flaws you already know about. This action will make the process more valuable. Less time will be spent on going over the “things you already know.” That means your time and money will be better spent. Why would you pay someone to tell you what you already know. There is another side effect of taking this action. Sometimes weaknesses or flaws are masked by another problem upstream. Think about a dirty window that blocks a view of a dirty room. You will not know about the room until you clean the window. Similarly, clean up the issues you know about, so there is less chance of hiding those flaws you need to understand. Security is a prime area of this sort of environment. By its nature, most IT security is built in layers or walls. Thus, it is by design that a flaw in one level may be masked or even corrected at another level.

Ask The Experts

We are not all security masters. That is not a problem. There are plenty of resources available on the Internet to guide us implementing best practices for security no matter what environment we have built. You can bring in security consultants, but you can save a lot of money by hitting some of the cornerstone security sites. One of the best sources of this information is the OWASP site. You can find white papers that cover overall security concerns as well as detailed tutorials for hardening your systems. Many of this documentation is source material for security audit procedures and processes. Therefore, you will be able to educate yourself about these measures while getting a head start on how the security audit will expect your environment to look.

Yes, It Is That Simple

You may be amazed at how short this article is. However, the details that you will find in those security tutorials can take hours or days (or more) to implement. The plan is simple. It is the execution that can be a challenge. Nevertheless, there are a lot of security recommendations that are quick and easy to implement. Even a little investment of time can make your security audit experience enjoyable and educational. That statement may seem laughable but do not take my word for it. Give it a shot and see how much more secure your systems are as your confidence about them soars.

Leave a Reply