Importance of Network Security Audits and Assessments

You wouldn’t want to fly on a plane that hasn’t had its regular safety inspection. Or miss an annual trip to the doctor — would you? Similarly, periodically assessing your IT security is an important part of your organization’s preventive maintenance plan.

Security is mostly an invisible attribute. We tend to set it up and then forget about it. But each of us has our blind spots, causing us to miss things. Our infrastructure changes over time, possibly opening it up to new vulnerabilities. And new methods of attack are invented daily, so what was secure yesterday may not be secure today.

Just as every car comes with a list of scheduled maintenance items, your IT organization should have a list of security features to audit on a periodic basis. You can do many of them yourself, but there’s no substitute for having an independent expert occasionally check for your blind spots.

Why undertake periodic assessments?

There is a long list of reasons why you might want to do periodic assessments, and an equally long list of reasons why you should. An increasing number of organizations are bound by governmental regulations that dictate what security measures they must have in place and how those measures should be audited. HIPAA, PCI, FISMA, Sarbanes-Oxley, and Gramm-Leach-Bliley all dictate how to secure different types of data and the systems that manage it. They also require regular security posture assessments, though they vary in their specific requirements and time frames.

If you’re not actually bound by any of these governmental regulations, you still might want to use them as resources to help guide your own IT security practices. ISO 27002 is a good generic security standard, and we discussed the value of FISMA to every organization in the Q4 2006 issue of The Barking Seal.

There are many benefits to doing periodic assessments beyond simply complying with government regulations.

Undertaking regular assessments can help you to:

  • Find out whether your security has already been compromised. You might not know unless you look, and you will sleep better at night if you know.
  • Stay on top of the latest security threats — with new attacks coming on the scene every day, you could become vulnerable even if nothing has changed since your last assessment!
  • Make sure that your staff is being vigilant by maintaining a focus on IT security.
  • Increase awareness and understanding of security issues throughout your company.
  • Make smart security investments by prioritizing and focusing on the high-importance, high-payoff items.
  • Demonstrate to your customers that security is important to you — this shows them that you care about them and their data.