Infosecurity-magazine.com brings up an excellent point – that network security threats come in two forms: external and internal. External threats, such as those from hackers, should be addressed by effective use of firewalls, antivirus systems and data encryption technologies. And, if your industry comes under regulatory oversight, you can face significant penalties if you don’t effectively address these threats.
But, what about internal threats to security? These can be deliberate or accidental actions by your own team, perhaps caused by “unauthorized access by internal staff, password guesses, unwanted changes, incorrect permission assignment and even accidental changes and deletion.” You can manage some of this through Active Directory and Group Policy Objects to control user rights and access permissions, but how will you know whether those controls are actually effective? Through audits!
ComputerWeekly.com echoes the need for internal security audits, stating that they “fulfill an important role in ensuring policies and procedures are being followed and the business is in compliance with relevant standards and legislation.”
Fortunately, there are numerous free self-assessment tools available online for auditing the security of your company’s network, and another ComputerWeekly.com article lists such resources and offers guidance on how to use them. Each time an internal security audit is conducted, make sure you follow the same process and document all relevant findings. These reports will play a crucial role if a security breach occurs, and they are especially important if your industry is subject to regulatory oversight.
The goals of an internal audit should include determining how well security controls are working and how they can be improved, both in effectiveness and in ease of use. Where, for example, are security controls so impractical that they affect worker productivity? Where are these controls not working optimally?
Successful audits are carefully planned, with the purpose explicitly communicated to all relevant parties. All key participants must agree upon the goals and scope of the network security audit, as well as who will perform it and with which tools. How much time should this audit take? When is the least disruptive time to schedule this internal audit? When is the target completion date? Is there any leeway?
If your company is large enough, you may already have an internal audit team in place. If not, what members of your team should participate? What kind of training do they need? What additional access to data will need to be given? Security clearances?
There is significant value in conducting regular internal security audits that take place entirely within your own organization. This allows you to assess and manage risk, and to improve upon your security controls before disaster strikes.
External network audits are conducted by those independent of your company. Independent auditors can evaluate internal audits and controls, and provide a fresh look at processes, controls and results. They can provide an objective opinion on your company’s security status and, many times, external audits are required by statute.
Vidius Solutions IT provides network audits, along with gap and risk analyses. When needed, we also provide network security solutions that implement the controls your network needs. In fact, we offer comprehensive network management services following IT best practices. Contact us today to discuss how we can help, or call 800.518.8230.