Security Audit
Last Updated on Wednesday, 11 August 2010 09:06
What is a Security Audit?
A computer security audit is a systematic, measurable technical assessment of how the company's security policies are employed within a business environment. Our auditors work with the full knowledge of your company and at times with considerable inside information, in order to fully understand the resources to be audited.
Security audits are part of the ongoing process of defining and maintaining effective security policies. Security audits involve anyone who interacts with any computer resource within the company. Our auditors have tools that allow a fair and measurable way to examine how secure a site really is.
Our security auditors perform their work through personal interviews, vulnerability scans, examinations of computer systems, and analysis of network and historical audit data. They are concerned mainly with how security policies - the foundation of any effective organizational security strategy - are actually used. There are a number of key questions that security audits should attempt to answer:
- Are passwords difficult to crack?
- Are there access control lists in place on network devices to control which users have access to shared data?
- Do you keep audit logs for data access?
- How often are the audit logs reviewed?
- Are the security settings for operating systems in accordance with widely accepted industry security practices?
- Have all unnecessary applications, services and ports been eliminated for each computer / system?
- Are these operating systems and commercial applications patched with the latest updates?
- How and where is backup media stored? Who can access the data? Are the backups up to date, and how often are they made?
- Is there a business continuity plan in the case of a natural disaster?
- Have the business participants and stakeholders ever rehearsed the disaster recovery plan?
- Do you employ adequate cryptographic tools to govern data encryption? Have these tools been configured adequately?
- Have custom-built applications been written with security considerations?
- Have these custom applications been assessed for security flaws?
- Do you document configuration and code changes at every level? When are these reviewed and who conducts the review?
These are a few of the kinds of questions that should be evaluated in a security audit. By answering these questions honestly and in depth, a company can realistically evaluate how secure its vital information is.
Please email us and one of our consultants will be in touch to discuss these issues about your company.
Protecting your business from security threats requires realistic assessments in order to determine how effective your security controls are.