Enterprise Smarts

The Role of Auditing in IT and Security

By Elizabeth Wasserman

The health of a business these days depends largely on the ability of executives and employees to access data - data about customers, products, finances, and employees. Increasingly, companies are also under pressure from government, investors, and the marketplace to keep that data secure. For the CIO, securing data means keeping out hackers and other intruders, preventing the theft of data by insiders, and ensuring that information technology systems avoid business disruption. New laws and regulations such as the Sarbanes-Oxley Act of 2002 require that executives continually be aware of the security of their data and -- particularly in the health and financial services sectors -- protect personal information about customers.

In order to meet these demands, a number of companies are undertaking regular data security audits. Nearly 82 percent of organizations responding to the 2004 Computer Crime and Security Survey, conducted jointly by the Computer Security Institute and the Federal Bureau of Investigation, said they conduct security audits as their first line of defense. The survey found that 53 percent of the organizations responding suffered attacks -- both from inside and outside the company -- on their computers. Losses totaled nearly $150 million.

A security audit can be one of the best tools to help a CIO thoroughly understand the flow of information and develop a plan for properly securing a company's data. Audits come in a myriad of types, frequencies, and purposes, and it is essential that a CIO know the ropes before trying to scale them:

Full strategic audit: An external audit of policies and procedures explores how executives manage the IT side of the business. Chad Robinson, a consultant with the Robert Frances Group, says the high-level audit will delve into who deploys systems and how, and what type of procedure is in place to review new applications, among other issues. A full strategic audit gives an enterprise a deep understanding of its IT operations and security, in addition to a roadmap for improving security. The executive team can also use the audit to ensure that a business is complying with new regulations impacting data security. Conduct the audit every few years or more frequently if triggered by events -- such as data loss or theft.

Penetration testing: A thorough, time-consuming "pen test" attempts to breach security and compromise computer systems. It looks for unprotected computer ports, a wireless local area network that managers never knew existed, and other pathways intruders can use to penetrate a network. However, Robinson warns that penetration testing can be costly and can also alienate some in the IT staff because it can actually crash computer systems. He recommends it for companies in which security is of paramount concern. Conduct the penetration test every year or two.

Vulnerability scan: An ongoing assessment of vulnerabilities to known forms of attack can determine whether a business has patched holes or updated commercial software. Vulnerability scans may be conducted by internal staff or consultants. A number of companies have developed software programs that allow organizations to conduct vulnerability scans automatically. Run this on a regular basis, usually monthly, although some programs can be run every night.
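The core of the version-based check that such scanning programs perform can be shown in a few dozen lines. The following is an added example, not code from the article or from any scanning product: it takes a constructed software inventory and a constructed advisory list (the ADV-0001 style identifiers are placeholders, not real advisories) and reports every host whose installed version is older than the version in which a known hole was fixed. The one subtlety worth learning from it is that versions must be compared numerically: as strings, "2.4.9" sorts after "2.4.10", which would hide an unpatched host.

```python
"""Minimal version-based vulnerability check over a software inventory.

Added example, not from the article. The inventory, the advisory feed and
the ADV-xxxx identifiers are constructed placeholders for illustration.
"""
import re

# Constructed advisory feed: product, first version containing the fix, placeholder id.
ADVISORIES = [
    {"id": "ADV-0001", "product": "webserver", "fixed_in": "2.4.10"},
    {"id": "ADV-0002", "product": "dbengine", "fixed_in": "10.2.1"},
    {"id": "ADV-0003", "product": "mailrelay", "fixed_in": "1.9"},
]

# Constructed inventory: hostname -> {product: installed version}
INVENTORY = {
    "web01": {"webserver": "2.4.9", "mailrelay": "1.9"},
    "web02": {"webserver": "2.4.12"},
    "db01": {"dbengine": "10.1.30", "webserver": "2.4.10"},
}


def parse_version(v: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so comparison is numeric, not lexical.

    Only the numeric components are used; a suffix such as '-rc1' is ignored.
    """
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    """A host is affected when the installed version is strictly older than the fix."""
    a, b = parse_version(installed), parse_version(fixed_in)
    # Pad the shorter tuple with zeros so that '1.9' and '1.9.0' compare equal.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def scan(inventory: dict, advisories: list) -> list:
    """Return (host, product, installed, advisory id) for every unpatched install, sorted."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv["product"])
            if installed is not None and is_vulnerable(installed, adv["fixed_in"]):
                findings.append((host, adv["product"], installed, adv["id"]))
    return sorted(findings)


if __name__ == "__main__":
    for host, product, installed, adv_id in scan(INVENTORY, ADVISORIES):
        print(f"{host}: {product} {installed} is affected by {adv_id}")
```

Run nightly against a real inventory, the same loop turns into the recurring scan the article describes; the advisory feed is the part that has to be refreshed, since a scan is only as current as its list of known fixes.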

The CIO needs to make the case for a security audit strategy to C-level peers. The most salient points to convey are that IT audits support enterprise security and that security is fundamental to business in today's economy. A leak of confidential data almost always tarnishes the reputation of a company, and it can exact a toll in the form of lost future business, a depressed stock price and government fines. Data audits mitigate risks in the following ways:

  • Monitor weak spots on the network: Audits can detect security breaches and point out to the company various ports and pathways that could make a computer network vulnerable to attack from hackers, competitors, or foreign countries. They can also pinpoint places where an overload of data may lead to a system breakdown and even track the age and return on investment of different systems.

  • Identify and trace attacks: An organization can use audits to pinpoint and track insiders who create, delete, or access certain data. Audits can help a company protect sensitive company information and confidential customer data, and fight fraud. Potential perpetrators may be dissuaded by the mere existence of a data audit.

  • Help comply with regulations: Data audits can provide businesses with a plan for complying with new legislative mandates, monitoring data properly, and reporting breaches in accordance with the new laws.
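Tracking which insiders create, delete, or access certain data, as the second point above describes, presupposes an audit trail and a few rules run over it. The following is an added example, not code from the article: it parses a constructed audit log (the key=value line format, user names, record names, business hours and thresholds are all assumptions for illustration) and applies three review rules a data-audit program typically starts with: access to sensitive records by users outside the entitled group, access to sensitive records outside business hours, and bulk deletion by a single user within a short window.

```python
"""Review an application audit trail for insider-misuse indicators.

Added example, not from the article. The log format, users, record names,
entitlement group, business hours and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit trail: one event per line as "<timestamp> key=value ...".
AUDIT_LOG = """\
2004-05-03T09:12:01 user=asmith action=read record=cust/1001 sensitivity=low
2004-05-03T09:15:44 user=asmith action=read record=cust/1002 sensitivity=low
2004-05-03T22:41:10 user=jdoe action=read record=cust/4411 sensitivity=high
2004-05-03T22:41:12 user=jdoe action=read record=cust/4412 sensitivity=high
2004-05-04T14:00:00 user=bturner action=delete record=cust/2001 sensitivity=low
2004-05-04T14:00:01 user=bturner action=delete record=cust/2002 sensitivity=low
2004-05-04T14:00:02 user=bturner action=delete record=cust/2003 sensitivity=low
2004-05-04T14:00:03 user=bturner action=delete record=cust/2004 sensitivity=low
2004-05-04T10:30:00 user=asmith action=read record=cust/4413 sensitivity=high
"""

HIGH_SENSITIVITY_GROUP = {"jdoe"}       # users entitled to high-sensitivity records (assumed)
BUSINESS_HOURS = (8, 18)                # 08:00 to 18:00 local time (assumed)
DELETE_THRESHOLD = 3                    # more than this many deletes ...
DELETE_WINDOW = timedelta(minutes=5)    # ... inside this window is flagged


def parse_log(text: str) -> list:
    """Parse each line into a dict with a datetime 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": datetime.fromisoformat(ts)}
        for field in fields:
            key, _, value = field.partition("=")
            event[key] = value
        events.append(event)
    return events


def find_unauthorized_sensitive_access(events: list) -> list:
    """Rule 1: high-sensitivity records touched by users outside the entitled group."""
    return [(e["user"], e["record"]) for e in events
            if e["sensitivity"] == "high" and e["user"] not in HIGH_SENSITIVITY_GROUP]


def find_after_hours_sensitive_access(events: list) -> list:
    """Rule 2: high-sensitivity records touched outside business hours."""
    start, end = BUSINESS_HOURS
    return [(e["user"], e["record"]) for e in events
            if e["sensitivity"] == "high" and not (start <= e["ts"].hour < end)]


def find_bulk_deletes(events: list) -> list:
    """Rule 3: a user deleting more than DELETE_THRESHOLD records within DELETE_WINDOW."""
    deletes_by_user = defaultdict(list)
    for e in events:
        if e["action"] == "delete":
            deletes_by_user[e["user"]].append(e["ts"])
    flagged = []
    for user, times in deletes_by_user.items():
        times.sort()
        # Sliding window: count the deletes that fall within DELETE_WINDOW of each start.
        for i, t0 in enumerate(times):
            count = sum(1 for t in times[i:] if t - t0 <= DELETE_WINDOW)
            if count > DELETE_THRESHOLD:
                flagged.append((user, count))
                break
    return flagged


def review(text: str) -> dict:
    """Run all three rules over a log and return the findings per rule."""
    events = parse_log(text)
    return {
        "unauthorized_sensitive": find_unauthorized_sensitive_access(events),
        "after_hours_sensitive": find_after_hours_sensitive_access(events),
        "bulk_deletes": find_bulk_deletes(events),
    }


if __name__ == "__main__":
    for rule, hits in review(AUDIT_LOG).items():
        print(f"{rule}: {hits}")
```

The rules are deliberately simple so that each finding can be traced back to the exact log lines that produced it; that traceability is what makes an audit trail useful both for investigating an incident and for demonstrating to a regulator that access to confidential data is being monitored.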

The threats to data security are not going away. Companies are relying more on their data and increasingly sharing it with business partners. They also need to secure data as a measure of good corporate governance -- not only because it's now the law. "There's an old joke among IT professionals that the best security is a pair of wire cutters," said Robinson. CIOs need to consider data security audits as a proactive measure to keep their organization running smoothly -- and securely.

Elizabeth Wasserman has written about technology and business for Inc., the San Jose Mercury News, and CIO Insight. She is a freelance writer based in Fairfax, Virginia.

Fast Fact

"82 percent of responding organizations conducted security audits as their first line of defense."

--2004 Computer Crime and Security Survey.