The demand for security auditing has shown its ugly head and now demands respect. Recent, well-documented events provide an image of why security auditing is necessary. If security audits had been carried out, and management had confirmed the results and taken action, some of these organizations might not be in the current predicament they are in. Security audits are needed no matter what business you are in. If you are dealing with consumers' information, credit card data, or healthcare details, then there is need to do a security audit on your business, process and overall security posture. Where you can start is at the hardware level and work your way up – starting somewhere is better than starting nowhere. The further you go down the stack, the more you will find and the more people might become involved. Security audits are important because they allow to see where your potential threats are, establish a baseline of where you are, determine where you need to be, and accordingly define a plan. This might seems like a lot of “fluff" but in reality, it needs to be addressed. Audits are important for your system because something might be out of alignment and need adjustment. There might be new services, accounts, and/or files that need to be accounted for. This will allow you to determine the risk and how impactful it could be. They are also important to managers, executives and system operators because they allow them to hold each other accountable and address the concerns. For executives, it is extremely important to understand where weaknesses are and what is going to be done about it. Ignoring the issues doesn’t mean it goes away; it means it will just get compounded. At the same time, managers need to light a fire at the feet of system owners. All parties are accountable to each other, and some have more burden than others to bear. It is recommend that organizations conduct regular assessments on their patch management, vulnerability management and overall system security best practice management processes. Tackling these one by one and starting anywhere is a good place to start. Some of the questions one can ask include the following: What policy do we have in house? Are we really upholding them? Then it's up to personnel in the organization to hold someone accountable for these action items; if they do not fulfill what is needed, then they must find an alternative means to get the job done. No more hiding behind anyone or finger-pointing. Just be accountable and make it happen.
About the Author: Ricoh Danielson is a U.S. Army Combat Veteran of Iraq and Afghanistan. As a digital forensic expert in cell phone forensics for high profile criminal and civil cases, Ricoh has a heavy passion for information security and digital forensic that led him to start up his firm (Fortitude Tech LLC) in the middle of law school to become Phoenix’s heavy hitting digital forensic power house. He is also a graduate of Thomas Jefferson School of Law, Colorado Tech University, and UCLA Anderson School of Management. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
