It is a well-known fact that in the Internet-connected world, network perimeter vulnerabilities do exist that allow unauthorized individuals access to networks and provide the ability to disrupt business continuance.

Well-prepared companies do know about many of these vulnerabilities and they correct them whenever appropriate. However, there are a large number of new, as well as older, vulnerabilities that the average company is just not aware of. If these vulnerabilities are known, companies usually, and I emphasize usually, allocate resources to them. Unfortunately, too many companies either do not have the resources to track such security-related matters or do not have the trained internal personnel to allocate towards identifying and remediating the vulnerabilities. Obviously, knowing about or being able to detect the vulnerabilities is half the battle, but not acting on the known issues for any reason is almost a guarantee to lose the battle.

An alarming fact is that many companies do not prioritize information security because it does not generate revenue for the company. However, as we have seen in the headlines and trade journals, the lack of a proper security program can and does affect the bottom line. Some organizations are now investing larger budget dollars and resources into information security, and they're starting by assessing their present level of risk with an audit. If your company relies on the Internet and was one of the vast number that missed the vulnerability used by the Code Red virus, you know how the lack of an active security program can affect the bottom line. In addition to unknown vulnerabilities, there are many stories of technicians performing routine network maintenance and unintentionally leaving a credit card database or other proprietary information open for would-be hackers.

Finding the vulnerabilities in your environment is vital to the success of your security program, but knowing how to prioritize and perform proper remediation is often impossible without properly trained personnel. Let's concentrate on the value of the audit process and deliverables for a moment.

Whenever we think of audits, the first thing that comes to mind is the financially related IRS visit. They are looking for holes in the integrity of income and expense reporting for individuals and companies. These audits are required because if the system, in this case the tax system, has enough vulnerabilities, then the whole system fails. The audit acts as the police to either deter the vulnerabilities or find them so they can be eventually removed. Removing vulnerabilities in your information network is just as key, but can you find them, which are important, and how do you remove them efficiently? Much like the IRS audits, finding information network security vulnerabilities requires a trained professional. Most commonly, the security professionals trained in auditing are full-time in-house employees of only the largest companies. For the majority of companies who want thorough periodic audits, this requires the use of outside security experts as the most cost-effective choice. Outsourcing to security professionals offers many advantages over in-house testing, such as having a team of experts dedicated to current security matters, armed with proven best practices or entire methodologies, and equipped with a suite of security auditing products instead of a single commercial tool.

Companies must also consider the value of the audit's deliverables/results. Deliverables must not only detail all of the current vulnerabilities, but also prioritize what issues are important, document proven methodologies for remediating the vulnerabilities, and provide cost-effective methods to mitigate the risk. The majority of companies cannot afford to maintain the staff and application software necessary to conduct an audit at this level. Even those companies that do have such a significant security budget often use an outsourced firm to validate their own efforts.

Some additional benefits of a professional outsourced audit are: recording an objective baseline and changes on a periodic basis, having a trusted security partner to turn to as issues arise, and the ability to meet industry requirements for objective third-party auditing. For those companies outsourcing audits as a secondary check, it also assists in justifying security budgets by validating the current security-related expenditures.

Although it was mentioned that companies are sometimes challenged with prioritizing security matters, based on our own experience there is a trend with technology executives to place a higher priority on network security. The newfound emphasis applies to both internal and external audits and really comes into play with those companies that have a great reliance on the Internet and business continuance.

Finding all of your vulnerabilities is increasingly difficult without a full suite of auditing tools, but remember, finding the vulnerabilities is only half the battle. In order for audit deliverables to be truly effective, they have to include professional feedback on what issues are important, remediation efforts detailed and prioritized, as well as describe how all of the effort and expense will affect the level of risk.

If you feel your systems environment could pass a security audit, but haven't had one, our experience shows you might be surprised by a failing grade. If you have had an audit and the vulnerabilities were exposed, hopefully you have an action plan you are utilizing to eliminate the vulnerabilities. Once the action plans are complete, you might consider outsourcing your next audit to validate your efforts.