As I prepare to conduct my next IT security audit at a client’s site, I realize some things have not changed in the past few years. The client’s reaction to the security audit is always remarkable the day before the on-site visit, as they exhibit a sense of fear. For the most part, it has always been the same issue: the client decides to wait until the last minute to prepare for the security audit.
From my experience, the client will start applying required security patches, which should have been applied months ago, the weekend before the audit. Sometimes it works out fine, and as you may know, sometimes it does not and causes additional issues for the system administrators. Many times, the Security Point-of-Contact (SPOC) will use a security scanning tool such as Nessus to conduct their own network scan to get a view of how they fare. Conducting your own security scans is fine, and being proactive is a good thing, but the day before an audit may not be the best time to do so. Then the disclaimers start rolling in from the client: “Well… We know of this issue and that issue.”
I guess I cannot blame them for their anxiety. It’s not a good feeling to have strangers (IT security auditors) come into your organization to review the controls and practices you put in place and possibly tell you that you are doing it wrong.
However, IT security audits are a necessary process that needs to occur to ensure compliance with organizational and/or federal regulations. Some of the more notable regulations are FISMA, HIPAA and the Sarbanes-Oxley Act, which specify how organizations must handle information.
Unfortunately, many organizations treat security and audit as an afterthought rather than a process … Preparation is the key to successfully passing a security audit.
For a fully detailed review of security assessments and IT security audits, check out www.securityorb.com.