Security Assessments & Planning

A security audit is a cooperative effort to examine a company’s network, computers and applications, with the goal of determining what the risks are to the company’s revenue streams and proprietary/confidential information. Some industries, such as finance and healthcare, require due diligence in the care of client information and compliance with regulations such as Sarbox, HIPAA or ISO.

By identifying actual risks and vulnerabilities and the likelihood of an event occurring, we can prioritize and mitigate many risks, sometimes quite inexpensively.

The end result is usually a report that can be used to implement the recommendations made, along with an executive summary if desired.

Most in-house IT departments do not have dedicated security staff. Their IT personnel tend to focus on desktop, application, systems and/or network support and seldom have experience in dealing with intrusions and data loss. It is difficult for systems or network staff to do a comprehensive audit of the systems that they set up themselves, since they tend to implement what they know rather than design a network based on security needs or threats.

The best security assessments are quantitative and weigh the potential dollars lost against the likelihood of loss. This makes it possible to prioritize a limited budget when reducing exposure to various risks.

See this wiki page for a bit of extra information about security audits: http://en.wikipedia.org/wiki/Information_Technology_Security_Assessment