Security Assessments & Planning
A security audit is a cooperative effort to examine a company's network, computers and applications with the goal of determining what the risks are to the company's revenue streams and proprietary/confidential information. Some industries, such as financial and healthcare, require due diligence in the care of client information and compliance with regulations such as Sarbox, HIPAA or ISO.
Usually the end result is a report that can be used to implement the recommendations made as well as an executive summary if desired.
Most in-house IT departments do not have dedicated security staff; their IT personnel tend to focus on desktop, application, systems and/or network support and seldom have experience in dealing with intrusions and data loss. It is difficult for systems or network staff to do a comprehensive audit of the systems they set up themselves, since they tend to implement what they know rather than design a network around security needs or threats.
The best security assessments are quantitative: they assign potential dollars lost against the likelihood of that loss. This allows good prioritization of limited dollars when limiting exposure to the various risks.
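As an added illustration of that quantitative approach (example code written for this page, not part of the original text or any particular assessment methodology): each risk gets an estimated loss per incident and an estimated number of occurrences per year, and their product, the annualized loss expectancy, is the figure used to rank risks and decide where a limited budget goes first. Every risk name, dollar figure and rate below is a constructed placeholder.

```python
"""Rank risks by expected yearly loss (constructed example, not from the page)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Risk:
    name: str
    single_loss: float   # SLE: estimated dollars lost each time the event occurs
    annual_rate: float   # ARO: estimated occurrences per year

    @property
    def annual_loss(self) -> float:
        """ALE = SLE * ARO: expected dollars lost per year from this risk."""
        return self.single_loss * self.annual_rate


def rank_risks(risks: List[Risk]) -> List[Risk]:
    """Highest expected yearly loss first."""
    return sorted(risks, key=lambda r: r.annual_loss, reverse=True)


def total_annual_loss(risks: List[Risk]) -> float:
    return sum(r.annual_loss for r in risks)


def priority_set(risks: List[Risk], coverage: float = 0.8) -> List[Risk]:
    """Smallest prefix of the ranked list whose combined expected loss reaches
    `coverage` of the total annual exposure; these are addressed first."""
    total = total_annual_loss(risks)
    chosen: List[Risk] = []
    covered = 0.0
    for r in rank_risks(risks):
        if total == 0 or covered >= coverage * total:
            break
        chosen.append(r)
        covered += r.annual_loss
    return chosen


# Constructed sample inventory; the values are placeholders, not measurements.
SAMPLE_RISKS = [
    Risk("Ransomware on file server", single_loss=250_000, annual_rate=0.2),
    Risk("Lost unencrypted laptop", single_loss=40_000, annual_rate=1.0),
    Risk("Web app SQL injection leak", single_loss=500_000, annual_rate=0.05),
    Risk("Phishing account takeover", single_loss=15_000, annual_rate=3.0),
]


if __name__ == "__main__":
    total = total_annual_loss(SAMPLE_RISKS)
    print(f"{'Risk':<30} {'SLE':>10} {'ARO':>6} {'ALE':>10} {'share':>7}")
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.name:<30} {r.single_loss:>10,.0f} {r.annual_rate:>6.2f} "
              f"{r.annual_loss:>10,.0f} {r.annual_loss / total:>7.1%}")
    print("Address first:", [r.name for r in priority_set(SAMPLE_RISKS)])
```

Note what the ranking does to the sample data: the SQL injection leak has by far the largest per-incident loss, yet it ranks last once its low yearly likelihood is factored in, while the frequent, cheap phishing takeover ranks second. That is the point of weighing dollars lost against likelihood rather than reacting to the scariest single number.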
See this Wikipedia page for a bit of extra information about security audits: http://en.wikipedia.org/wiki/Information_Technology_Security_Assessment