Over the past few months, I have received a number of questions that seem to focus on the difference between a security assessment and a security audit. These are two significantly different things. In fact, most organizations tend to have a security assessment done prior to having a formal security audit conducted.
A security assessment is a formal, systematic process of data gathering with regards to security measures
that are in place against an established set of criteria (ISO 27000) to determine what needs exist. A security assessment is a systematic analysis of the way things are and the way they should be. Typical methods for conducting a security assessment include:
- Record reviews
A security audit is a systematic evaluation of the security
of a company’s information system accomplished by measuring how well it conforms to an established set of criteria that results in a factual record. The audit activities typically focus on assessing the security of the system’s operations, configuration and environment, software, information handling processes, as well as user practices. The security audit also results in the determination of regulatory compliance in the wake of legislation (such as HIPAA, Sarbanes-Oxley, and the Data Breach Notification laws) that specifies how organizations must deal with information. Typical methods for conducting a security audit include:
- First hand (independent) observations
- Custom designed testing of security controls
- Independent monitoring of security controls
- Placing historical information under scrutiny
- Evidentiary collection via forensic analysis
The assessment looks at the completeness of the security initiatives
or program. By conducting the assessment first, the organization can remediate any significant shortcomings before a security audit, which is a formal record of the security status of an organization, is performed.
An example illustrating the difference between assessing security and auditing security might help clarify this point. Let’s look at access controls. One component of access control security is a strong password policy. An assessment would check to see if the organization has a strong password policy while a security audit would actually attempt to set up access with a weak password to see if the control actually has been implemented and works as defined in the policy.
Brian Martin from Spy-Ops, a security training company said, “Identifying issues in a security assessment is a lot less painful and has far less implications than failing a security audit.” He went on to say, “While you have to address the shortcomings uncovered during the assessment, the reporting and notification requirements that often accompany failing a security audit are not there.”
Given that insight, it is important to point out that, in an assessment, you have great flexibility to respond to issues and less reporting responsibility than with an audit. Security assessments should be conducted routinely, and certainly after a major technology upgrade. Failure to conduct these assessments could leave you ill prepared for a security audit that often accompanies financial audits or compliance investigations or data breaches.
Kevin G. Coleman, a consultant and advisor with Technolytics Institute, writes the Data Security column for TMCnet. To read more articles by Kevin, please visit his columnist page.
Edited by Erik Linask