By Barracuda Networks
It’s not every day we give thanks for security breaches, political hacking scandals and cybercriminals profiting from holding big name brands to ransom; however, all of these attention-grabbing headlines have helped shift the focus of attention at board of director’s level onto IT security…for that we can be thankful.
Long overdue, IT security personnel have been struggling to get the spotlight so they can demonstrate why they need increased funding and investment in order to match an organisations defence to the likely level of threat. And now, the moment in the limelight has arrived….
Predictably, the response to the appeal is one of research and reporting with documentary proof and evidence to demonstrate the current state of play and the intended level of security required. In short, the board of directors want an audit.
The Dreaded Audit
No IT professional enjoys the prospect of an audit and is widely viewed as an unnecessary waste of time in which more important things could be being completed. As an industry with limited time and personnel, the process of an audit is one that many departments can ill afford to commit valuable resources to.
A Model Audit
The ISACA (Information Systems Audit and Control Association) model is a relatively straightforward audit that helps companies to check off 98 individual tasks that should be tackled in a security audit and, if you have not performed an IT security audit before, it is essential reading.
Incorporate Security Audits in Process Engineering
One way to avoid this potentially crippling but necessary chore is to start thinking about audits as a continual part of the process rather than standalone, milestone events. With the right planning, an audit at any time should just be a simple matter of reporting on existing processed rather than having to reinvent the wheel.
The discovery process can be helped with the use of visualisation tools and using network virtualisation software can help organisations pass an audit. Enabling network traffic across data centres to be constrained within secure microsegments is an example of the importance of embedding security within the design of an IT environment rather than being bolted on afterwards. Network virtualisation is moving fast with some vendors now offering Nano-segmentation
Beyond the Audit
Whilst an audit is likely to cripple any IT security department for the duration of its process, the welcome focus should result in additional capital being committed to address the problems raised. Part of the audit should therefore address the ongoing maintenance of the IT environment and its own ability to pass subsequent audits without having a detrimental effect on security economics.