|Are Security Audits necessary?|
|Written by Administrator|
|Sunday, 12 April 2009 15:24|
A Security Audit is a valuable tool for all corporations. First of all, it is a way of identifying the actual level of security in a business: what policies, procedures and controls exist, and whether and how well they are followed by corporate employees.
A second advantage is that it helps organisations to be compliant with the relevant International Standards (e.g. ISO 27001, SOX, PCI, HIPAA) and local laws. This is a double advantage for corporations: they can prove that they have an accepted level of security both to their Governments and to their Customers. Today especially, customers are very concerned with the security of their personal data (particularly in E-Business), and thus Security can work as a great Marketing tool that differentiates a company from its competitors.
Thirdly, Security Audits help Senior Managers, and especially CSOs, to identify the weak points in their architecture. With such information at hand, senior managers can develop a better Mitigation Plan and spend only the money required to fulfil the Plan. This gives them greater control over expenditure, so that no budget is lost in mitigating small risks. We must always remember that Security is all about protecting critical corporate information (a corporation cannot spend a few thousand dollars protecting a Server that holds the Cafeteria Menu while leaving its Internal Network flat). This could greatly strengthen the case when requesting Security budget, especially in a time of Business Crisis.
Depending on each Country's Laws and Regulations, the fact that regular Security Audits are carried out can be used in a Court of Law, as evidence in lawsuits related to Security Incidents. The Senior Managers can prove that the company did its best to fulfil the necessary protection requirements. Having such evidence could greatly reduce the fines and money claims that result from Security Incidents.
One more thought that I would like to add, and that I have seen in my experience, is that in many cases Security Audits also enhance employee Security Awareness. During the audit process, Managers and Employees understand better the importance of ensuring that their everyday activities do not compromise the Security of the Business. Even users who see Security Audits as a bad thing for their day-to-day working life will in many cases be obliged to preserve Security, because they will be afraid of losing their jobs.
Security Audits can greatly help Businesses advance their Security Infrastructure. Having better Security means saving money that would otherwise be lost to Industrial Espionage (e.g. Customer Lists, Industrial Designs) and to Marketing Expenditure after a Security Event. Security is not another technical BuzzWord. It is a business requirement and thus must be treated as one. Many Business people cannot see the ROI of investing in Security. We could say that security is similar to an insurance plan: you see the returns on your investment only when a problem arises.
But health problems are generally easier to detect. If you have a health problem, your body shows the necessary signs and so you visit a doctor. With security, however, how can you detect that internal or external adversaries are stealing your most secret information if you do not have detective controls installed? Most corporations usually detect such events when it is too late and the damage has already been done.
A security strategy and plan can save corporations millions of dollars every year. It should be part of any corporate business plan for expansion.