Security policies: Only as good as the audit

No matter how thorough your security policies seem, only an audit can identify your weaknesses. Here's why an IT policy audit is essential, and how to conduct one.
Written by David Southgate, Contributor

If you think you have a sound IT policy because your administrators clamor about the continual need to update security patches, you might want to think again.

Consider these questions:

  • Does your security policy sufficiently address governmental regulations that might apply to your specific industry?
  • Are you meeting global IT security standards, such as ISO17799?
  • Have the CEO and the governing board signed off on your security policies?

One way to answer all these crucial questions and gauge true security preparedness is to undertake an IT security policy audit.

Why an audit is essential

Without a security audit, an organization risks "computing anarchy," said Pete Lindstrom, director of security strategies at Hurwitz Group, a Framingham, MA-based analyst, research, and consulting firm.

"Policy audits and vulnerability assessments are the blocking and tackling of computer security," he said. Yet, the assessments, he noted, often don't occur frequently enough to be useful. Even when they do, follow-up may take a great deal of time.

An IT security policy audit, whether conducted internally or by a third-party security auditor, should include the following elements.

A review of the policy strategy. What business reasons underlie the current policies? In the analysis step, experts can determine whether policies have been well prepared and serve a valid purpose. Auditors can usually tell whether top management and the board of directors approved the policies or whether the policies were merely a rush job by administrators.

Because security policies are so vital, key people at the top of organizations need to approve and sign off on them, explained Steve Addison, CEO of BinaryNine Ltd. The company develops and sells corporate information security products, including ISO17799-compliant security policies. Upper management review helps ensure that policies are on target and will serve the enterprise's goals.

A review of the policies in place. Policies should be reviewed for thoroughness and to ensure that they reflect corporate strategy. A flawed policy set can leave a company vulnerable to all kinds of human error, from selecting a password that is too easy to guess to installing software that opens security gaps. Policies that are developed or distributed in a random fashion indicate a problem. In the best scenario, policies are posted on an intranet so that employees and managers can access and read them when required.

Once auditors have the policies in hand, they critique them and determine whether they cover all the organization's needs. There are two basic types of policies, Lindstrom said: those for end users, which focus on elements such as appropriate usage, and those aimed at administrators, which cover aspects such as patch management procedures.

Other user-based policies might cover data and application ownership; appropriate use of equipment, e-mail, and the Internet; user account and password management and selection guidelines; security awareness training and testing; incident reporting; and virus handling.

Administrator policies cover the management of standard and privileged user accounts, security configurations, exception handling, and incident reports and responses, among other things.

"Policies should be written to be applicable to all scenarios within the organization," Addison said. "It is surprising how many people write policies biased toward their own technology knowledge. For example, if the security policy writer has a background with mainframe computers, guess what slant the policies will have."

An assessment of policy awareness. Auditors should also talk with different enterprise divisions and query employees on policy knowledge. Simple interviews with various members of the front- and back-office staff often reveal whether employees have a good awareness and understanding of the IT security policies that apply to them.

An examination of the policies in action. It's not enough to establish policy strategies, write them up, and educate the staff. To be effective, policies must also be implemented.

"People generally have a sense for what types of policies are necessary, but they don't follow through into their environments," Lindstrom explained.

To ease the implementation process, he advocates using automated solutions, such as PoliVec's Scanner, Builder, and Enforcer software. These tools allow administrators to define, deploy, and evaluate IT security policies across the network.

A review of policy compliance data. The last step of an audit, according to the experts interviewed, is a deep review of documentation that demonstrates how effective the policies are once they're operational. Tests and reports generated from automated systems can quickly reveal whether policies have been effectively implemented and updated as needed.
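The kind of compliance data this step reviews can be produced by comparing each host's actual configuration against the written administrator policy. The script below is an added illustration of that check, not the article's own material and not PoliVec's product or any other vendor's tool. The snapshot format, the policy values, and the host records are all assumptions constructed for the example; a real run would feed it snapshots collected from the fleet.

```python
"""Added example: evaluate host configuration snapshots against a written
security policy and produce the compliance data a policy audit reviews.
Illustrative code only; the snapshot format and the policy values are
assumptions made for this example."""

from dataclasses import dataclass
from datetime import date

# Policy baseline as an administrator policy might state it (assumed values).
POLICY = {
    "min_password_length": 12,
    "max_password_age_days": 90,
    "lockout_threshold": 5,        # failed logons before lockout; 0 = disabled
    "max_patch_age_days": 30,      # days since the last security patch install
    "allowed_privileged_accounts": {"root", "sysadmin"},
}


@dataclass
class Finding:
    host: str
    control: str
    expected: str
    observed: str


def check_host(snapshot: dict, policy: dict, today: date) -> list[Finding]:
    """Compare one host's configuration snapshot against the policy.
    Returns a list of findings; an empty list means the host is compliant."""
    host = snapshot["host"]
    findings = []
    pw = snapshot["password_policy"]
    if pw["min_length"] < policy["min_password_length"]:
        findings.append(Finding(host, "password.min_length",
                                f">= {policy['min_password_length']}",
                                str(pw["min_length"])))
    # A max age of 0 means passwords never expire, which also violates policy.
    if pw["max_age_days"] == 0 or pw["max_age_days"] > policy["max_password_age_days"]:
        findings.append(Finding(host, "password.max_age_days",
                                f"1..{policy['max_password_age_days']}",
                                str(pw["max_age_days"])))
    # A threshold of 0 means lockout is disabled.
    if pw["lockout_threshold"] == 0 or pw["lockout_threshold"] > policy["lockout_threshold"]:
        findings.append(Finding(host, "password.lockout_threshold",
                                f"1..{policy['lockout_threshold']}",
                                str(pw["lockout_threshold"])))
    patch_age = (today - date.fromisoformat(snapshot["last_security_patch"])).days
    if patch_age > policy["max_patch_age_days"]:
        findings.append(Finding(host, "patch.age_days",
                                f"<= {policy['max_patch_age_days']}", str(patch_age)))
    # Any privileged account the policy does not name is an exception to record.
    unexpected = set(snapshot["privileged_accounts"]) - policy["allowed_privileged_accounts"]
    for acct in sorted(unexpected):
        findings.append(Finding(host, "accounts.privileged", "named in policy", acct))
    return findings


def compliance_report(snapshots: list[dict], policy: dict, today: date) -> dict:
    """Aggregate findings across hosts into the summary an auditor reads:
    per-host findings plus a compliance rate over the fleet."""
    results = {s["host"]: check_host(s, policy, today) for s in snapshots}
    compliant = sum(1 for f in results.values() if not f)
    return {
        "hosts_checked": len(results),
        "hosts_compliant": compliant,
        "compliance_rate": compliant / len(results) if results else 0.0,
        "findings": results,
    }


# Constructed sample snapshots (not real hosts) for the example.
SAMPLE_SNAPSHOTS = [
    {"host": "web01",
     "password_policy": {"min_length": 14, "max_age_days": 60, "lockout_threshold": 5},
     "last_security_patch": "2024-05-20",
     "privileged_accounts": ["root"]},
    {"host": "db01",
     "password_policy": {"min_length": 8, "max_age_days": 0, "lockout_threshold": 0},
     "last_security_patch": "2024-01-15",
     "privileged_accounts": ["root", "dbadmin", "sysadmin"]},
]
AUDIT_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    report = compliance_report(SAMPLE_SNAPSHOTS, POLICY, AUDIT_DATE)
    print(f"{report['hosts_compliant']}/{report['hosts_checked']} hosts compliant")
    for host, findings in report["findings"].items():
        for f in findings:
            print(f"{host}: {f.control} expected {f.expected}, observed {f.observed}")
```

On the constructed data, web01 passes every control while db01 fails all five, which is the shape of report an auditor wants: not only a pass/fail count but, for each failure, the control, the value the policy requires, and the value actually observed, so that the remedial action the board mandates can be specific.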

Wrapping up the audit. No matter how dedicated an enterprise has been in its security efforts, a policy audit typically reveals some flaw that requires corrective action, Addison said.

"The board should also be made aware if there are serious problems, not necessarily viewing the full audit, but certainly the main thrust. They can then mandate the necessary remedial actions with sufficient authority to ensure that the actions themselves are taken."

Audit IT policies to ensure their effectiveness
First published on August 12, 2002
