How to Do an IT Audit
Understanding your business will focus your efforts.
Story by Kathleen Melymuka
FEBRUARY 03, 2003 ( COMPUTERWORLD ) - If you're the IT manager at a small to midsize business, it's only a matter of time until you're asked to do an IT security audit. Even in a larger company, if security is decentralized, you may be the go-to guy in IT. You're neither a security expert nor an auditor, and resources are tight. How will you begin and where will you go from there?
 First, don't panic. "People sell themselves short," says Jay M. Williams, senior vice president and chief technology officer at The Concours Group, an IT consulting firm in Kingwood, Texas. "For the most part, security is common sense."
Join a security research organization such as the Information Security Forum, says RA Vernon, chief security officer at Reuters America Inc. in New York. "You'll find a group of individuals willing to talk about security issues, share experiences and add some value to any process you may try to implement," he says. They can direct you to software, methodologies and other resources to help you tackle the job.
Consult with your business executives to be sure you understand which aspects of your business are most vulnerable to security threats.
Consider your industry. "Too often people think they have to create Fort Knox," Williams says, but in reality, few companies have extremely tight data security requirements. "If you're in the nuclear power business, you're right at the top," he says. "But if you're in baked goods, nobody's looking to knock off the Keebler elf."
»read more |
Media alert and events 