Corporate Security Auditing

Before you can embark on any IT security project, you need to understand the current environment. As we've stated several times, in project management, you should start with a problem statement. The problem statement for corporate security can be as general as, "We currently have no clear understanding of our network's vulnerabilities." However, the more specific you get, the better your solution will be. If you say, "Our network consists of servers, network storage devices, end user computers, Web services, wireless access and sensitive corporate and customer data. We do not have a detailed approach to securing these network resources," you are getting closer to defining the real problem and closer to identifying the real need. One way to develop a solid security project plan problem statement is by conducting a thorough security audit. Since knowing your starting point is the logical genesis of any security plan, we're going to delve into the details of conducting a security assessment or audit.

You can conduct your assessment as one of the first major objectives of your corporate IT security plan, or you can create a separate security assessment and auditing project plan to be conducted and concluded prior to the development of your corporate IT security project plan or any of your ISAPs. Either method is acceptable as long as your projects build upon the results of your audit. In this chapter, we'll use the terms assessment and audit interchangeably.

Auditing means different things to different people, but we'll use a definition commonly used in the IT security world: a thorough and methodical review of systems and technologies focused on finding vulnerabilities. Some companies hire outside security consultants to assist with their security auditing. If you choose to perform your own network security audit, you're going to need several tools and a lot of expertise to do so effectively. You'll also need one or more people on your team to volunteer to think like hackers so you can discover vulnerabilities hackers would likely exploit.

Ethical Hackers?

The term "ethical hackers" seems like a bit of an oxymoron; however, it's actually a growing field of interest these days. In order to effectively thwart hackers, you need to have skills as good as or better than theirs. There are numerous companies that train people to hack systems so they can use their skills for the benefit, not detriment, of the company. Numerous organizations provide ethical hacker training and certification programs, and you can find many listed using a quick online search. These courses teach participants to use the same tools, techniques, and thought processes that hackers use in order to exploit vulnerabilities and to force their way into computers, networks, and other electronic corporate resources. However, there's good news and bad news. The good news is that having these skills on your IT team can be valuable in keeping your corporate network safe. The bad news is that it's always a bit unnerving to teach your employees how to hack a network. However, if you look at the open source model for software development, you find a similar logic. Open the knowledge to many and you have a better chance of exposing and addressing vulnerabilities. And, while you can send your employees for training, you can also hire an outside consultant who is a certified ethical hacker to teach your IT staff how to hack. Remember, though, your employees may choose to learn on their own, so keep all of your options open and keep an eye on your network through various, independent methods.

Hackers, like robbers or car thieves, will attack the easiest targets first. For example, in the case of wireless networks, hackers will certainly take an unsecured wireless network over a protected one any day. For the car thief, likewise, the easiest cars to steal are ones that are (in this order):
