As long as information is the most valuable resource of the company, it is obvious that when we talk about auditing security, we should focus on the IT security audit. Getting information about the security procedures in your IT department is critical to your business.

Are there any common IT security issues that we should pay attention to? An IT security auditor should check that the information you are using is securely kept and managed.

Keeping information secure is not an art. There are some major issues your admin should remember. First, keep data in a secure place, such as an encrypted hard disk. Second, make sure only authorized persons can access certain information. Third, make sure it is not possible for an intruder to get your data.

To audit the backup process, it is enough to emulate a system crash. How long will it take to recover the whole system? Will all the data be recovered? What data will be lost? Once the auditor has these data, it is necessary to compare them against the industry norm, e.g. benchmark your backup process metrics against those of your colleagues.

What about checking that only authorized persons can access sensitive data? It is harder than checking the backup. The thing you should start with is making sure that the authorized administrator has a clear structure of who has access to the sensitive data. There might be levels of access, but the whole system must be described clearly. This is the key part of secure authorization and information sharing.

The most important question: how do your people manage secure information? Is there a chance of secure information being copied, i.e. a possible information leak? Are there people who are unaware of the security measures used within the company? Do users follow an appropriate password policy?

There are many more questions about possible security leaks and the must-scan issues. How do you find out what the security expert should scan? Well, it depends on how a potential intruder can get your data. It is necessary to use a file shredder (preferably one that runs in background mode) to make sure the data cannot be recovered.

How do you check whether users are managing files in a proper way? Try to find possible breaks in security. For instance, someone can keep files not in the document management system, which is protected with strong encryption, but on a local hard disk, protecting them with an easy-to-crack password.

Can people at your company use flash drives? It is very dangerous, as it would be easy to copy sensitive data and take it out of the company, but then again, some businesses really do require information to be copied to flash drives. What is the solution? Try to monitor the actual information that is copied to these drives. For instance, if a user copies password-protected files, then it might be a possible security issue.

Checking the passwords is another task. A short or well-known password will not do. Make sure there is a password policy that states which passwords are good and why. Make sure people follow this policy.
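
The backup drill described above (how long recovery takes, whether all data comes back, what is lost) can be scored with a file manifest taken before the emulated crash and compared with the restored tree. This is an added example, not part of the original article; the function names, the sample files and the one-hour recovery target are assumptions.

```python
import hashlib
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest


def audit_restore(before, restored_root, restore_seconds, target_seconds):
    """Compare the pre-drill manifest with the tree restored from backup.

    target_seconds is an assumed recovery-time target to benchmark against.
    """
    after = build_manifest(restored_root)
    missing = sorted(p for p in before if p not in after)
    altered = sorted(p for p in before if p in after and before[p] != after[p])
    intact = len(before) - len(missing) - len(altered)
    return {
        "missing": missing,  # data lost outright
        "altered": altered,  # restored, but stale or corrupt
        "unexpected": sorted(p for p in after if p not in before),
        "recovered_ratio": intact / len(before) if before else 1.0,
        "within_target": restore_seconds <= target_seconds,
    }


def _write(root, files):
    """Create the constructed sample files under root."""
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Constructed drill: one file lost and one stale after the restore."""
    with tempfile.TemporaryDirectory() as live, \
            tempfile.TemporaryDirectory() as restored:
        _write(live, {"ledger.csv": b"v2", "hr.txt": b"a", "keys.txt": b"k"})
        before = build_manifest(live)
        _write(restored, {"ledger.csv": b"v1", "hr.txt": b"a"})
        return audit_restore(before, restored, 5400, 3600)


if __name__ == "__main__":
    print(demo())
```

In a real drill, build the manifest on the live system first, then pass the measured restore duration and the directory the backup was restored into.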