As long as information is the most valuable resource of the company, it's obvious that when we talk about auditing security, we should focus on the IT security audit. Getting information about the security procedures in your IT department is critical to your business.

Are there any common IT security issues that we should pay attention to? An IT security auditor should check that the information you are using is securely kept and managed.

Keeping information secure is not a kind of art. There are some major issues your admin should remember. First, keep data in a secure place, such as an encrypted hard disk. Second, make sure only authorized persons can access certain information. Third, make sure it's not possible for an intruder to get your data.

To audit the backup process it's enough to emulate a system crash. How long will it take to recover the whole system? Will all the data be recovered? What data will be lost? Once the auditor has these data, it's necessary to compare them against what is common in the industry, e.g. benchmark your backup process metrics against those of your colleagues.

What about checking that only authorized persons can access sensitive data? It's harder than checking the backup. The thing you should start with is making sure that the authorized administrator has a clear structure of who has access to the sensitive data. There might be levels of access, but the whole system must be described clearly. This is the key part of secure authorization and information sharing.

The most important question: how do your people manage secure information? Is there a chance of copying secure information, e.g. possible information leakage? Are there some persons who are unaware of the security measures that are used within the company? Do users follow an appropriate password policy?

There are many more questions about possible security leakages and the must-scan issues. How do you find out what the security expert should scan? Well, it depends on how a potential intruder can get your data. It's necessary to use a file shredder (better if it runs in background mode) to make sure it's not possible to recover data.

How do you check whether users are managing files in a proper way? Try to find possible breaks in security. For instance, someone can keep files not in the document management system, which is protected with strong encryption, but on a local hard disk, protecting them with an easy-to-crack password.

Can people at your company use flash drives? It's very dangerous, as it would be easy to copy sensitive data and take it out of the company, but then again, some businesses really require information to be copied onto flash drives. What is the solution? Try to monitor the actual information that is copied onto these drives. For instance, if a user copies password-protected files, then it might be a possible security issue.

Checking the passwords is another task. Short or known passwords will not work. Make sure there is a password policy which tells what passwords are good and why. Make sure people follow this policy.
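The flash-drive check described above, where a user copying password-protected files is treated as a possible security issue, can be partly automated. The Python script below is an added example, not part of the original article: it reports ZIP archives that contain encrypted entries under a mounted drive, and its function names and the in-memory sample archive are assumptions constructed for illustration.

```python
import io
import struct
import zipfile
from pathlib import Path

ENCRYPTED_FLAG = 0x1  # bit 0 of the ZIP general-purpose flags: entry is encrypted


def encrypted_members(archive):
    """Return names of encrypted entries in a ZIP (path or file-like object)."""
    with zipfile.ZipFile(archive) as zf:
        return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED_FLAG]


def audit_drive(root):
    """Walk a mounted drive and report ZIP archives with encrypted entries."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and zipfile.is_zipfile(path):
            try:
                names = encrypted_members(path)
            except zipfile.BadZipFile:
                continue  # truncated or corrupt archive: skip, keep auditing
            if names:
                findings[str(path)] = names
    return findings


def constructed_sample(encrypted):
    """Build a small ZIP in memory; optionally mark its entry as encrypted.

    Constructed test data: the standard library cannot write encrypted ZIPs,
    so the flag bit is set by hand in the central directory record.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payroll.xls", b"constructed sample content")
    data = bytearray(buf.getvalue())
    if encrypted:
        cd = data.rfind(b"PK\x01\x02")  # central directory file header
        flags, = struct.unpack_from("<H", data, cd + 8)
        struct.pack_into("<H", data, cd + 8, flags | ENCRYPTED_FLAG)
    return io.BytesIO(bytes(data))
```

Calling `audit_drive()` on the mount point of a removable drive returns a mapping from archive path to the encrypted entry names, which the auditor can then review with the file's owner.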