As long as information is the most valuable resource of the company, it is obvious that when we talk about auditing security, we should focus on the IT security audit. Getting information about the security procedures in your IT department is critical to your business. Are there any common IT security issues that we should pay attention to? An IT security auditor should check that the information you are using is securely kept and managed.

Keeping information secure is not a kind of art. There are some major issues your admin should remember. First, keep data in a secure place, such as an encrypted hard disk. Second, make sure only authorized persons can access certain information. Third, make sure it is not possible for an intruder to get your data.

To audit the backup process it is enough to emulate a system crash. How long will it take to recover the whole system? Will all the data be recovered? What data will be lost? Once the auditor has these data, it is necessary to compare them against the common industry, e.g. benchmark your backup process metrics against your colleagues.

What about controlling whether only authorized persons can access sensitive data? It is harder than checking up on backup. The thing you should start with is making sure that the authorized administrator has a clear structure of who has access to the sensitive data; there might be levels of access, but the whole system must be described clearly. This is the key part of secure authorization and information sharing. The most important question is how your people manage secure information. Is there a chance of copying secure information, e.g. a possible information leakage? Are there persons who are unaware of the security measures that are used within the company? Do users follow an appropriate password policy?

There are many more questions about possible security leakages and the must-scan issues. How to know what a security expert should scan? Well, it depends on how a potential intruder can get your data. It is necessary to use a file shredder (better if it runs in background mode) to make sure it is not possible to recover deleted data.

How to check if users are managing files in a proper way? Try to find possible breaks in security. For instance, someone can keep files not in the document management system, which is protected with strong encryption, but on a local hard disk, protecting them with an easy-to-crack password.

Can people at your company use flash drives? It is very dangerous, as it would be easy to copy the sensitive data and take it out of the company, but again, some businesses really require information to be copied onto flash drives. What is the solution? Try to monitor the actual information that is copied to these drives. For instance, if a user copies password-protected files, then it might be a possible security issue.

Checking the passwords is another task. Short or known passwords will not work. Make sure there is a password policy which tells what passwords are good and why. Make sure people follow this policy.
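The article says the auditor should start from a clearly described access structure and then check whether only authorized persons reach sensitive data. The following Python script is an added example, not part of the original article: it assumes a simple model in which documents carry a classification level and users carry a clearance level, derives the "who may access what" matrix from that structure, and then runs a constructed access log against it to flag accesses the structure does not permit. The user names, levels, document names and log lines are all constructed for the example.

```python
"""Added example: audit a documented access structure against an access log.

Assumptions (not from the original article): sensitive data is classified into
numbered levels, every user has a clearance level in the administrator's
access structure, and the system writes one 'key=value' log line per access.
All names, levels and log lines below are constructed for the example.
"""
import re
from typing import Dict, List, Tuple

# Access levels, lowest to highest. A user may access a document whose
# classification is at or below the user's clearance (assumed model).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

# The administrator's documented access structure (constructed sample).
USER_CLEARANCE = {"alice": "secret", "bob": "internal", "carol": "confidential"}

# Classification of the sensitive documents (constructed sample).
DOC_CLASS = {
    "newsletter.pdf": "public",
    "org-chart.docx": "internal",
    "customer-list.xlsx": "confidential",
    "merger-plan.docx": "secret",
}

# Constructed sample access log, one access per line.
SAMPLE_LOG = """\
2024-03-01T09:02:11 user=bob action=read doc=org-chart.docx
2024-03-01T09:05:40 user=bob action=read doc=customer-list.xlsx
2024-03-01T09:07:02 user=carol action=read doc=customer-list.xlsx
2024-03-01T09:09:55 user=dave action=read doc=newsletter.pdf
2024-03-01T09:12:30 user=carol action=copy doc=merger-plan.docx
2024-03-01T09:15:00 user=alice action=read doc=merger-plan.docx
"""

LOG_RE = re.compile(r"^(\S+) user=(\S+) action=(\S+) doc=(\S+)$")


def access_matrix(users: Dict[str, str], docs: Dict[str, str]) -> Dict[str, List[str]]:
    """Derive 'who may access what' from the documented structure.

    The auditor compares this matrix with what the administrator believes the
    structure to be; any surprise here is a documentation problem to fix first.
    """
    matrix = {}
    for user, clearance in users.items():
        allowed = [d for d, c in docs.items() if LEVELS[c] <= LEVELS[clearance]]
        matrix[user] = sorted(allowed)
    return matrix


def audit_access_log(log_text: str,
                     users: Dict[str, str] = USER_CLEARANCE,
                     docs: Dict[str, str] = DOC_CLASS) -> List[Tuple[str, str, str]]:
    """Return (user, doc, reason) for each access the structure does not permit.

    Three findings are reported: an actor missing from the structure, a
    document missing from the classification list, and an access above the
    actor's clearance. Each is something the auditor takes back to the admin.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line; a real audit would count these as well
        _ts, user, _action, doc = m.groups()
        if user not in users:
            findings.append((user, doc, "user not in access structure"))
            continue
        if doc not in docs:
            findings.append((user, doc, "document has no classification"))
            continue
        if LEVELS[docs[doc]] > LEVELS[users[user]]:
            findings.append((user, doc,
                             f"clearance {users[user]} below classification {docs[doc]}"))
    return findings


if __name__ == "__main__":
    for user, allowed in access_matrix(USER_CLEARANCE, DOC_CLASS).items():
        print(f"{user}: {', '.join(allowed)}")
    for finding in audit_access_log(SAMPLE_LOG):
        print("FINDING:", finding)
```

On the constructed log the script reports three findings: an internal-level user reading a confidential document, an actor who does not appear in the access structure at all, and a confidential-level user copying a secret document. The last two are exactly the "unaware persons" and "chance of copying" questions the article raises.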
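The article's last point is that short or known passwords will not work and that a written policy should say what a good password is. The Python checker below is an added example, not the article's code: it encodes one such policy (minimum length, no known password even with a trailing digit or symbol, no username inside the password, at least three character classes) and reports which rules a candidate breaks. The policy values and the tiny known-password set are assumptions chosen for illustration; a real deployment would load the known-password list from a large breach corpus and run the check at password-change time.

```python
"""Added example: check candidate passwords against a written password policy.

The policy values (minimum length, required character classes) and the short
known-password set are assumptions for illustration, not the article's.
"""
import string
from typing import List

MIN_LENGTH = 12  # assumed policy value

# Assumed stand-in for a list of known/leaked passwords (constructed, tiny).
KNOWN_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1", "admin"}


def policy_failures(password: str, username: str = "") -> List[str]:
    """Return the policy rules the password breaks; an empty list means compliant."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    # Strip trailing digits/symbols so 'Password1!' still matches 'password'.
    stem = lowered.rstrip(string.digits + string.punctuation)
    if lowered in KNOWN_PASSWORDS or stem in KNOWN_PASSWORDS:
        failures.append("is a known password (or a known password with a suffix)")
    if username and username.lower() in lowered:
        failures.append("contains the username")
    # Count how many character classes appear: lower, upper, digit, symbol.
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < 3:
        failures.append("uses fewer than 3 character classes")
    return failures


def is_compliant(password: str, username: str = "") -> bool:
    """True when the candidate breaks none of the policy rules."""
    return not policy_failures(password, username)


if __name__ == "__main__":
    # Constructed candidates a user might type at password-change time.
    for user, candidate in [("bob", "Password1!"), ("alice", "Correct-Horse-Battery-9")]:
        print(user, candidate, policy_failures(candidate, user) or "compliant")
```

Returning the list of broken rules rather than a bare yes/no is deliberate: the article says the policy should tell people what is good and why, and a change-password form can show these reasons directly.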