"Internet security is a colossal problem which threatens not only businesses but also critical national infrastructures which are dependent on e-government."
—Paddy Ashdown, member of Parliament, United Kingdom
Your manager has told you that, in light of recent events in the United States, it is your job to ensure that your system's security is up to scratch. Where do you start? Get in a security consultant? Do it yourself? Get a member of your staff to do it? Before you can decide, it will be useful to know what is involved in carrying out a security audit of your systems so that you can decide which option is best to take—for example, whether you have the skills required in house (and, if not, whether the security consultant you hire does!). This article looks at the business aspects of a security audit. The second article in this series looks at the technical aspects.
Requirements
The first thing a security audit needs to take into account is what your system requirements are:
Are the systems required to be available 24 x 7? Many e-business systems are required to have 99.99%–plus availability because they are used by users all over the world.
What are the access requirements? Is access to systems/data restricted within the company to senior management? Are customers/business partners/competitors allowed access to any part of the system (especially for e-business systems)?
How many users use the system on average and at peak times?
How much data is stored?
Are there legal requirements to store data for a certain period of time?
Are there legal requirements to protect data from intruders?
How sensitive is the data stored? How badly would it affect business if competitors or other intruders had access to that data or destroyed the data?
How sensitive is the system itself? How badly would it affect business for an unauthorized user to gain access to different parts of the system?