8 Questions to Ask Your Security Auditor
Here at Redspin, Inc. we get asked all sorts of questions, most of which can be answered with, “Down the hall, take a left, second door on the right.” After that, here are the eight most important questions we think you should be asking your independent security auditor.
1. Are you an independent security auditor?
This is the most important question you can ask your security auditor. Are they a pure, independent auditor, or are they a company with something else to sell that also happens to do audits? You don't want a company that sells solutions to perform your security audit, because the odds that they will find a problem that their solution happens to fix just went way up.
2. Do you do real analysis, and provide useful reports?
Beware the security auditor that hands you a 100-page report. Quantity in no way signifies quality in a security audit. What you want from a security auditor is a thorough report that focuses on the issues that are relevant to you. Any security audit can find 100 trivial problems. You want an audit that tells you which five issues actually matter.
3. Do you have a quality team?
Consulting firm staff straight out of college are useful for some things, but understanding complicated computer networks and the vulnerabilities associated with them is best left to dedicated security engineers.
4. Hey, aren’t you the guys who sell us our IT?
Don't hire the same people who set up your system to audit your system. As much fun as it would be for them to grade their own work, you probably won't get the most honest results from them. Be especially wary if they say that a "separate branch" of their company does the security audit, and yet another "separate branch" of their company offers solutions. This is what we like to call a "perfect storm of subjectivity."
5. Do regulators like you?
Mostly this matters if the answer is "no." Otherwise, it's a nice thing if the company doing your security audit is recognized by regulators as one that does excellent work, because regulators are then much more likely to accept the results without a second look.
6. How much do you cost, and why is that more/less than other firms?
You can pay a little, and have someone run an automated tool that looks at everything indiscriminately and checks off some boxes. You can pay a huge amount, and get a few people in suits from a consulting firm where this isn't really their focus; again, they're just there to complete a checklist. What you want is an independent security auditor who takes your business seriously, understands it completely, and can help you prioritize security risks and vulnerabilities in the context of your business.
7. Why do I need a security audit?
The easy answer is because a regulator is making you. The harder question to answer is "Why do I need a good security audit?" The answer to that depends on what industry you're in. It's obvious that industries like banking, casinos and e-commerce are especially attractive targets for mischief, and would want to make sure that their networks are as secure as they can reasonably be. If you're running an online palm reading business, maybe it's not as big a concern.
8. Have you ever done a security audit before?
Experience counts. Make sure that your security auditor has done a number of audits, and check with some of the companies they've audited to confirm that they do good work.
About the Author: John Abraham
Redspin specializes in security audit and security assessment services, which help identify potential threats. www.redspin.com