Security Policy Defined
A security audit is essentially an assessment of how effectively the organization's security policy is being implemented. Of course, this assumes that the organization has a security policy in place, which, unfortunately, is not always the case. Even today, it is possible to find a number of organizations where no written security policy exists. Security policies are a means of standardizing security practices by having them codified (in writing) and agreed to by employees who read them and sign off on them. When security practices are unwritten or informal, they may not be generally understood and practiced by all employees in the organization. Furthermore, until all employees have read and signed off on the security policy, compliance with the policy cannot be enforced. Written security policies are not about questioning the integrity and competency of employees; rather, they ensure that everyone at every level understands how to protect company data and agrees to fulfil their obligations in order to do so.
Natural tensions frequently exist between workplace culture and security policy. Even with the best of intentions, employees often choose convenience over security. For example, users may know that they should choose difficult-to-guess passwords, but they may also want those passwords to be close at hand. So every fledgling auditor knows to check for sticky notes on the monitor and to pick up the keyboard and look under it for passwords. IT staff may know that every local administrator account should have a password; yet, in the haste to build a system, they may just bypass that step, intending to set the password later, and therefore place an insecure system on the network.
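The passwordless local account just described is one of the few policy deviations an auditor can test for mechanically. The following is an added example, not code from the original text: it parses Linux `/etc/shadow`-style records (assumed format; the sample records are constructed) and flags accounts whose password field is empty, which is exactly the "set the password later" state a rushed build leaves behind.

```python
"""Audit check for the 'local account with no password' finding.

Parses /etc/shadow-style records and reports accounts whose password field
is empty, i.e. accounts that can log in with no password at all. The sample
records below are constructed for this example; run against real data with
`audit_shadow(open("/etc/shadow").read())` (requires root to read the file).
"""
from dataclasses import dataclass

# Constructed sample: 'build' was created during a rushed system build and
# never given a password (empty second field). The hash for root is a dummy.
SAMPLE_SHADOW = """\
root:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOP:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
build::19700:0:99999:7:::
svc-backup:!:19700:0:99999:7:::
"""

@dataclass
class ShadowFinding:
    user: str
    status: str  # "no_password", "locked", or "password_set"

def classify_password_field(field: str) -> str:
    """Map a shadow password field to an audit status."""
    if field == "":
        return "no_password"   # login succeeds with no password at all
    if field.startswith(("!", "*")):
        return "locked"        # password login disabled for this account
    return "password_set"      # a hash is present; strength is a separate check

def audit_shadow(text: str) -> list[ShadowFinding]:
    """Classify every account in a shadow file; reject malformed records."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: malformed shadow record")
        findings.append(ShadowFinding(fields[0], classify_password_field(fields[1])))
    return findings

def accounts_without_password(text: str) -> list[str]:
    """Account names an auditor should report as policy violations."""
    return [f.user for f in audit_shadow(text) if f.status == "no_password"]

if __name__ == "__main__":
    for user in accounts_without_password(SAMPLE_SHADOW):
        print(f"FINDING: account '{user}' has no password set")
```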
The security audit should seek to measure security policy compliance and recommend solutions to deficiencies in compliance. The policy should also be subject to scrutiny. Is it a living document, accurately reflecting how the organization protects its assets on a daily basis?