NWME: How is Emitac looking at security audit as an area of focus?
EJ: We give the security audit area of IT a lot of focus and this focus comes from the company’s underlying importance of IT security in general. In addition, Emitac has a number of top level vendor partnerships, as well as IT security specialisations with most of the traditional security and networking vendors.
Having said that, Emitac also has experienced and well-trained consultancy and implementation capabilities. It must be kept in mind that as utilisation, security standards, applications and organisations evolve, their security structures will change as well. With this in mind, the IT security audit is not a one-time task, but a continual effort to improve data protection. The audit measures the organisation's security policy and provides an analysis of the effectiveness of that policy within the context of the organisation's structure, objectives and activities. At Emitac, we do keep track of the industry and accordingly we partner with the most effective and reputed vendors.
NWME: What are the best practices that are required for a successful security audit?
EJ: The audit should build on previous audit efforts to help refine the policy and correct deficiencies that are discovered through the audit process. Whereas tools are an important part of the audit process, the audit is less about the use of the latest and greatest vulnerability assessment tool, and more about the use of organised, consistent, accurate, and scalable data collection and analysis to produce findings that can be measurably corrected. We can put the following 14 points as best practices for a security audit:
· Take into consideration your old security audit results and your current security policy
· List Security Audit scope definition; assets and security perimeters.
· Create a Threat list
· List expected Future threats and why they are due to occur
· Put Priority for Your Assets & assign Vulnerabilities level
· Choose Security products with a leading vision according to international references like Gartner.
· Implementing Network Access Controls
· Implementing Intrusion Prevention
· Implementing Identity & Access Management
· Creating Backups
· Email Protection & Filtering
· Readiness with Physical Intrusions Prevention
· Scalable Security Audit with needs, internal capabilities, Cost and time frame.
· Reflect it into your security policy and Repeat starting from step 1 after 1 or 2 years
NWME: What are the challenges and opportunities organisations face in the area of security audits?
EJ: The first major challenge is that of growth. As divisions within organisations are expanding, policies and practices should scale accordingly; this is why we say: security is many things to many people. The opportunity comes in the way of a deeper security audit level reaching the application and software level like HP Software – Application Security Centre.
Another challenge is the proper implementation and compliance of the security policy coming after the security audit. The opportunity it presents is security audit compliance automation software like STRM from Juniper Networks.
NWME: Education and raising awareness is key in this area. What has been your approach towards educating the market and organisations on how best they can undertake a successful audit process?
EJ: We do use several ways to educate and attract customers towards security related matters that include explaining in detail that such products will make any security audit easier in the future as it will comply with two to three requirements before selling any security audit solution to them.
Email campaigns with specific practices and threats explained like Web versus 2.0 with Secure Computing and DLP with McAfee Workshops for CIOs and CTOs are other initiatives we are using to raise education awareness in this space.