DocumentCode
1597663
Title
Security audit: a case study [information systems]
Author
Lo, Edward C. ; Marchand, Mike
Author_Institution
Univ. Coll. of the Fraser Valley, NV, USA
Volume
1
fYear
2004
Firstpage
193
Abstract
This paper presents the basics of an information systems security audit, through a real security audit carried out on a medium-sized organization. The audit was the first security audit done on the company and would serve as a security baseline for future audits. An effective security audit should not be a one-time event but rather an ongoing process. Security is a delicate balance between protection, availability and user acceptance. We started the security audit at the outside of the network and gradually worked our way inward. We performed a vulnerability check on the exposed IP addresses and ports. Each of the vulnerabilities found was carefully assessed to see if it violated the security policies of the organization. The firewalls and various remote access methods of the organization were also evaluated. Using a wireless network sniffer, we found the footprints of the wireless LAN and some interesting results were obtained. Finally, some sensitive managerial issues and findings of an awareness survey of information security were presented.
Keywords
auditing; data privacy; information systems; security of data; telecommunication security; wireless LAN; availability; data privacy; exposed IP address vulnerability check; exposed ports; firewalls; information security awareness; information systems security audit; ongoing security process; organization security policies; password audit; protection; remote access methods; user acceptance; wireless LAN footprints; wireless network sniffer; Computer aided software engineering; Computer science; Data privacy; Data security; Information security; Information systems; Law; Management information systems; Protection; Wireless LAN;
fLanguage
English
Publisher
IEEE
Conference_Titel
Electrical and Computer Engineering, 2004. Canadian Conference on
ISSN
0840-7789
Print_ISBN
0-7803-8253-6
Type
conf
DOI
10.1109/CCECE.2004.1344989
Filename
1344989