IT Security Project Management Handbook

There are two distinct processes: audit and assessment. An assessment is intended to look for issues and vulnerabilities that can be mitigated, remediated, or eliminated prior to a security breach. An audit is normally conducted after an assessment with the goal of measuring compliance with policies and procedures. Typically, someone is held accountable for audit results. Some people don't like the term auditing; perhaps it's too reminiscent of ol' Uncle Sam scouring through your tax return from three years ago when you claimed that one vacation as a business trip because you talked to your boss on your cell phone while waiting at the shuttle to your beachfront hotel. Though the terms assessment and audit are often used interchangeably, in this chapter we focus on assessments.
As we've discussed throughout this book, there are three primary components of IT security: people, process, and technology. A balanced approach addresses all three areas, because focusing on one area to the exclusion of the others creates security holes. People, including senior management, must buy into the importance of security, and they must understand and participate in their role in maintaining security. Process includes all the practices and procedures that occur and recur to keep the network secure. Technology obviously includes all hardware and software that comprises the network infrastructure. Part of the technology assessment required to assess and harden infrastructure security includes deploying the right technological solutions for your firm and not the...