ADT’s reference library contains “Five Reasons Every Business Should Audit Their Security Once a Year.” The article, obviously an advertisement for their physical and network security services, is still worth a read. Why?
The article lists several reasons for and the benefits of assessing each area of the business, and if you’re having trouble getting approval for an assessment, these bulleted lists may provide some ammo.
Although the 5 reasons are geared more to physical security than information security, they do touch on the latter. Besides, when was the last time you considered the physical side of security?
The 5 reasons, according to ADT, for auditing your business are:
1. Evolving Business Environments
2. Updated Recommendations for Emergency Planning
3. Trends in Workplace Violence [how often have you seen this on a list?]
4. New Governmental Codes and Regulations
5. Improvements in Security Technologies
I would add two more reasons to audit business security:
6. Changes in Personnel
When key positions in some departments change, you can lose your security gatekeepers. For example, if Human Resources loses the person who ensured managers promptly processed employee terminations, IT won’t be notified that account access needs to be terminated. Keep a list of key people, and keep in touch with them periodically.
If a key manager leaves, that can leave a big hole in his area of expertise. More holes can appear if key individuals follow him to his new company.
7. Changes in Management Direction
If management decides to quit requiring all employees to wear ID badges, outsource the security guards, or allow the use of social networking tools on the network, your risk factors have changed. Stay in touch with management and understand the reasons behind their decisions.
Obviously, security reviews should occur more frequently than once a year because the business (and the associated risks) is constantly changing.
Read the full article here.