What is the Difference Between a Security Assessment and a Security Audit?
Many tech professionals will tell you that a Security Assessment and a Security Audit are the same thing. Unfortunately, this assumption isn’t valid. To get an answer, I spoke with Ben Howard, a Senior Technician at NSK Inc who is CISSP Certified and is in the process of becoming CISA Certified. An expert on system security, he clearly explained the difference between Security Assessment and Security Audit.
The truth is Security Assessment isn’t a valid term! Most people associate “Security Assessment” with “Vulnerability Assessment” which is actually just one part of a Security Audit. So what exactly is a Security Audit?
A Security Audit is an extensive and formal overview of an organization’s security systems and processes. The audit is an all-encompassing, in-depth, review of not only physical attributes (networks, firewalls, hardware, etc.) but other areas including policy and standard operating procedures.
The term Security Assessment is generally referring to a Vulnerability Assessment which scans an organization’s infrastructure and identifies vulnerabilities (faulty firewall, lack of system updates, malware, etc.). With the assessment results, the technician can recommend steps to remedy the problems within the system.
Keep in mind, a Vulnerability Assessment is only a part of a Security Audit. Assessments can be performed individually, but they only cover one specific area. However, a Security Audit looks at all aspects of an organization’s security rather than just scanning the systems currently in place.
A Security Audit consists of:
- Looking for holes in policy
- Physical Assessment (hardware, etc.)
- Access Control Assessment
- Vulnerability Assessment
- Design Controls/Processes
- Review of Standard Operating Procedures and Policies
- Review of Backup Disaster Recovery/Disaster Recovery Plan
- This includes a Risk Assessment
- Configure Management
- Compliance Audit
- 201 CMR 17
- PCI DSS
Put simply – a Security Audit consists of both a technical and conceptual overview of an organization’s security systems and practices. A Vulnerability Assessment solely scans the organization’s infrastructure and identifies flaws within the system.
Looking For a Security Assessment For Your Business?
Contact Focus Technology today for a complimentary security assessment.