A security audit is an analysis of whether the security of an information technology system is adequate. General types of security audit include an IT audit, which covers the whole of a company's IT systems, and a computer security audit, which covers a single IT system or process. These internal audit processes are carried out to confirm that security is sufficient for whatever IT systems a business operates.
Those conducting a security audit may examine encryption or other elements of online or computerized security. They may interview computer users to determine whether the human factor is a weak link in the organization's security. A security auditor may also conduct a penetration test, or another type of security assessment, to judge how secure an IT system actually is.
Some security audits are ordered by business leadership as part of protecting the company's bottom line. Others are conducted to comply with federal, state or local laws when corporate data carries a risk to the public. In such cases, government agencies may require periodic security audits to demonstrate that the business is safeguarding public data.
The legislation known as the Health Insurance Portability and Accountability Act, or HIPAA, is a main driver of security audits for medical businesses. HIPAA rules impose stringent requirements on patient data security, and every medical-related facility or business has to comply with them. Security audit tasks may therefore include specific checks that HIPAA requirements are being followed within the company or on its network.
Financial and other businesses may conduct a security audit under the regulations imposed by the Sarbanes-Oxley Act. Although Sarbanes-Oxley was designed as a protection against corrupt accounting practices, compliance with it may include elements such as security audits as part of an overall auditing process. In other cases, consumer protection legislation may require a business to conduct a security audit.
A business often has a security policy that mandates when and how a security audit should be done. The security audit may also involve examining the "checks and balances" within a department or business system. All of this effort serves the overall goal of safeguarding data and providing competent security for any kind of enterprise. Professional auditors are trained in the precise metrics that show whether a security system is reliable and reasonably protected against outside attacks.