In less than a decade, Internet security has evolved from an almost esoteric topic to become one of the more important facets of modern computing. And yet it's a rarity to find companies that actually consider information security to be an important job function for all workers -- and not just the IT department's problem.
Unfortunately, it's the general opinion of most companies, particularly at the management level, that their computer systems are secure. However, one of the only ways to determine whether this is actually true is by performing a thorough audit of computer systems. But most companies don't make it a habit of performing regular security audits, if they perform them at all.
In my experience, many companies base their Internet and information security strategy entirely on assumptions. And we're all familiar with that old saying about making assumptions.
But I don't entirely blame companies for failing to conduct periodic computer security audits. Frankly, the complexity and variability of administering and interpreting a comprehensive computer systems audit is equal to the complexity and variability of the systems used in corporations.
Several dozen popular commercial network and computer security auditing programs are currently available. While I've used several myself, I've honestly found no favourites. These tools produce mountains of useful information, but understanding what to do with the data is no simple job.
Most computer network and system security audits begin the same way. An automated program gathers information about hosts on the corporate network, identifying the type of network device. If applicable, it also scans the TCP and UDP services that are present and "listening" on the host, and it might even determine the versions of the software supplying an Internet service.
In most cases, the process involves at least two automated scans -- one of internal networks, which are generally behind a firewall, and one of the Internet subnet used by the corporation. If a security audit doesn't include both an interior and exterior scan, then you're not getting a complete picture of what hosts are on your organisation's network.
In addition, I also recommend that companies perform their own auditing whenever possible. If not, it's vital that you select an Internet security vendor you don't currently do business with.
Talkback
It was just a thought and i don't know whether it will be useful but anyway here goes;
Since all hackers get into your computer mostly through e-mail messages, why not having a seperate hard disk maintained for internet downloadings, email, etc. This drive shouldn't communicate with other drives on the computer. So even if a virus is downloaded, it would not harm system files or effect other important files.
once again, I WAS JUST A THOUGHT...
I think a useful security audit shoud take the users into account.
If this is an audit about the usual worms, zombies and viruses fauna, having a look at what the user's privileges are versus what they need to be is an efficient step.
If the goal is to avoid things such as leak of important documents, it's good to lay out what are the policies for that too.