Security audits produce a huge amount of data, and you need to be prepared to review this information in order to truly benefit from the audit. It's also important to understand that a computer security audit may report potential problems where no real issue exists.
For example, an isolated switch from 1998 in an internal network could quite possibly be running firmware that's vulnerable to a denial-of-service flood. Should you replace it? Probably not. Nor should you be too concerned about the ancient Windows NT 4 system running outdated voice mail software that's subject to an obscure TCP sequence number exploit. It's not running anything other than a specialised application for voice mail services, and it's behind the firewall.
But some issues should concern you. For example, it's a good idea to disable guest accounts on dedicated Windows servers. Don't run IIS on Windows domain controllers, and DNS servers should not be running services other than DNS either.
However, a security audit may not always identify these issues, and one could debate whether it's actually a security problem. When there's doubt, disable unused services, or determine a secure solution.
The major problems with security audits are that they typically produce either too much data or not enough. A dearth or an excess of data can lead to misinterpretation and even exploitation of the information. Fear remains a very effective way to sell unnecessary equipment and services to companies that don't truly understand security.
For example, one company's recent Internet security audit completely ignored the security issue of direct VPN connections to the internal network and a dial pool, both of which completely bypassed the firewall. Coincidentally, while the same vendor that performed the audit was busy replacing functioning internal network equipment due to "vulnerable" firmware, one of the many recent Bagle flavors was busy spreading internally, sourced from a remote office connected via a VPN.
Knowing what is and what isn't a significant issue goes to the very core of understanding Internet and information security. While assumptions can be correct, in many cases, they're dead wrong. Perform regular security audits on your organisation's network to be sure. And if you're not using a particular TCP or UDP service, shut it off.
Talkback
It was just a thought and i don't know whether it will be useful but anyway here goes;
Since all hackers get into your computer mostly through e-mail messages, why not having a seperate hard disk maintained for internet downloadings, email, etc. This drive shouldn't communicate with other drives on the computer. So even if a virus is downloaded, it would not harm system files or effect other important files.
once again, I WAS JUST A THOUGHT...
I think a useful security audit shoud take the users into account.
If this is an audit about the usual worms, zombies and viruses fauna, having a look at what the user's privileges are versus what they need to be is an efficient step.
If the goal is to avoid things such as leak of important documents, it's good to lay out what are the policies for that too.