Information security is addressed by several ISO standards, e.g. ISO/IEC 27001 (Information security management systems - Requirements), ISO/IEC 27002 (formerly ISO/IEC 17799 - Code of practice for information security management), ISO/IEC 27005 (Information security risk management) and ISO/IEC 24762 (Guidelines for ICT disaster recovery services).
The Act on the Protection of Personal Data, the Regulation of the Council of Ministers of October 11, 2005, and the Regulation of the Council of Ministers of April 12, 2012 on the National Interoperability Framework are just some of the legal provisions that impose obligations on private-sector companies and public entities, such as registering personal data filing systems with GIODO, implementing security policies or carrying out annual security audits.
Regardless of the procedures, standards and security policies in place, penetration testing is an indispensable element of control: it examines the security level of the IT environment in practice and exposes its weaknesses. The tests cover infrastructure elements such as wired and wireless networks, servers, network devices and workstations, as well as electronic communication channels (e-mail, IP telephony, instant messaging), Internet-facing points of contact and websites.
System users are usually the weakest link in the security chain. Regardless of the systems, devices and procedures used, a person whose vigilance can be lulled is an easy target for a potential intruder. Employee inattention or ignorance is the most common cause of malware activation, unauthorized access, data leakage and other security-critical incidents.
Lack of control over the software installed and used in the company, apart from the legal consequences of license violations, also carries the risk of running Trojan horse tools designed for spying, remote control and theft of information (e.g. bank account credentials). One element of the audit should therefore be a thorough inventory of the applications installed on workstations and verification that each application is legally licensed.