Why Should Information Security Audits be a Top-down Decision?
As a top level executive, can you say that you are supremely confident you’re
not going to be the victim of an attack against your business continuance or
confidential data? If you can, you are definitely in rare company these days.
Was your last security audit performed by an objective third-party, conducted
using the latest tools and techniques, and conducted on a periodic basis with
trending? In many companies today, top executives simply assume that all of
these important factors are being handled by their IT groups. However, as a top
executive, isn’t the company’s well-being really resting in your hands?
If you haven’t thought about initiating an audit yourself, as a check and
balance or even to validate the good word coming from the internal IT trenches,
now is your time to act. You can’t avoid reading at least some of the headlines
today regarding negative security events happening around the world. In the last
month alone there were literally hundreds.
Hackers, viruses and worms are in fact wreaking havoc and causing significant
monetary, competitive and psychological damage. For corporations, mitigating the
potential loss involves timely detection, effective communication and a plan for
resolution. Unfortunately, security teams are feeling the squeeze caused by
reduced staffs that have to deal with larger enterprises, networks and systems.
As an executive, one of your primary concerns has to be whether or not you
really know your company’s level of risk.
One answer is information security auditing that is accurate, comprehensive,
and tailored to executives. Another cost-effective option growing in popularity
is outsourced monitoring, response, and auditing in the form of Managed Security
Services. Centralized security management solutions are gaining popularity
because of their ability to aggregate, standardize, analyze and report security
event information in a more cost-effective manner. Managed Security reports can
also be tailored to executives to validate internal feedback from managers or to
present directly to their board of directors.
Executive Considerations
Negative public perception because of the new forced disclosure laws on the
books is one of the latest and more widespread concerns. The law, called "SB
1386," is intended to combat identity theft. It passed last September in the
wake of a high-profile computer intrusion into a California state government
system in which some 200,000 employees whose personal information was stolen
were not warned until weeks after the incident. While the law is on the
California books, the
impact is national and many experts believe the law will be adopted in a
more widespread fashion in the coming years.
The increased prevalence of cyber attacks has caused cyber-insurance rates to
skyrocket. At the same time, insurance companies are receiving more
hacking-related claims and are thoroughly investigating cyber attacks to ensure
that a company has met all of its liability requirements by properly installing
and maintaining its security infrastructure. Those that haven't met liability
requirements won't be covered by insurance. Conversely, those who exceed
requirements may soon enjoy a discount in their premiums.
Network risk insurance premiums range from $5,000 to $30,000 per year, per $1
million in coverage, and the hacker insurance market is expected to jump from
$100 million in 2003 to $900 million by 2005, according to industry reports.
Insurance premiums are going to whittle away at corporate profits unless
companies can show that they have employed all possible network controls,
procedures and audits to mitigate liability.
While the sophistication of hacking tools has grown and has contributed to
non-hackers being able to penetrate and disable systems, it’s the worm and virus
growth that has made the news. Worms today are growing dramatically in their
ability to propagate themselves, collect and forward data, as well as create
backdoors for other hackers to attempt access. When audited, many companies find
themselves behind on security patches that have been available for months.
A Viable Action Plan – Know Your Current Level of Risk
Having an independent accounting firm perform a thorough audit of your
organization’s financial records is customary; in fact, for a publicly held
company, it’s required. In today’s connected society, it's equally important to
conduct independent testing to assure that your organization's systems and
security policies effectively protect your assets and are correctly implemented
in your environment. An information security audit provides an assessment of the
vulnerabilities in your security and, as an executive, gives you validation of
your own team's efforts by an objective third party.
Why Outsource?
Anyone can scan your network perimeter and probe it for vulnerabilities. So
why pay an outsider to do it? Here's why: a penetration testing consultant or
organization (the “auditor”) employs staff trained in anti-hacking, and provides
comprehensive reports and recommendations to help you improve your security
posture. They use a well-conceived test plan that can be repeated (a) to verify
that the corrective measures you take following an initial "base-line" report
are properly implemented, and (b) to distinguish new vulnerabilities from
deviations from the baseline that are legitimate policy changes.
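As an added illustration (not code from the original article or from any auditor), this is one way the repeatable test plan described above can be expressed: each finding from the follow-up audit is compared against the baseline report and the organisation's approved-change list, so the executive summary separates what was fixed, what is still open, what is genuinely new, and what is only a legitimate policy change. The hostnames, services and findings are constructed sample data.

```python
"""Classify follow-up audit findings against the baseline report.

Added example; all sample hosts and findings below are constructed.
"""
from dataclasses import dataclass, astuple


@dataclass(frozen=True)
class Finding:
    host: str      # constructed hostname
    service: str   # e.g. "http/80"
    issue: str     # short label for the vulnerability or exposure


def classify(baseline, followup, approved_changes):
    """Return {"fixed", "still_open", "new", "accepted_change"} -> [Finding].

    approved_changes is a set of (host, service) pairs that the change-control
    process explicitly authorised between the two audits; a finding on such a
    pair is a policy deviation, not a new vulnerability.
    """
    base, follow = set(baseline), set(followup)
    buckets = {"fixed": [], "still_open": [], "new": [], "accepted_change": []}
    # Baseline findings absent from the follow-up were remediated.
    buckets["fixed"] = sorted(base - follow, key=astuple)
    for f in sorted(follow, key=astuple):
        if f in base:
            buckets["still_open"].append(f)
        elif (f.host, f.service) in approved_changes:
            buckets["accepted_change"].append(f)
        else:
            buckets["new"].append(f)
    return buckets


def summary_counts(buckets):
    """Per-bucket counts, the numbers an executive summary would report."""
    return {name: len(items) for name, items in buckets.items()}


# Constructed sample data: initial baseline report and the repeat audit.
BASELINE = [
    Finding("web01.example.test", "http/80", "outdated TLS configuration"),
    Finding("db01.example.test", "mysql/3306", "reachable from the internet"),
    Finding("mail01.example.test", "smtp/25", "open relay"),
]
FOLLOWUP = [
    Finding("web01.example.test", "http/80", "outdated TLS configuration"),
    Finding("vpn01.example.test", "ipsec/500", "aggressive mode enabled"),
    Finding("web02.example.test", "http/8080", "new listener"),
]
APPROVED = {("web02.example.test", "http/8080")}  # authorised via change control

if __name__ == "__main__":
    for name, items in classify(BASELINE, FOLLOWUP, APPROVED).items():
        print(name, [f"{f.host} {f.service}: {f.issue}" for f in items])
```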
In addition, the auditor is an objective participant in determining the risks
associated with your environment. If they are your sole means of evaluating your
systems, then they can be seen simply as the experts performing what they do
best. When used in addition to internal efforts, an outsource partner is
an excellent way to validate your internal efforts and allow your internal staff
to benefit from the knowledge transfer regarding the latest tools and techniques
employed by the experts.
Choose Carefully for Maximum Benefits
There are many competent security auditing companies willing and able to
perform security audits for you. You can find some of the most competent testers
in some of the smaller companies. Investigate carefully and contact several of
their references for feedback on the process and the deliverables. Choose the
company that will take time up front to describe the testing process thoroughly,
in plain-speak, until you are comfortable. When budgeting, factor in the cost
and effort of following through with the recommendations the auditor makes.
Remember, security is an ongoing process. A security audit provides you with
a snapshot of your current security posture. Your network will evolve; new
vulnerabilities will be identified and your risk will increase again over time.
A security audit is not a magic bullet, but it indicates whether you've got
everything buttoned down tightly, or whether your company is low-hanging fruit
for attackers. Either way, you're better off finding out under controlled
circumstances. As an executive, you do not have to wait until your IT department
has the time to audit its own environment; take steps to ensure the stability
of your company, as well as your own longevity, by commencing your own security
auditing initiative.