by Thomas Wailgum

Make Sure To Run IT Security Audits

Apr 25, 2007

CIOs asked to monitor workers in their companies need to look at their own departments first

Before CIOs start worrying about other parts of the business, they need to make sure their own hatches are battened down.

Richard Hunter, a vice president and analyst on security and privacy with Gartner, says that CIOs should regularly run IT security audits on the “practices and procedures related to IT operations,” including password practices, logging capabilities, how systems are monitored, and other access control mechanisms. The audit needs to be an objective “examination of records by an impartial third party,” Hunter says.
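To make the audit categories Hunter lists concrete, the script below is an added example written for this page (not code from Gartner, CIO.com or any company named here). It checks constructed fragments of three Unix configuration files against a simple baseline: password aging and length from login.defs, remote-login and logging settings from sshd_config, and passwordless privilege grants from sudoers. The thresholds and the default values assumed for missing keys are this example's assumptions, not a published standard, and the sample inputs are constructed rather than taken from any real host.

```python
"""Small configuration audit over constructed sample inputs.

Added illustration only; the thresholds below are assumptions chosen for
the example, not an audit standard.
"""

# Constructed sample of /etc/login.defs lines (not from any real host).
LOGIN_DEFS = """
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
"""

# Constructed sample of /etc/ssh/sshd_config lines.
SSHD_CONFIG = """
PermitRootLogin yes
PasswordAuthentication yes
LogLevel QUIET
"""

# Constructed sample of /etc/sudoers lines.
SUDOERS = """
root    ALL=(ALL) ALL
ops     ALL=(ALL) NOPASSWD: ALL
"""


def parse_kv(text):
    """Parse 'KEY value' lines, dropping blanks and comments; last value wins."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[0]] = parts[1].strip()
    return out


def audit_passwords(login_defs):
    """Password aging and minimum length (assumed limits: 365 days, 12 chars)."""
    cfg = parse_kv(login_defs)
    findings = []
    max_days = int(cfg.get("PASS_MAX_DAYS", 99999))  # assumed default if unset
    if max_days > 365:
        findings.append(f"PASS_MAX_DAYS={max_days}: passwords never effectively expire")
    min_len = int(cfg.get("PASS_MIN_LEN", 0))  # assumed default if unset
    if min_len < 12:
        findings.append(f"PASS_MIN_LEN={min_len}: below assumed 12-character minimum")
    return findings


def audit_ssh(sshd_config):
    """Remote-access and logging settings for the SSH daemon."""
    cfg = parse_kv(sshd_config)
    findings = []
    # Defaults assumed for missing keys follow current OpenSSH documentation.
    if cfg.get("PermitRootLogin", "prohibit-password").lower() == "yes":
        findings.append("PermitRootLogin yes: direct root SSH logins allowed")
    if cfg.get("PasswordAuthentication", "yes").lower() == "yes":
        findings.append("PasswordAuthentication yes: key-only authentication not enforced")
    if cfg.get("LogLevel", "INFO").upper() == "QUIET":
        findings.append("LogLevel QUIET: SSH logins are not logged")
    return findings


def audit_sudoers(sudoers):
    """Flag any principal granted unrestricted sudo without a password prompt."""
    findings = []
    for line in sudoers.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        user = line.split()[0]
        # 'NOPASSWD: ALL' grants every command without re-authentication.
        if "NOPASSWD" in line and "ALL" in line.split(":", 1)[-1]:
            findings.append(f"sudoers: {user} has passwordless unrestricted sudo")
    return findings


def run_audit(login_defs=LOGIN_DEFS, sshd_config=SSHD_CONFIG, sudoers=SUDOERS):
    """Return the combined list of findings for the three inputs."""
    return audit_passwords(login_defs) + audit_ssh(sshd_config) + audit_sudoers(sudoers)


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

On the constructed inputs every check fires, which is the point of a baseline: the script records what the configuration says, not what the administrator believes it says. A real audit would read the live files and, per Hunter's point about impartiality, be run and reviewed by someone outside the team that owns them.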

In addition to ensuring that he has appropriate checks and balances in his IT group, John Halamka, CIO of CareGroup and Harvard Medical School, retains Third Brigade, a white-hat hacking company, to conduct periodic vulnerability assessments. Besides providing a checkup on his security systems, Third Brigade can also tell Halamka what his own IT staff could do to his systems with the access they hold, should they choose to abuse it. (Halamka says he has never had to fire an IT person for abusing IT access privileges.)

“What I always say is, if you don’t think you have security problems, you haven’t looked hard enough,” says Halamka.