Guide helps auditors assess computer security efforts

Federal inspectors general and information technology executives have a new weapon in the fight against computer hackers. A new guide from the General Accounting Office and the National State Auditors Association (NSAA) describes how to create or enhance an information security auditing program.

Security professionals have long relied on independent penetration tests and ethical, or "white hat," hacking to test the effectiveness of an agency's security measures. But until now, very little has been done to measure the effectiveness of computer security initiatives themselves.

"Computer security has…become much more important as all levels of government utilize information security measures to avoid data tampering, fraud, disruptions in critical operations and inappropriate disclosure of sensitive information," wrote Comptroller General David Walker and NSAA President Ronald Jones, who is also Alabama's chief auditor, in the introduction to the guide, "Management Planning Guide for Systems Security Auditing."

In order to remain accountable, auditors must be able to evaluate the effectiveness of information security programs, the guide said. The guide includes information on how to create a security auditing program, when to use consultants, and how to identify what security skills consultants lack.

"Security is a big problem," said Alan Paller, director of research at the System Administration, Networking and Security Institute, a technology research and education group based in Bethesda, Md. According to Paller, security auditors can make ineffective security even more of a problem if they are not adequately trained. "The nontechnical auditor becomes part of the problem," he said. "Technical auditors are key."

While the guide is aimed at use by auditors, federal agencies can use its recommendations, too.
The guide points out common security program weaknesses such as ad hoc or poorly defined responsibilities in technology offices, lack of education and awareness among technical staff, failure to take full advantage of already-installed software, inadequate contingency planning, and lack of oversight by senior management.