Hardening by Auditing: A Handbook for Measurably and Immediately Improving the Security Management of Any Organization

Developing an internal auditing capability within an organization is as important to the continued success of that organization as any other initiative or process. An "audit" is a systematic, independent, and documented process for obtaining evidence and evaluating it objectively to determine the extent to which audit criteria are fulfilled. "Internal audits" are audits conducted by on behalf of the organization itself for internal purposes, and can form the basis of the organizations self-declaration of conformity or compliance. A well-planned, effective, internal auditing program should consider the relative importance of the processes and areas to be audited. Don't waste time on the unimportant. The success of an organization is the sum of the effectiveness of Management authority, responsibility, and accountability. They are, in turn, the sum of the manner in which Management deals with the findings of the internal audits. The premise of this book and my reason for creating it is simple: 1. Our organizations (large and small - public and private) and, in fact, our lives are in danger from both physical and cyber-attacks, because we remain incredibly uneducated, unstructured, and vulnerable, when it comes to threats to their security. 2. Organizational Security can be upgraded profoundly through a well-developed program of internal and outside audits. 3. Similar or co-located organizations can combine resources synergistically. That is, the whole of the effort will be greater than the sum of its parts. I have kept this work as compact as possible, so as to minimize reading time and maximize productivity. I write for no-nonsense managers with big responsibilities and limited resources. I refer often to four excellent ISO International Standards. They offer guidance for structuring effective management programs rapidly, regardless of whether or not organizations desire certification by accreditation bodies. I invite you to use my approach to Risk Management, as explained in the pages that follow. You will find it an effective and uncomplicated method for developing and monitoring your strategic plans. Developing a security "mindset," using the checklists provided, and taking action on your findings will improve your security posture - immediately and continuously. Good luck, and now let's get to work.