
Testing, Auditing, and Training

2006 
The chapter discusses the basic diligence efforts needed to keep a security program healthy. The purpose of a security audit is to assess the quantity of risk and the effectiveness of the organization's risk management processes as they relate to the security measures instituted to ensure the confidentiality, integrity, and availability of information and to instill accountability for the actions taken on the organization's systems. Information security is the process by which an organization protects and secures the systems, media, and facilities that process and maintain information vital to its operations. The security of systems and information is essential for the privacy of organizational and corporate customer information. Security professionals must maintain effective security programs adequate for their organization's operational complexity. These security programs must have strong board- and senior-management-level support, integration of security responsibilities and controls throughout the organization's business processes, and clear accountability for carrying out security responsibilities. The chapter provides guidance to security professionals and organizations on determining the level of security risks to the organization and evaluating the adequacy of the organization's risk management.