November 2012 IT Business Consulting Newsletter

IT Security Audits

By Tom K

Company Security Audits are huge undertakings, encompassing all of your company’s physical, electronic, and intellectual assets, reviewing and creating policies, and assessing security awareness training programs.

Rather than attempt even outlining this monster in a single article, this month’s newsletter will provide guidance on performing a critical subset of a Company Security Audit... the IT Security Audit.

The PCI Compliance Program

Most of you already accept and process credit cards as part of your normal business. The PCI DSS compliance program, developed for businesses that process payment cards, is a comprehensive starting point for a security audit of your IT resources.

The PCI Security Standards Council is an open forum that is “responsible for the development, management, education, and awareness of the PCI Security Standards”. As such, they have developed excellent Self Assessment Questionnaires (SAQs) that are great templates for performing IT Security Audits.

There are 9 different SAQs, each applicable to a different type of merchant. In the VRM industry, the three that are most applicable are SAQ C, SAQ C-VT and SAQ D (merchant). SAQs C and C-VT were developed for businesses with simple networks that transmit credit card data over the Internet but do NOT store any cardholder data electronically: SAQ C covers merchants whose payment application systems are connected to the Internet, and SAQ C-VT covers merchants that enter card data only through a web-based virtual terminal on an isolated computer. SAQ D covers all other merchants, including those that DO store cardholder data electronically or have more complex networks.

The PCI Security Standards Council provides a tremendous amount of information on compliance, and numerous documents and tools to help businesses work through the SAQs and become compliant. The SAQs themselves, along with the SAQ Instructions and Guidelines document that explains how to choose among them, can be downloaded from the Council's website.

I suggest that you download and review the SAQ that applies to your business and begin working through the sections. If you don't currently accept credit/debit cards, use SAQ C anyway; its controls (firewalls, default passwords, antivirus, patching, access control) are a sound baseline for any small business network.

Since the questionnaires are very comprehensive, they can be somewhat overwhelming. The guides on the PCI site can be very helpful. Additionally, my previous newsletters can be helpful, as many relate directly to sections in the SAQs, such as antivirus and software update solutions, secure passwords, and secure banking practices. But if you don't have an experienced IT staff in your office, you may want to consult with your IT providers.

In any case, the benefit of performing an IT Security Audit is very much worth the effort.

Additional Benefits

The most obvious benefit is knowing whether your IT systems and practices are actually secure, rather than assuming they are. An additional benefit is positioning your company for PCI compliance. Finally, if you apply for business insurance that has clauses for Information Security, or for specialized eCommerce Merchant Insurance, you will typically be asked to complete questionnaires very similar to the PCI SAQs, and the completed SAQ gives you ready answers.

Network Vulnerability Scans

Internal and external network vulnerability scans are required by PCI DSS (Requirement 11.2) and appear in the SAQs, but I also view them as the initial verification of the IT Security Audit, and as an ongoing verification that the audit's answers stay true.

A completed SAQ is a self-assessment: it asserts that your systems and processes are secure, but it does not prove it. The audit is verified by testing your systems with vulnerability scans. If you have an experienced IT staff in your office, you may be positioned to run internal network vulnerability scans without outside assistance. If you are working towards PCI compliance, you may still want an outside agency to perform the internal scan. External network vulnerability scans are typically performed by outside agencies, and for PCI compliance they must be performed quarterly by a PCI SSC Approved Scanning Vendor (ASV) in order to count.
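The value of a scan is the gap between what the SAQ answers claim and what the network actually exposes. The following is an added example, not code from the newsletter, showing that comparison in its simplest form: a small TCP connect scan of internal hosts checked against a baseline of the services each host is documented to expose. The hosts, addresses and port lists in the baseline are constructed for illustration; a real vulnerability scanner would go further and fingerprint versions and known weaknesses on each open port.

```python
import socket
from typing import Dict, Iterable, List, Set

# Constructed sample baseline (hypothetical hosts and ports): the TCP services
# each internal host is *supposed* to expose, as documented while answering the SAQ.
EXPECTED_OPEN_PORTS: Dict[str, Set[int]] = {
    "10.0.0.10": {22, 443},   # web server: SSH for admin and HTTPS only
    "10.0.0.20": {3389},      # back-office workstation reached via RDP
}

# Ports to probe on every host: the baseline ports plus a few common services
# that should not be listening on a card-processing network segment.
COMMON_PROBE_PORTS: Set[int] = {21, 22, 23, 80, 443, 445, 1433, 3306, 3389, 5900}


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a TCP connect() to host:port succeeds within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, timed out, unreachable: all count as "not exposed" for this check.
        return False


def scan_host(host: str, ports: Iterable[int], timeout: float = 0.5) -> Set[int]:
    """Return the subset of `ports` that accept TCP connections on `host`."""
    return {p for p in sorted(set(ports)) if tcp_port_open(host, p, timeout)}


def compare_to_baseline(observed: Set[int], expected: Set[int]) -> Dict[str, List[int]]:
    """Classify observed open ports against what the SAQ answers claim.

    'unexpected' = open but not documented (a finding to investigate);
    'missing'    = documented but not open (the baseline may be stale, or the
                   service is down; either way the paperwork no longer matches).
    """
    return {
        "unexpected": sorted(observed - expected),
        "missing": sorted(expected - observed),
    }


def audit_hosts(baseline: Dict[str, Set[int]], timeout: float = 0.5) -> Dict[str, Dict[str, List[int]]]:
    """Scan every host in the baseline and report deviations per host."""
    report: Dict[str, Dict[str, List[int]]] = {}
    for host, expected in baseline.items():
        observed = scan_host(host, COMMON_PROBE_PORTS | expected, timeout)
        report[host] = compare_to_baseline(observed, expected)
    return report


def findings(report: Dict[str, Dict[str, List[int]]]) -> List[str]:
    """Render the report as one line per deviation, suitable for an audit log."""
    lines: List[str] = []
    for host, result in sorted(report.items()):
        for port in result["unexpected"]:
            lines.append(f"FINDING {host}: tcp/{port} is open but not in the documented baseline")
        for port in result["missing"]:
            lines.append(f"NOTE {host}: tcp/{port} is documented but not reachable; update the baseline")
    return lines


if __name__ == "__main__":
    # Against the constructed baseline above this will report every documented
    # port as 'missing' unless you point it at real internal hosts.
    for line in findings(audit_hosts(EXPECTED_OPEN_PORTS)):
        print(line)
```

Run it from a machine inside the network segment being audited; an external ASV scan answers the complementary question of what is visible from the Internet. A host showing an "unexpected" port is exactly the kind of discrepancy that makes an SAQ answer false until it is explained or fixed.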

If you currently accept and process credit cards, your card processor can point you to PCI-approved scanning vendors (ASVs); note that it is the PCI Security Standards Council, not the processor, that approves them. In many cases the processor will provide the quarterly external scans through its security partners as part of its services.

As ever, if you need help setting up or performing a general IT Security Audit, need help with PCI compliance, or have any questions or comments concerning this article, I'd be happy to discuss this with you at your convenience. Feel free to contact me by email or via my cell 443.310.5110.

Next month I’ll review Best Practices to utilize when providing wireless access to your Private Business Network. See "Provide Wireless Access to Business Systems???"