Security Auditing and Due Care

Auditing is the process of examining systems and/or business processes to ensure that they’ve been properly designed and are being properly used. Audits are frequently performed by an independent third-party or an autonomous group within the organization. This helps to ensure that the audit results are accurate and are not biased because of organizational politics or other circumstances.

Audits are frequently performed to ensure an organization is in compliance with business or security policies and other requirements that the business may be subject to. These policies and requirements can include government laws and regulations, legal contracts, and industry or trade group standards and best practices.

Business-critical systems need to be subject to regular audits as dictated by regulatory, contractual, or trade group requirements.

Due care requires that an organization operate using good business practices — usually a set of standards formally or informally stated by industry trade groups. An organization can be liable if it fails to exercise due care (see Chapter 12 for more on due care).