State the purpose of an IT security audit and briefly discuss the key elements of such an audit
An important prevention tool is a security audit that evaluates whether an organization has a well-considered security policy in place and if it is being followed. For example, if a policy says that all users must change their passwords every 30 days, the audit must check how well the policy is being implemented. The audit also should review who has access to particular systems and data and what level of authority each user has. It is not unusual for an audit to reveal that too many people have access to critical data and that many people have capabilities beyond those needed to perform their jobs. One result of a good audit is a list of items that need to be addressed in order to ensure that the security policy is being met.
A thorough security audit also should test system safeguards to ensure that they are operating as intended. Such tests might include trying the default system passwords that are active when software is first received from the vendor. The goal of such a test is to ensure that all such "known" passwords have been changed.
Some organizations will also perform a penetration test of their defenses. This entails assigning individuals to try to break through the measures and identify vulnerabilities that still need to be addressed. The individuals used for this test are often contractors rather than employees. The contractors may possess special skills or knowledge and are likely to take unique approaches to test the security measures.
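The audit checks described above (password age against the 30-day policy, access beyond job needs, and vendor default passwords that were never changed) can be expressed as a short script. This is an added example, not part of the original answer; the account inventory, role names, and field names are constructed for illustration.

```python
from datetime import date

MAX_PASSWORD_AGE_DAYS = 30  # policy value from the text above

# Access each role needs to do its job (constructed for this example).
ROLE_NEEDS = {
    "payroll_clerk": {"payroll_db:read"},
    "dba": {"payroll_db:read", "payroll_db:admin"},
    "service": {"backup:run"},
}

# Constructed account inventory; a real audit would export this from the
# directory service and from each system's access lists.
ACCOUNTS = [
    {"user": "alice", "role": "payroll_clerk", "password_set": date(2024, 5, 20),
     "grants": {"payroll_db:read"}, "vendor_default": False},
    {"user": "bob", "role": "payroll_clerk", "password_set": date(2024, 3, 1),
     "grants": {"payroll_db:read", "payroll_db:admin"}, "vendor_default": False},
    {"user": "backup_svc", "role": "service", "password_set": None,
     "grants": {"backup:run"}, "vendor_default": True},
]

def audit(accounts, role_needs, today, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return a sorted list of (user, finding) items that need to be addressed."""
    findings = []
    for acct in accounts:
        user, changed = acct["user"], acct["password_set"]
        # Safeguard test: account shipped by the vendor, password never set locally.
        if acct["vendor_default"] and changed is None:
            findings.append((user, "vendor default password never changed"))
        elif changed is None:
            findings.append((user, "no password change on record"))
        elif (today - changed).days > max_age:
            age = (today - changed).days
            findings.append((user, f"password is {age} days old (limit {max_age})"))
        # Access review: anything granted beyond what the role needs.
        # An unknown role needs nothing, so all of its grants are reported.
        excess = acct["grants"] - role_needs.get(acct["role"], set())
        for grant in sorted(excess):
            findings.append((user, f"access beyond job needs: {grant}"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit(ACCOUNTS, ROLE_NEEDS, today=date(2024, 6, 1)):
        print(f"{user}: {finding}")
```

The returned list is the "list of items that need to be addressed" that the answer names as one result of a good audit.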