What is a computer-network-security audit and why should I care?
This home page (and its companion page about the "AuditColorChart tool") is the outgrowth of a project, like many, that started with my need for a tool to help me in my job / company. It has grown to have a life of its own, and others now share in the use of the tool. Herein, I explain the hows and whys in order to give you the benefit of my experience, hoping you can learn something and "leverage" off of my work - to help you in yours.
In general, the reason to audit your computers, networks, and the intellectual property that they contain is the same as the reason to audit anything else:
"To verify the compliance of your protection mechanisms with a standard model (policy or list of audit-items)."
More specifically: you compare a number of audit-points against a standard model of 'givens'. The financial community (at least in the USA) uses something called "Generally Accepted Accounting Principles", or "GAAP" for short. We in the computing world typically use something similar called "Generally Accepted Computing Principles" (usually based on the "O'Reilly" publishing house set of books).