Ask the Expert

What's the difference between a network assessment and an audit?

That's a good question. Let's start with some definitions as commonly found on the Web.

Educause.edu defines an assessment as "the process of identifying technical vulnerabilities in computers and networks as well as weaknesses in policies and practices relating to the operation of these systems."

TechTarget.com defines an audit as "a systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. Many times audits are often used to determine regulatory compliance, in the wake of legislation (such as HIPAA, the Sarbanes-Oxley Act, and the California Security Breach Information Act) that specifies how organizations must deal with information."

As you can see, these definitions are actually very similar. But one difference is that assessments can take on an adversarial role. One example would be "Eligible Receiver." This 1997 internal security assessment initiated by the Department of Defense was designed to simulate what a team of hackers could do if they targeted the Pentagon's computer system.

Audits do not typically take on such an adversarial role. While it's true that audits assess the strength and effectiveness of controls that are designed to protect information and safeguard assets, they usually look more at existing policy and controls. They also seek to determine if these policies are being followed by employees. When controls are not in compliance, the auditor may report who and what is not in compliance.

That brings us to a second difference between an assessment and an audit. Assessments tend to practice non-attribution: they report the weaknesses found rather than naming the individuals responsible for them.

Finally, while audits tend to measure performance against existing policies and compliance requirements such as HIPAA, the Sarbanes-Oxley Act and the California Security Breach Information Act, assessments go a step further: they actively seek out vulnerabilities and may even exploit them to demonstrate impact. This is something you will not usually see during an audit.

This was first published in October 2005
