Q

What's the difference between a network assessment and an audit?

That's a good question. Let's start with some definitions as commonly found on the Web.

Educause.edu defines an assessment as "the process of identifying technical vulnerabilities in computers and networks as well as weaknesses in policies and practices relating to the operation of these systems."

TechTarget.com defines an audit as "a systematic evaluation of the security of a company's information system by measuring how well it conforms to a set of established criteria. Many times audits are often used to determine regulatory compliance, in the wake of legislation (such as HIPAA, the Sarbanes-Oxley Act, and the California Security Breach Information Act) that specifies how organizations must deal with information."

As you can see, these definitions are actually very similar. But one difference is that assessments can take on an adversarial role. One example would be "Eligible Receiver." This 1997 internal security assessment initiated by the Department of Defense was designed to simulate what a team of hackers could do if they targeted the Pentagon's computer system.

Audits do not typically take on such an adversarial role. While it's true that audits assess the strength and effectiveness of controls that are designed to protect information and safeguard assets, they usually look more at existing policy and controls. They also seek to determine if these policies are being followed by employees. When controls are not in compliance, the auditor may report who and what is not in compliance.

That brings us to a second difference between an assessment and an audit. Assessments tend to practice non-attribution: findings are reported without naming the individuals responsible for them.

Finally, while audits tend to measure performance against existing policies and best practices like HIPAA, SOX, and the California Security Breach Information Act, assessments go a step further and actually seek out vulnerabilities and may even exploit them. This is something you will not usually see during an audit.

This was first published in October 2005