Why a security audit is an essential operational tool

March 20, 2023
Performed correctly, an independent audit will help an organization see issues that are often overlooked and help the bottom line

A security audit is an independent review and assessment of an organization’s security protocols, processes and systems. It is conducted by an outside party and typically includes a detailed review of the organization’s security policies, procedures, and practices, as well as an assessment of its overall security posture. The goal of a security audit is to identify any potential security gaps or vulnerabilities and to make recommendations for correcting issues and improving the organization’s security posture.

In “A Scandal in Bohemia”, Sir Arthur Conan Doyle’s consulting detective Sherlock Holmes says to his friend and companion Dr. Watson, “don’t see, observe.” Owners and managers of businesses of varying sizes are constantly working to “see” their business operations and how effective those operations are, to help assess how processes help or hinder the success and profitability of the business. This “seeing” includes their employees, visitors, their product, their company facilities, and additional assets, on top of their business operations and everything else going on within the business.

Why a Security Audit is Critical

When outside vendors are used to provide security, an audit determines if your organization is “getting what you pay for”. 

“An audit can really show if the terms are being met,” according to Jeff Palmer, Managing Partner of Florida-based Lion’s Den Consulting. “You want to be sure that the personnel that are being supplied under the contract meet the training and experience requirements required by the contract.”

Palmer, a former senior physical security specialist and regional regulatory inspector with the Transportation Security Administration, adds: “As human beings, there will be many things we ‘see’ daily without ‘observing’. We are only human. People and events may impact the business and its operations and, subsequently, its current and future profitability and remain ‘unseen.’ Because of their daily responsibilities, even the best-dedicated employees of the business will not observe when they, too, are seeing.”

He continues: “The many parts of a company sometimes need a set of outside ‘eyes’ to keep. These outside eyes have no territory or jobs to protect. They are independent of all the parties involved in the company and only report to the owner or company management, i.e., the client. These outside eyes will look for successes and potential issues not observed by those who work at the business.”

These outside or “clean” sets of eyes should be experienced personnel whose sole job is to see and observe one particular part of the business. They then report both positive and negative outcomes from their observations or audit of the identified business operations. Audits of information technology, supply, and logistics systems, for example, are done to meet loss and liability requirements. An audit of the security policies, methods and personnel tasked with ensuring the safety of the company’s employees, visitors, products, facilities, and other identified assets is just as crucial to the company’s operation and financial well-being.

What a Security Audit Entails

The security audit should identify the security program’s return on investment (ROI). Spending money on security issues can be a difficult sell to management, since security operations generally do not generate profit. However, a solid security program will reduce loss, which in turn helps to maintain a healthy organizational bottom line. Measuring ROI confirms that the money spent to secure and protect the company is performing as intended.

When working well, the various security domains are interlaced so that they enhance and support each other. The audit will therefore include a thorough review of multiple areas within the company to confirm that this interlacing is in place.

A thorough audit will review documents, policies, plans and contracts pertaining to the company’s security operations. Detailed interviews of both company personnel and contractors should identify the negative and positive results of the security operations. These interviews support unbiased and concise reporting following the audit. Though the auditor may know who within the company provided the information during an interview, all reporting on the interviews should remain anonymous to prevent attempts at “killing the messenger”.

The audit should include passive observation or surveillance of the company’s security operations. The audit process and its observations are usually most effective when carried out before company personnel and contractors learn of the audit. A clean analysis helps to ensure that the audit observations and the ensuing report are an accurate and true reflection of the company’s security functions.

Audits in today’s world should include reviews of social media sites for negative comments or allegations regarding the company’s security posture by current or former employees, management or vendors.

When completed, the audit should address the things that are working and the positive results from personnel or systems. More importantly, the audit (through its documentation) must address potential loss to the company and any potential liability, as well as opportunities to reduce potential litigation by detailing the “positive actions taken”.

Most importantly, the audit personnel should be independent consultants. They should have no connection to any manufacturers, vendors, or installers of security equipment or systems. This policy ensures the client can be comfortable that the audit is independent and not being used as a sales pitch to sell security products. Having an outside source conduct the audit provides an added layer of accountability. An internal audit can be subject to manipulation and cover-ups by the organization, while an outside audit will be more likely to adhere to the standards of the industry. This can help to confirm that the audit is conducted appropriately and that any security risks identified are addressed correctly.

When looking for someone to audit your facility, you should look for five things:

1. Expertise: Look for a security auditor with expertise in the specific type of security audit you need. Ensure that the auditor is certified and has verifiable experience in conducting security audits.

2. Proven Track Record: Look for a security auditor with a proven track record of successful audits. Ask for references and read customer reviews to get an idea of the quality of work they provide.

3. Comprehensive Approach: Look for a security auditor that takes a comprehensive approach to the security audit process. This means looking at the entire security infrastructure, including the network, hardware, software, and people.

4. Transparency: Look for a security auditor that provides clear and concise reports of the audit findings. This will help you understand the recommendations and take the necessary steps for improvement.

5. Cost: Look for a security auditor that offers competitive pricing. Make sure that the costs are within your budget and that the services provided are worth the price.

A comprehensive audit may cost money, but in the long run it will reduce loss and give you assurance that your operation is running at an optimum level of efficiency.

About the author: Jeff Dingle is a Senior Consultant with the Florida-based Security Advisory Group. A former federal Special Agent and Security Specialist, he has managed security operations and provided security training for high-risk enterprises in the private sector, Federal Government, casinos and a FORTUNE 15 company. Dingle can be reached at [email protected]