Before discussing how and what to audit, you need to understand why to audit. There is a natural cycle associated with security that begins with prevention, moves to detection, and finishes with response. This cycle is described very well in Secrets and Lies: Digital Security in a Networked World by Bruce Schneier (John Wiley & Sons, 2000). What is important about understanding this cycle is that it helps you understand that security isn’t exclusively about access control.
Prevention, which includes access control, is the first process in the cycle. It describes all of the measures put in place to control who can do what and how they can do it. In the nondigital world, you see examples of this everywhere, such as locks on doors, electric fences, and security guards restricting access to buildings and building corridors. Many people use the phrase "a system's security" to mean only its preventative security measures. While this may seem intuitive, it is incorrect.