Central to a comprehensive security policy, and the components that unify procedures and response, is the discussion of monitoring and auditing. Security monitoring verifies the configuration guidelines and technical requirements outlined in the security policies. Security auditing entails a consistent set of practices that enforce the security policies set forth for the organization.

Monitoring is the policy action that becomes part of the ongoing standard security process in the company. The installation of a firewall is one element of the security monitoring system—it focuses on the network access points. Other aspects of monitoring are the use of security cameras, anti-virus software, server disk quotas, intrusion detection devices, and network management software. The monitoring component of a security policy enhances the security in an organization by validating the other elements in the policy, ensuring their existence and correctness.

Monitoring capabilities also affect the safety and effectiveness of incident responses. It provides evidence for legal issues and an informative basis for post-mortem analysis of incidents. This analysis is very useful to assist in prevention and understanding of problems.

Finally, security monitoring provides the capability for the organization to recover from incidents by providing in-depth information about it. Network attacks can be monitored and defended against, spurious hardware failures can be traced and rectified and the actions of unauthorized intruders can be watched and recorded.

The monitoring methods for a server, network, or other computer equipment are often those that gather and analyze statistics. The statistics gathered provide the reference point for normal operation and for that which is abnormal. This information is often gathered by hand, or eye, in the case of security cameras and monitoring. The level to which the monitoring is automated increases its effectiveness. To allay the fears that this task is incredibly difficult, it is important to note that many operating systems and software have the capabilities to perform a large portion of the monitoring and auditing functionality—the features simply need to be enabled. Authentication policies including the identification of password criteria, the use of password aging, and keeping a password history to avoid repetition are enforced by common features in most operating systems. Access control methods and auditing capabilities are inherent parts of server operating systems. Network management protocols allow for special alerts and notices to be sent under special conditions. An example is SNMP, which can be configured to notify administrators when special events occur. SNMP has weak security and should be investigated prior to its implementation, and is mentioned here due to its wide use. An alarm company, monitors the alarm system, and the proper authorities are notified automatically when it is set off.

Company Z's Security Monitoring Policy reads

·        Closed-circuit television cameras are installed throughout the organization and at entry/exit points.

·        This video information is recorded and monitored by the security group.

·        Network equipment management and monitoring occurs via automated management software that notifies administrators via pager in the event of anomalous issues.

·        Anti-virus software monitors all programs, documents, and email messages for viruses and automatically cleans discovered viruses.

·        Users and administrators are automatically notified via email when a virus is discovered.

·        All servers are monitored via monitoring programs and built-in functionality that complies with the established security policy.

Auditing ensures that the security policy is in place and followed. The measures used to audit include the services of contract security firms to analyze the an organization's networks, systems, and policies—often unbeknownst to the employees. Other forms of auditing include random and frequent verification of the policies by administrators or special internal teams designed for such tasks. The reference to auditing in the security policies of an organization also has a psychological affect that helps foster greater security awareness and action. Employees are less likely to adhere to security policies if they feel there is no enforcement. By outlining the presence of auditing methods, without necessarily clarifying the exact procedures, frequency, or schedule, an organization makes its employees more aware of security issues. A greater emphasis on secure thought and use is the natural result. Consider Company Z's Security Policy for Enforcement and Auditing:

·        Periodic and random security audits will be performed on servers and network equip ment to ensure proper configuration, diligent updates and application of patches, and compliance with other security policy regulations.

·        These audits may be performed by internal staff or external agencies with or without the knowledge of the administrators and users of the systems.

·        Desktop systems and users will be audited for compliance with the Site and Infrastructure Policy, with regard to configuration, up-to-date software, and network services.

·        Audits of users for compliance with the Acceptable Use Policy will also be conducted to assure the safety and security of the computing environment.

Notification to employees of the audit policy enforces compliance of security policies and also forewarns them of repercussions for compliance failures. Administrators have the largest responsibility and expend the most effort to enforce adherence to security policies. Audits might seem forceful, but an environment with so many security components requires dedication and diligence to maintain security.