Talk:Information technology security audit

WikiProject Computer Security / Computing (Rated Start-class, Top-importance)
This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as Start-Class on the project's quality scale.
This article has been rated as Top-importance on the project's importance scale.
This article is supported by WikiProject Computing (marked as Mid-importance).
WikiProject Computing (Rated Start-class, Mid-importance)
This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
This article has been rated as Start-Class on the project's quality scale.
This article has been rated as Mid-importance on the project's importance scale.


This started as part of a section of Security breaches that AlMac thinks ought to have its own Wiki article. After this article seems to no longer have so many grievances against it, AlMac's plan was to return to Security breaches and make Computer security audit a main article there, eliminating some of the redundant content. Additional main articles later. AlMac 7 July 2005 14:16 (UTC)

Computer security audit is both a noun and a process. There is not much point doing one audit then assuming the problem is fixed, because Computer security is a moving target. We need to check our systems, see what needs fixing, do the audit again, fix again, then when all identified problems have been fixed, raise the bar on the standards we are trying to achieve. Periodically there is evolution in the Computer insecurity threats out there, so we need to upgrade our audit tools to deal with the new threats. Also, any time something new is added to our systems, we need to run the audit process again, to make sure the new thing did not mess anything up.

In Wikipedia:Votes for deletion/Computer Security Audits, there was the criticism that how to do audits is in here, while that does not belong in an Encyclopaedia. One reason I put some in was that I saw a grievance on another person's article in that the author was accused of writing nonsense, and needed to prove assertions. There are a lot of people who assert that Computer security is an Oxymoron, or too expensive to achieve. I wanted to include examples of technologies that make good Security doable. AlMac 7 July 2005 19:12 (UTC)

Similar sounding topics

AlMac studied the Auditing information security article before starting Computer Security Audits. AlMac's conclusion was that Auditing information security is rather dated and for a narrow spectrum of the Computer security field. It describes a reality of large companies, like those traded on the stock market, that can afford to have a team of humans from some audit firm, perform certain tasks. Most small businesses, which are most enterprises period, cannot afford this, and certainly not home users.

Auditing information security is a valid topic, of great interest to many enterprises, but while the work they do is more intensive than Computer security audit focus, the former's market share is microscopic compared to the latter. This needs to be explained, like the Computer security and Computer insecurity articles point at each other.

  • Computer security article focuses on Design for Good Security in the first place, which most computer vendors should do, but far too many do not.
  • Computer insecurity article focuses on victims in the "Oh Hell, what a mess we are in, how do we get out of this?"

Similarly (except first need to clean up this language)

  • Auditing information security article focuses on what the giants of industry do to identify security issues in need of remediation.
  • Computer Security Audits (which may need a slightly different title) article focuses on what the little guy, and small business can do, to identify security issues that are easily repaired.

Now many enterprises do not think they need Security Audits, but one of the outputs of these automated tools is an education that can lead some companies to conclude that they do need professional help, because the remediation effort is more than can be handled by their staff. AlMac 7 July 2005 20:04 (UTC)


Note that AlMac is attempting to make repairs to satisfy various notices, as I hope to share my know-how in a form that will fit in with this community. I have lots more I intend to include in Security breaches and related articles, once I have resolved the complaints about lack of neutrality in my point of view, without becoming too wordy in space to many different POV.

AlMac is having a lot of trouble knowing when to use upper case lower case, singular plural, in this Wikipedia.

Several kind and supportive individuals have posted to AlMac's talk page some areas for AlMac to study, so as to get better at meeting the community goals. Please keep these suggestions coming. I am working my way through them, in hopes that I can fix all the problems, and become a valued member of this community. AlMac 7 July 2005 20:10 (UTC)

Keep up the good work, get rid of all the lists and the article should be all right. I strongly suggest you read Wikipedia:Guide to layout and Wikipedia:How to edit a page, if you haven't already—they're very insightful, as are the other articles in the style book.
Be aware that Wikipedia is not an FAQ. Don't refer to the reader or yourself directly; sentences like "Company-A has personal information on you and me." are considered bad style. The article shouldn't be a how-to: "Go to Steve Gibson Research site, scroll down to Shields Up, run tests" are improper. A better version would be something like "Software to detect vulnerabilities is available from organisations such as Gibson Research Corporation", and arguably anything more detailed in a how-to way might not be proper here on WP. Avoid (though not at all costs) external links inside the main article body, the proper place is in its own section at the end of the article. Try to give more than one alternative if there is one.
Last but not least, of course the article does not have to be perfect. Others will improve on what you write, especially if you make a decent start. Once you get rid of
  • all
    • the freaking
      • lists
I'll try editing it, too. ;) Note that I'm a newbie, too. Cheers. --Moritz 7 July 2005 21:33 (UTC)

Thanks, I know I have lots to get done. I feel like I am making progress, but have lots more content I want to add, and get it into the community style. Lots of stuff Y'all have suggested I study. I have looked at some, but still need to wrap my mind around a lot more. AlMac 8 July 2005 12:16 (UTC)

Opening section

The opening section, above the contents, is crying out to me for a sub-head like "Introduction" or "Overview". I do not know how big the statement above start of "Contents" is appropriate here.
The first half of this top section seems to me to be lacking clarity. I need to both consolidate it, and solve that problem.

AlMac 8 July 2005 12:16 (UTC)

The introduction section should be long, and untitled, above the table of contents. It can be three paragraphs long. There is a style guide for this section here: Wikipedia:Guide to writing better articles#Lead section.--Fenice 8 July 2005 12:59 (UTC)

What the Audits NOT do

I think this section now has met the requirement to be prose rather than outline format, and now it needs to have links added, where appropriate, to other stuff in Wikipedia.
Also, I think each section may need polishing of the summary statements of what we learn from all this, how it fits into the larger picture.

AlMac 8 July 2005 12:16 (UTC)

What the Tools do

I have your guidance, I know what needs to be done, but I am out of time again for another session. I will have to get back to this later. AlMac 8 July 2005 12:16 (UTC)


Since Wiki is NOT about individual companies and their products, and should not have external links until the external link section, I plan to put extreme summary info about major players in this marketplace at the bottom, then if no other person has done any article on what these outfits offer, I will then have link available to bottom of this article, to avoid external linkage in main body. AlMac 8 July 2005 12:43 (UTC)

Note that Wikipedia can be about individual companies or products, as long as they are notable companies/products and the article is "written in an objective and unbiased style". I don't think there's anything wrong with what you suggest, although the summary in the external links section should be very brief, one sentence, two or three short ones at the most. --Moritz 8 July 2005 13:18 (UTC)

More Content

This is not the whole story. It is just how far I got before being asked to clean up my style. AlMac 8 July 2005 12:16 (UTC)

Once this has been cleaned up, perhaps it should be marked {{current}} due to current security breaches in the news and what is needed to protect against being a victim of them. AlMac|(talk) 21:59, 22 July 2005 (UTC)

Failed vfd vote

Wikipedia:Votes_for_deletion/Computer_Security_Audits. --Woohookitty 23:37, 19 July 2005 (UTC)


I have not forgotten about needing to clean up this article that I started here, and I am pleased to see that other editors have made some improvements while I have been pre-occupied. I think there's a lot of places where I have used capitalization in middle of sentences inappropriately, perhaps because when I first wrote parts of this I had not yet learned as much about Wikipedia standards and what's practical as I now know.

I plan to add a few more sections, then after we see the flow, may feel that they need moving to somewhat different placement. User:AlMac|(talk) 08:11, 17 January 2006 (UTC)

Types of risk assessment

You can take a qualitative or quantitative approach to risk assessment. It might be worth mentioning both and comparing them.

Changed Tag

I was tempted to label this POV and mark it AfD, but I see a lot of good work. As such, the other tags should suffice.

On POV, the article tone assumes that it is a white paper of sorts, making the assumption the end-user is clueless and requires some sort of oversight. Tone is very bad. This is on my watch list. --meatclerk 22:41, 23 July 2006 (UTC)

Reassessment Comments

To move the article above Start-class I would consider the following at a minimum:

  1. Incorporate as many of the "see also" items into the article as would be logical; don't just shove them in anywhere.
  2. Consider including sources with inline references.

§ Music Sorter § (talk) 07:29, 17 November 2010 (UTC)