Auditing

Putting a security policy in place and applying security measures takes some effort, but is relatively easy compared to keeping security at the same level. You need procedures to check whether the measures you have taken to curtail risks are fully implemented and maintained. This is where auditing comes into play. There are several different types of auditing:

■ Collegial review: Colleagues can check each other's work; for example, XLANG schedule diagrams. This should not be used to place blame for mistakes, but to catch errors while they are still at an early stage. This saves money and raises the quality of work. Another example is that after a BizTalk server is fully installed and tuned, another system engineer could check the server to see if the configuration is complete according to the security standards set in the security policy.

■ Internal audit: The IT department, with outside expertise if necessary, runs a full check of the complete BizTalk infrastructure, covering both the technical issues and the procedures. To enhance the value of the internal audit, you can run tests to determine whether these procedures, like full BizTalk server recovery, actually work. You can also check whether backup tapes are useable and complete. This is something we will discuss in more detail later. Another example is to check whether the XLANG schedules running on the BizTalk server are the correct ones, and to see who has access to these files. Perform an internal audit at least once a year. An even better policy is to run two partial audits, in which you revisit the shortcomings of the previous audit.

■ External audit: This is also called the independent audit. You hire an IT audit organization to run a full audit. They deliver a report with all the plusses and minuses, in addition to a large bill. Perform an external audit at least once every two years.
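
The internal-audit check of whether the deployed XLANG schedules are the correct ones, and who has access to them, can be scripted. The following is an added example, not code from the book; the directory, the manifest path, its CSV layout (columns Path and SHA256) and the .skx file filter are assumptions to adapt to your environment.

```powershell
# Added example: read-only audit of deployed XLANG schedule files.
# Assumptions (hypothetical, not from the book): both default paths below,
# a CSV manifest with columns Path,SHA256, and schedules stored as *.skx.
param(
    [string]$ScheduleDir = 'D:\BizTalk\Schedules',
    [string]$ManifestCsv = 'D:\Audit\approved-schedules.csv'
)

# Load the approved baseline: full path -> expected SHA-256
$approved = @{}
Import-Csv -Path $ManifestCsv | ForEach-Object {
    $approved[$_.Path.ToLowerInvariant()] = $_.SHA256.ToUpperInvariant()
}

$writeData = [System.Security.AccessControl.FileSystemRights]::WriteData
$seen = @{}
$findings = foreach ($file in Get-ChildItem -Path $ScheduleDir -Filter '*.skx' -Recurse -File) {
    $key = $file.FullName.ToLowerInvariant()
    $seen[$key] = $true
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash

    # Is this the schedule that was approved?
    $status = 'OK'
    if (-not $approved.ContainsKey($key)) { $status = 'UNAPPROVED' }
    elseif ($approved[$key] -ne $hash)    { $status = 'MODIFIED' }

    # Who can change the file contents?
    $acl = Get-Acl -Path $file.FullName
    $writers = $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.FileSystemRights -band $writeData) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique

    [pscustomobject]@{
        Status = $status; Path = $file.FullName
        Owner = $acl.Owner; WriteAccess = ($writers -join '; ')
    }
}

# Schedules that are in the baseline but no longer on disk
$missing = foreach ($path in $approved.Keys) {
    if (-not $seen.ContainsKey($path)) {
        [pscustomobject]@{ Status = 'MISSING'; Path = $path; Owner = ''; WriteAccess = '' }
    }
}

@($findings) + @($missing) | Sort-Object Status, Path | Format-Table -AutoSize -Wrap
```

Keep the manifest outside the server being audited, so that whoever can change a schedule cannot also change the baseline it is compared against.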

The dynamics of the organization or business will quickly bring the security level down. Audits are the perfect way of improving the security of your BizTalk infrastructure. Remember, security policies are never perfect in any organization, but through critical review and auditing, you can bring them to a higher level.
