Best Practices

  • Use security assessments to evaluate the security of your network.

    Security assessments will help answer the question, "How do I know that my network is really secure?" You can also track progress toward improving the security of your network by repeating a security assessment after you have addressed the weaknesses discovered in the initial security assessment.

  • Choose the appropriate type of security assessment for your business or technical requirements.

    The security assessments discussed in this chapter are very different: each attempts to assess different areas of security, requires special areas of expertise, and calls for different levels of investment from your organization. To ensure that the security audit you perform meets the needs of your organization, choose the appropriate security assessment. For example, conducting a vulnerability scan probably will not reveal issues with IT security policies and procedures, just as an IT security audit probably will not reveal that weak passwords are used on servers.

  • Take time to carefully plan your security assessment project.

    As with most IT projects, the major reason that security assessments fail is poor planning. To avoid this pitfall, take time during the planning stage to create a project vision and a scope to guide the security assessment. Do not conduct a security assessment without executive sponsorship.

  • Document in detail the methodology used to conduct the security assessment.

    To ensure that the security assessment results can be independently reviewed and reproduced if necessary, carefully document the methodology used to conduct the security assessment.



Microsoft Windows Security Resource Kit
ISBN: 0735621748
EAN: 2147483647
Year: 2003
Pages: 189
