There is no goal or conclusion to the security policies and procedures involved in hardening your network. Security is a process that has no end. As a result, your security policy should be a living document that is reviewed on at least an annual basis to ensure that it adequately addresses the security threats and exploits that exist against your network infrastructure. You should ensure that your security policy is being adhered to and that it puts forth an effective solution to the security issues in your environment. You also should test and verify that your organization's security posture is in line with the expectations your security policy defined. A simple and effective method of validating and reviewing your security policy and posture is through the use of auditing. Internal audits can be used for everything from simple, basic validation and vulnerability-assessment testing to detailed security auditing, penetration testing, and vulnerability assessment through the use of a dedicated internal auditing staff. On the other hand, external audits can provide a substantial amount of information that can be used as an agnostic outside recommendation and validation of your organization's security goals and objectives. We will talk more about this last point when we look at methods to justify the expense of increased security in Chapter 15.