A computer security audit is a systematic, measurable technical assessment of how the organization's security policy is employed at a specific site. Security audits do not take place in a vacuum; they are part of the on-going process of defining and maintaining effective security policies.

There are a number of key questions that security audits should address:

• Are passwords difficult to crack?
• Are there access control lists (ACLs) in place on network devices to control who has access to shared data?
• Are there audit logs to record who accesses data? Are the audit logs reviewed?
• Are malware defenses in place?
• Are the security settings for operating systems in accordance with accepted industry security practices?
• Have all unnecessary applications and computer services been eliminated for each system?
• Are these operating systems and commercial applications patched to current levels?
• How is backup media stored? Who has access to it? Is it up-to-date?
• Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?
• Are configurations secure for Network Devices such as firewalls, routers and switches?
• Have custom-built applications been written with security in mind?
• How have these custom applications been tested for security flaws?
• Is an inventory of all authorized and unauthorized devices?