As standard practice, a security audit is performed by a 3rd party company that reviews your policies, procedures, infrastructure, and source code. The security auditor should be a 3rd party company that specializes in security hardening and compliance.
As best practice, the audit will review the following:
- Review the list of users and roles with access to the product environment
- Review compliance of password and credit card information handling (storage, transmission, lockout and reset policy)
- Penetration testing
- Review policies related to passwords and data storage
- Review network topology (verify the firewall is set up and secured)
- Review the security of data communication and the storage of sensitive data
- Verify the load balancer setup for resilience against denial of service attacks
- Review currently installed software and identify missing security patches and out-of-support software
- Review the firewall setup
The audit should be done before and after a major website release and once a year. The yearly audit will on average not find any new surprises, and it verifies that the established policies are being followed.
If the audit identifies any issues, the auditor will provide steps to resolve them. The majority of issues can be resolved with quick, cost-effective fixes.
After completing the security audit and fixing any security issues it found, your security system has been verified by an independent 3rd party audit. This allows you to give the board and executive leadership the trust and verification that the website is secure.