You may see the phrase "penetration test" used interchangeably with the phrase "computer security audit". They are not the same thing. A penetration test (also known as a pen-test) is a narrowly focused, time-boxed attempt to find exploitable security holes in a critical resource, such as a firewall or Web server. Penetration testers may look at only one service on a network resource, and a test that finds nothing within its scope and time limit is not evidence that the resource is secure. They usually operate from outside the firewall with minimal inside information in order to more realistically simulate the means by which an attacker would go after the site.
On the other hand, a computer security audit is a systematic, measurable technical assessment of how the organization's security policy is actually implemented at a specific site. Computer security auditors work with the full knowledge of the organization, and often with considerable inside information, in order to understand the resources being audited.
Security audits do not take place in a vacuum; they are part of the ongoing process of defining and maintaining effective security policies. This is not just a conference room activity. It involves everyone who uses any computer resource throughout the organization. Given how quickly computer configurations and information storage change, some managers may wonder whether there is truly any way to check the security ledgers, so to speak. Security audits provide such a tool: a fair, repeatable and measurable way to examine how secure a site really is.
Computer security auditors perform their work through personal interviews, vulnerability scans, examination of operating system settings, analysis of network shares, and review of historical records. They are concerned primarily with how security policies - the foundation of any effective organizational security strategy - are actually put into practice, not merely with what the policy document says.
It must be kept in mind that as organizations evolve, their security structures will change as well. With this in mind, the computer security audit is not a one-time task but a continual effort to improve data protection. The audit measures the organization's security policy against what is actually deployed and provides an analysis of the effectiveness of that policy within the context of the organization's structure, objectives and activities. Each audit should build on previous audit efforts to help refine the policy and correct deficiencies discovered through the audit process, so that a finding recorded in one audit can be checked off as resolved, or flagged as still open, in the next. While tools are an important part of the audit process, the audit is less about the use of the latest and greatest vulnerability assessment tool and more about organized, consistent, accurate data collection and analysis that produces findings which can be measurably corrected.
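The following is an added example, not code from the original page, of the kind of policy-versus-reality check and audit-to-audit tracking described above. It compares a collected sshd configuration against a written policy baseline and then classifies each finding as new, persisting or resolved relative to the previous audit, which is what makes the correction measurable. The host name, the sshd_config excerpt, the baseline values and the previous findings are all constructed for illustration and are not taken from any real site.

```python
"""Added example: audit collected OS settings against a policy baseline and
track findings across audits. Not from the original page; every input below
(host, sshd_config excerpt, policy values, prior findings) is constructed."""

import re

# Constructed excerpt of an sshd_config as an auditor might collect it from
# a host (hypothetical host name "web01").
COLLECTED_SSHD_CONFIG = """\
# sshd_config collected from web01 (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
MaxAuthTries 6
ClientAliveInterval 300
"""

# Policy baseline: required values as they might be derived from the
# organization's written security policy (constructed; values are assumptions).
POLICY_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "ClientAliveInterval": "300",
    "LogLevel": "VERBOSE",   # not present in the collected config -> finding
}

# Directives recorded as non-compliant by the previous audit (constructed).
PREVIOUS_FINDINGS = {"PermitRootLogin", "PasswordAuthentication", "X11Forwarding"}


def parse_sshd_config(text):
    """Return {keyword: value} for effective directives, ignoring blank lines
    and comments. sshd honours the first occurrence of a keyword, so the
    first value seen is kept."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\S+)\s+(.+)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        settings.setdefault(key, value)  # first occurrence wins
    return settings


def audit(settings, baseline):
    """Compare collected settings to the policy baseline.

    Returns {keyword: (expected, actual)} for every non-compliant directive.
    A directive required by policy but absent from the host is reported with
    actual=None, since a missing setting falls back to the daemon default."""
    findings = {}
    for key, expected in baseline.items():
        actual = settings.get(key)
        if actual is None or actual.lower() != expected.lower():
            findings[key] = (expected, actual)
    return findings


def track_progress(current_findings, previous_findings):
    """Classify this audit's findings against the last audit's so that
    corrections are measurable: resolved (no longer failing), persisting
    (still failing), new (failing for the first time)."""
    current = set(current_findings)
    return {
        "resolved": sorted(previous_findings - current),
        "persisting": sorted(previous_findings & current),
        "new": sorted(current - previous_findings),
    }


if __name__ == "__main__":
    settings = parse_sshd_config(COLLECTED_SSHD_CONFIG)
    findings = audit(settings, POLICY_BASELINE)
    for key, (expected, actual) in sorted(findings.items()):
        print(f"FINDING {key}: policy requires {expected!r}, host has {actual!r}")
    progress = track_progress(findings, PREVIOUS_FINDINGS)
    for status, keys in progress.items():
        print(f"{status}: {', '.join(keys) or '-'}")
```

Run against the constructed sample, X11Forwarding shows as resolved since the last audit, PermitRootLogin and PasswordAuthentication persist, and MaxAuthTries and the missing LogLevel appear as new findings. The same structure applies to any collected setting set (registry values, share permissions, firewall rules) once a parser for that source is substituted for parse_sshd_config; the baseline and the previous-findings comparison are what turn raw collection into a measurable audit result.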