For most organizations, the security and protection of its information ranks high on the list of importance, however, often times there’s an assumption by leadership that its “taken care of.” And while your IT department may work diligently to make sure proper security measures are in place, it’s critical for the organization to go beyond simply installing security software and applications, but also to develop specific processes designed to assess risks and institute controls and countermeasures to mitigate them. By conducting regular security audits, managed by a team with technical and business knowledge of the company’s IT assets, your organization will be able to take security to the next level and preventively protect valuable company information.
Generally speaking, these audits consist of interviewing key personnel, conducting vulnerability assessments, creating catalogs of existing security policies and controls, and examining assets covered by the scope of the audit.
In many cases, audits rely on technology tools to conduct the audit and focus on answering questions such as:
- Are passwords in place and are they hard to crack?
- Are there access control lists for network assets?
- Are there access logs that specify who can access what information?
- Are adware and malware regularly scanned for on personal computers?
- Who can access backed-up media?
Of course, this is only a sample list of questions that a security audit should cover. Auditing should be an ongoing process that helps your organization make continuous improvements that optimize IT performance. It should not only address security compliance, but also the quality of the policies and controls that are in place since technology is rapidly changing and security measures can quickly become obsolete.
The basic components of your audit should include:
Defining the perimeters of the audit
Perimeters may be organized around logical groups like datacenter specific LAN or around business processes such as financial reporting. This allows the auditors to easily manage and focus on the assets, processes and policies being audited.
Defining the process scope of the audit
Make sure the process scope is not too broad or too narrow because this can lead to stalls in the audit process or inconclusive assessments of risks and controls.
Conducting historical assessments
Another critical aspect of the audit is to do your due diligence in assessing historical events like known vulnerabilities, security incidents that caused damage in the past, and any recent changes to IT infrastructure and business processes. Past audits should also be reviewed and taken into consideration.
Developing the audit plan
A good audit is guided by a comprehensive audit plan that includes a description of the scope of the audit, timelines, and project ownership.
Assessing security risks
The core of the audit is the risk assessment phase. It should cover:
- Prioritization of the assets to be audited
- Identification of potential threats
- Vulnerabilities/deficiencies for each asset
- Current security controls
- Specific risks and probability of occurrence
- Potential impact of a threat
- Risk calculations
Reporting audit results
All of the information gathered should be reported in detail and presented for review. Documentation should include an executive summary, findings, determinations, required updates/fixes and supporting data.
Developing new and/or updated security controls
Ultimately, your security audit should result in specific recommendations for improving business security. Your organization should come away from an audit with recommendations for new or updated controls, as well as deadlines and ownership for deployment.