The idea of an audit – any audit – often makes businesses uncomfortable. And IT security audits are no exception. Having outsiders come in looking for discrepancies and oversights can make those responsible for IT security feel defensive and judged, and no one likes getting caught out.
But an IT security audit shouldn’t be viewed as a punitive measure – after all, if your organization is hacked, or loses sensitive data to a preventable vulnerability, you’ll be the one having to answer to clients, and in many cases, the authorities.
The first step is to adopt a more positive attitude towards IT security audits – after all, they provide you with a second set of eyes to identify and rectify issues (hopefully) before they create problems. And IT security auditors genuinely want to share – and use – their knowledge to help your business become a more secure organization.
Then, you need to find an auditor and get to work.
Security Audit Do’s
Establish a Security Baseline Through Annual Audits.
Security audits aren't a one-and-done deal. And you shouldn’t be waiting for a successful attack to spur you into action. Annual audits establish a security baseline against which you can measure progress and evaluate the professional advice provided by the auditor – and help measure the effectiveness of the audit team.
Even if you choose to use different auditors every year, the level of identified risk should (ideally) be dropping, or at the least, remaining relatively constant.
Choose Auditors with "Real" Security Experience.
While you might be tempted to rely on internal staff to conduct your security audit, an outside perspective will almost always identify problems that you may miss. Why? It’s not only because they tend to be dedicated IT security specialists, but also because they have experience working with other organizations in your field, giving them exposure to trends, patterns and developments that your staff may not be aware of.
And while credentials are valuable, experience counts. When hiring an auditor, consider how much experience they have in the field. Do they serve your industry? Have they been involved in security projects that have enabled them to implement their recommendations?
Prepare (and Involve) Business Unit Managers from the Start
Returning to the idea that people don’t like surprises and being caught out, it’s important that the managers of the systems being audited are in the loop from the start. Auditors may come in with the assumption that they will have access to specific data and information, such as policies, system configuration data, and passwords.
If the auditors arrive and have to fight to obtain access to information required to perform their duties, the process can be long, difficult, and potentially jeopardized. With some foresight and preparation, a level of mutual understanding and cooperation can be reached, resulting in an effective and efficient process.
Security Audit Don’ts
Accept Surface-Level Reports
Okay, the audit has finally been completed. What were you given? A templated checklist that could apply to any company? Pages of vulnerability reports without any supporting analysis to tie them together? If so, you didn’t get your money’s worth.
The point of an IT Security Audit is to provide you with expert analysis, context, risk assessments and a plan of action. This means the final report should include:
- The different types of threats from internal or external vulnerabilities.
- The probability that these flaws will be exploited.
- The fallout from this type of attack (loss of data, financial risk, damage to reputation).
- Specific recommendations on how to address the cybersecurity flaws. In particular, your auditor should be able to advise how much time and money you will need to spend on these improvements.
Keep Putting Them Off
Okay, this one is pretty obvious, but an ounce of prevention is worth a pound of cure. You might want to think of IT security audits like you do an oil change – you can put it off for a little while, but eventually things will blow up in your face. And it’s fair to say that you’ll be spending much more money dealing with the aftermath. Even more frustrating, it’s something that likely could have been prevented with some basic maintenance.
Determining Your Risk Exposure
Did all this talk of security audits get you thinking about your business’s readiness? Here are some good questions to ask to determine whether your business has a handle on its IT security:
Are you spending too much time putting out fires, rather than preventing them and advancing your business instead? Do you have trained security experts on staff? Is your team able to watch the network 24/7/365 and carefully evaluate each potential threat that is identified?
It’s not a matter of IF you’ll face a breach, but when. How confident are you that your network can withstand the latest threats? How long will it take before you even know you have been compromised? How do you know if you already have been compromised?
Are your systems experiencing unnecessary amounts of downtime reacting to problems that could have been detected earlier or prevented entirely?
In addition to HIPAA, SOX, PCI and PIPEDA, every state and province has information security laws. Are you faced with compliance changes that can come quickly and catch your organization off guard? How would you fare in an audit?
If the answers make your heart drop, don’t worry. We’re here to help!
In addition to performing a variety of IT audits and assessments, Discovernet provides a full suite of Managed IT Security Solutions.
Our extensive experience and expertise, coupled with exposure to the challenges and requirements of our clients’ industries, enable us to develop and implement comprehensive security solutions that address today’s ever-changing cybersecurity landscape.