Listen up. We aren’t going to sugarcoat it. A strong security audit is a super-powerful defense against data breaches, a shot reputation, and business underperformance. Here is how to perform one.
Audits Sound Bleh. Why Should I Bother?
Look, audits are heroic and important because they’re what grownups do to identify problems, gaps, and potential “oh crap” moments in systems of all flavors. An IT security audit gives you the skinny on the IT ecosystem security you actually have, rather than the one you’d like/need/should have. If you’re doing anything at all worthwhile, including paying your mortgage, your business should get into them.
An IT security audit helps you:
- Identify what’s wrong and what’s right with your IT ecosystem.
- Establish a methodology for continually improving IT security.
- Establish a baseline for future comparison.
- Comply with external regulatory frameworks or your own (hopefully high) corporate standards.
OK, But When Do I Need to Perform This Security Audit Thing?
The universally annoying answer is “it depends,” but usually it’s good practice to perform a security audit when change happens, either planned or unplanned. For instance, you’d perform a security audit:
- After a data breach: what happened and how can you stop it from happening again?
- After introducing a new system, system upgrade, or data migration: are there any gaps in system interfaces? Does everything work properly?
- When you’re working towards regulatory compliance schemes such as HIPAA or SOC 2, or if new requirements are introduced. Does your system satisfy all the regulatory requirements? Your security audit will find out.
- When you’re working towards corporate compliance, e.g., a big customer demands that your IT complies with their security requirements.
- In preparation for a chunky change in your business, e.g., if your customer base grows exponentially, you’re expanding into different regions, or you’re transitioning to a new way of working such as going fully remote.
Is an Audit the Same Thing as a Test or Assessment?
Kind of, but not totally. Audits, vulnerability assessments, and penetration tests are like family – connected but different. They’re all security diagnostics, but:
A security audit demonstrates how far your IT ecosystem adheres to a set of standards, rules, or criteria. The end result is a gap analysis that shows the difference between what you have and what you’re aiming for.
A vulnerability assessment is a scan for weaknesses in your software, systems, or processes. The end result is a broad list of vulnerabilities to triage and fix.
A penetration test takes a particular security weakness and actively tries to break through it, much as a meanie hacker would. It identifies the technical risk to your business from hardware and/or software vulnerabilities.
How Do I Get Started?
Step 1: Decide your audit goals
What do you want to get out of your audit? If you’re aiming to ace a regulatory framework, then there is your goal. It’s always important to know what you’re aiming for; otherwise you won’t know when you’ve got there.
Step 2: Decide your audit criteria
Going for SEC, ISO 27001, PCI DSS, or another daft acronym? Cheer up, because all these give you a ready-made set of shiny criteria to work towards. If you’re going for an internal audit to check that your IT ecosystems comply with your own corporate standards, dust off those standards and take a look. Maybe your IT strategy or governance covers it, or perhaps you’ll need to start from scratch. But at least it’s a start.
Step 3: Identify the scope of the audit
Your framework of criteria will help you identify what assets – hardware, software, data, and/or people – you’ll include in your audit and what will escape it. An IT security audit will usually include:
- What security controls you have in place, e.g., file encryption, MDM configuration, and how effective they are.
- Where sensitive data resides and who has access to it.
- Whether you have an up-to-date IT asset register and how you manage the asset lifecycle.
- Business processes such as onboarding, offboarding, and cloud collaboration.
- Whether your audit covers just your own people or extends to suppliers or freelancers who have access to your data.
Step 4: Identify the people and plan
Your IT ecosystem won’t audit itself; you have to select your audit team and prep your people (and your suppliers, if your audit includes them). If you’re aiming to satisfy an acronym like HIPAA, you’ll work with external HIPAA-framework-qualified consultants, because auditing yourself is an ethical no-no.
Your goals, scope, and criteria will inform your audit plan, which will identify:
- Who is carrying out the tests and when they’re doing it.
- What tests and comparisons will be carried out, and on which areas of your IT ecosystem.
- Who’ll be reporting on the results and in what format.
- How you’ll tackle the results.
Step 5: Conduct the security audit
Wait, what? We’re doing the actual audit only now? Yep, actually conducting the darn thing is the easiest part, but it’s not the first thing in the audit process. Which is what we’ve been trying to tell you.
Audit activities might check over:
- The physical security of mobile devices, servers, and other hardware as well as whether your physical security policies a) exist, b) are any good, and c) are respected.
- Whether your anti-virus software is installed everywhere it should be and is configured correctly.
- Firewalls: Do you have one? Does it include intrusion detection? How often is it updated, if at all?
- Are user accounts encrypted and controlled tightly or left dormant and open? (Ouch!)
- Are passwords strong, enforced, and managed correctly?
- Does the alert system work? Does it cover unplanned modification alerts as well as unauthorized access? Are alerts monitored 24/7?
Step 6: Weep over the report
After Step 5, you’ll be presented with an audit report, which is usually in the form of a gap analysis and recommendations for action. No matter how bad it looks, you’ve bitten the armadillo and know where you stand. Good for you! But what now?
Gap Remediation Is Your Friend and So Are We
Now, here’s the thing. We don’t like to brag, but our gap remediation services are the bee’s knees. That’s because, under the guidance of a third-party assessor, we undergo rigorous self-audits annually and we coach our clients through the same process. Give us your security audit report or tell us how you suck at IT security and we’ll fix it – and keep it fixed. Twenty-four years of ecstatic clients can’t be wrong. Call us.
Ignition is Silicon Valley’s best (and friendliest) IT security, compliance, and support team. Contact us now – chatting about IT support and cybersecurity is our favorite thing to do!