How can your business manage a successful security audit? IT audits—no one enjoys them, but they are a critical part of today’s IT security solutions. Audits are necessary to keep your company’s network and assets safe and secure.
While it is true audits are necessary, dealing with outside auditors can be a less than pleasant experience. What happens if they make a mistake? What if they don’t do their work properly? Then as the leader of the IT department, you’ll bear the responsibility, especially if an intruder subsequently makes their way into your systems.
Is there a way to have a successful audit, even when bringing in outside auditors? The answer is yes, when the audit is done in the right way and with the right auditor. In a recent article by Mark Weir from Techrader, he asks: how much security is enough?
Establish security through annual audits
While security audits are important, many companies fail to conduct annual audits on their networks. The reasons for this are many. Some view this as unnecessary—if they’ve not suffered an incident, then they must have strong enough security. Another reason could be the expense of having an audit each year.
While these reasons may seem understandable, the fact is that businesses are facing more security breaches than ever before. This is true for businesses of all sizes—from corporations down to small businesses. Now is the right time to ensure your network is secure, rather than waiting to be hacked.
If your company has never conducted a security audit, then it’s time to implement annual audits. You might think of an annual security audit as being similar to having a physical each year. The doctor does a first physical exam and uses this as a comparison for future physicals. When something is different in a subsequent physical exam, then it must be investigated.
Spell Out Your Objectives
When it comes to finding the right auditor, it’s a good idea to develop your audit objectives in advance. These may include:
- Write down a list of all company assets (including data, computer equipment, and more)
- Define the security perimeter: what will be included in the audit and what will not
- Define threats
- Prioritise risks
- Make a list of security improvements and best practices to eliminate threats
Now you have a list of objectives for the audit, meaning these are the areas that the auditor needs to focus on.
Choose auditors with experience
What you’re looking for is an auditor (or a team) that has real-world experience with security technology. This way they’ll have the ability to find even the most elusive and serious security issues. You might also ask to see any published works they’ve written. This is another way to see if the auditor has the experience and the knowledge to conduct a proper security audit.
Contact business connections and see if they can recommend some experienced security audit firms. In addition, ask each audit firm for a list of references to past clients, and then contact these firms and ask about their own experience with the audit firm. Once you’ve created a list of auditing firms, ask them for details on how they conduct an audit.
Prepare for the Audit
Now that you’ve found the right auditing firm, you’ll need to make sure they’re onboard with your objectives and the type of data they’ll have access to. This is where many companies and auditors have their first problem. Everyone assumes the other side knows what data will be accessed during the audit. The auditor may have their own ideas on the subject, and your company may have its own view on the matter. Never make the assumption that you and your auditor are on the same page about access to data. This is something that should be agreed to by you and your auditor before the audit begins.
In addition, it’s necessary to keep those people and departments involved in the process. You’ll want to involve the department managers who will be affected by the audit. This way, they won’t face sudden, unpleasant surprises in the course of the audit. For this reason, it’s a good idea to create some audit rules in advance:
- Managers will need to determine any specifics to limit impact on their systems. They may specify the day and time when testing will be optimal for their processes.
- Auditors will need an “indemnification statement” that gives them authorisation to conduct the audit. This should also be sent over to your ISP, so they aren’t alarmed by the large volume of port scans on their address space.
- Auditors generally expect access to certain data and documentation to analyse your network. These may include:
  - Copies of all policies and procedures (these may cover passwords, virus scanning, acceptable use information for employees, privacy guarantees to keep company user and client data secure, privileged access, and incident handling)
  - Information about your network, including the target IP ranges
  - List of security devices (firewall, IDS)
  - List of software used on the network
- Ensure the auditor has a plan, and that they provide you with the details.
- When the audit’s completed, you can review the results to plan your future strategy. The audit report should cover:
  - Threat sources (internal and/or external)
  - Probability of an attack on the network
  - Impact of the attack (this should outline how much money the company could lose, whether it would affect the company’s reputation, and more)
  - Recommended actions to fix any problems
Whilst security audits aren’t fun, they are essential, especially when you see trends that change over time. The audit provides essential information on the health of your network, as well as on vulnerabilities that could put your company in danger.
Contact the LIS Help Desk to conduct a security audit with confidence, knowing your network will be more secure as a result. Our experienced team are always on hand to answer your questions and keep your business secure.
LIS – SECURING YOUR DIGITAL WORLD