An IT security audit is an evaluation of the security of a company’s information systems by measuring how well they conform to a set of established and agreed-upon criteria.
Security audits, vulnerability assessments and penetration tests are three main types of security diagnostics an organization can employ.
WHY DO YOU NEED TO CONDUCT AN IT SECURITY AUDIT
The advances in technology and changes in your business model create vulnerabilities in your information technology systems. These advances and changes are dynamic. So, to be effective your IT security also has to evolve continuously.
To set up a strong defense against cyber threats, you must be aware of not just the threats but also the state of your IT security and vulnerabilities.
WHO WILL AUDIT
There are two main actors who can lead and execute such audits: internal auditors and external auditors.
Small companies may use IT managers or other information security personnel within the organization to conduct the audit activities. These employees execute the audit and report the results to top-level management and possibly to external compliance officials. Larger organizations tend to hire internal auditors with a security background and skillset, such as CISSP-, CISA- and CISM-certified professionals.
Depending on the purpose and nature of the audit, a company may use external auditors from third-party companies specializing in technology auditing. Usually the use of external auditors is driven by compliance, where the audit activities must be driven and executed independently and without bias.
MANUAL AND AUTOMATIC AUDITS
During a manual audit, the auditor will interview your employees, conduct manual security checks and scans, evaluate physical access to systems, and analyze your application and operating system access controls.
An automated audit is a computer-assisted audit technique (CAAT) where specialized software and tools are run against the infrastructure and systems under the audit scope and produce audit reports. These tools are capable of continuously monitoring the infrastructure and provide alerts when suspicious activity is detected.
A combination of manual and automated audits will produce more in-depth results and will certainly provide higher assurance to a company.
THERE ARE ADVANTAGES FOR EACH TYPE OF AUDIT
Each type of audit has its own benefits.
Automated IT security audits are usually faster and can cover more checks on information systems, whereas the manual way would take a lot of time and would be impractical. Additionally, fewer skills are required on the part of the auditor, as the tools used will perform advanced tests without the need for human knowledge or additional intervention. Last but not least, specialized software is capable of producing clean and comprehensive reports.
Manual IT security audits have their own advantages that automated tools may never have.
A good example is the ability to interview employees or observe how certain actions are being taken on the systems/processes under the audit scope, which can give you a lot of vital information and insights that an automated tool cannot.
HOW OFTEN TO PERFORM AN IT SECURITY AUDIT
You might have the freedom to choose when to perform IT audits if you are not bound by any compliance or regulatory requirements, which may dictate the frequency for you. If you do have this freedom of choice, then you may want to choose between auditing at predefined intervals (e.g. monthly, quarterly, bi-annually) or take a more aggressive approach and go with continuous auditing.
Continuous IT audits have the benefit of providing faster insight into problematic areas and allow proactive reviews of them. Using a continuous audit method will also help reduce costs: because more of the audit work must be automated, fewer man-hours are required to collect the evidence supporting the audit, and findings will most probably be remediated faster.
The ultimate choice on the frequency of the IT audits may not depend entirely on your company.
Choosing to perform continuous audits (CA) will present more benefits for the entire organization in a very short period of time, even though the initial design and implementation of the audit program may be difficult due to complexity and culture factors.
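The computer-assisted audit technique (CAAT) described under "Manual and automatic audits" and the continuous-audit method described above both come down to the same mechanism: a tool evaluates the state of a system against agreed-upon criteria, produces a report, and, when run repeatedly, shows what was remediated and what regressed between runs. The following is an added example illustrating that mechanism; it is not code from the article or from any audit product. The control identifiers (AC-01, INF-01, ...), the thresholds, and both system snapshots are hypothetical and constructed for this example.

```python
# Added example (not from the article): a minimal CAAT-style check that scores a
# system snapshot against agreed criteria, renders an audit report, and compares
# two runs the way a continuous audit programme would. Criterion ids, thresholds
# and both snapshots are hypothetical and constructed for this example.
import copy
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List

@dataclass(frozen=True)
class Criterion:
    cid: str                             # hypothetical control identifier
    area: str                            # audit area (from the article's list of areas)
    description: str
    check: Callable[[dict], List[str]]   # returns evidence of non-conformance; [] means pass

@dataclass(frozen=True)
class Finding:
    cid: str
    area: str
    description: str
    evidence: str

# Individual checks: each returns a list of evidence strings, or [] when the system conforms.
def check_password_length(s: dict) -> List[str]:
    n = s["password_policy"]["min_length"]
    return [] if n >= 12 else [f"min_length={n}, required >=12"]

def check_admin_mfa(s: dict) -> List[str]:
    return [f"admin without MFA: {a['user']}" for a in s["accounts"] if a["admin"] and not a["mfa"]]

def check_inactive_accounts(s: dict) -> List[str]:
    return [f"{a['user']} inactive {(s['as_of'] - a['last_login']).days} days"
            for a in s["accounts"] if (s["as_of"] - a["last_login"]).days > 90]

def check_ssh_root_login(s: dict) -> List[str]:
    v = s["sshd"].get("PermitRootLogin")
    return [] if v == "no" else [f"PermitRootLogin={v}"]

def check_ssh_password_auth(s: dict) -> List[str]:
    v = s["sshd"].get("PasswordAuthentication")
    return [] if v == "no" else [f"PasswordAuthentication={v}"]

def check_critical_patches(s: dict) -> List[str]:
    n = s["patching"]["pending_critical"]
    return [] if n == 0 else [f"{n} critical patches pending"]

CRITERIA = [
    Criterion("AC-01", "Account management", "Minimum password length is 12", check_password_length),
    Criterion("AC-02", "Account management", "Every admin account uses MFA", check_admin_mfa),
    Criterion("AC-03", "Account management", "No account inactive for more than 90 days", check_inactive_accounts),
    Criterion("INF-01", "IT Infrastructure security", "SSH root login disabled", check_ssh_root_login),
    Criterion("INF-02", "IT Infrastructure security", "SSH password authentication disabled", check_ssh_password_auth),
    Criterion("SW-01", "Software security management", "No critical patches pending", check_critical_patches),
]

# Constructed snapshot of one system, shaped like what an audit tool might collect (not real data).
SNAPSHOT_DAY_1 = {
    "as_of": date(2024, 1, 15),
    "password_policy": {"min_length": 8},
    "accounts": [
        {"user": "alice", "admin": True, "mfa": True, "last_login": date(2024, 1, 14)},
        {"user": "svc_backup", "admin": True, "mfa": False, "last_login": date(2023, 9, 1)},
        {"user": "bob", "admin": False, "mfa": True, "last_login": date(2024, 1, 10)},
    ],
    "sshd": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
    "patching": {"pending_critical": 2},
}

# One month later: several findings remediated, one regression introduced, one still open.
SNAPSHOT_DAY_2 = copy.deepcopy(SNAPSHOT_DAY_1)
SNAPSHOT_DAY_2["as_of"] = date(2024, 2, 15)
SNAPSHOT_DAY_2["password_policy"]["min_length"] = 14
SNAPSHOT_DAY_2["accounts"][1]["mfa"] = True   # svc_backup now has MFA but is still inactive
SNAPSHOT_DAY_2["sshd"] = {"PermitRootLogin": "no", "PasswordAuthentication": "yes"}  # regression
SNAPSHOT_DAY_2["patching"]["pending_critical"] = 0

def audit(snapshot: dict, criteria: List[Criterion]) -> List[Finding]:
    """Evaluate every criterion; return one Finding per non-conforming criterion."""
    findings = []
    for c in criteria:
        evidence = c.check(snapshot)
        if evidence:
            findings.append(Finding(c.cid, c.area, c.description, "; ".join(evidence)))
    return findings

def report(snapshot: dict, criteria: List[Criterion]) -> str:
    """Render the findings as a plain-text audit report."""
    findings = audit(snapshot, criteria)
    lines = [f"IT security audit report as of {snapshot['as_of'].isoformat()}",
             f"{len(criteria) - len(findings)}/{len(criteria)} criteria met"]
    lines += [f"FAIL {f.cid} [{f.area}] {f.description}: {f.evidence}" for f in findings]
    return "\n".join(lines)

def diff_runs(previous: List[Finding], current: List[Finding]) -> Dict[str, List[str]]:
    """Continuous-audit view: which findings are new, remediated, or still open since the last run."""
    prev, cur = {f.cid for f in previous}, {f.cid for f in current}
    return {"new": sorted(cur - prev), "remediated": sorted(prev - cur), "open": sorted(cur & prev)}

if __name__ == "__main__":
    print(report(SNAPSHOT_DAY_1, CRITERIA))
    print()
    print(report(SNAPSHOT_DAY_2, CRITERIA))
    print()
    print(diff_runs(audit(SNAPSHOT_DAY_1, CRITERIA), audit(SNAPSHOT_DAY_2, CRITERIA)))
```

Each criterion returns the evidence that supports a finding rather than a bare true/false, which is what makes the report usable by management and by external compliance reviewers. Scheduling `report` and `diff_runs` to run at a fixed interval turns the same checks into the continuous audit method the article describes: the "new" list is what deserves immediate attention, and the "remediated" list is the evidence that earlier findings were closed.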
The main areas to focus on when conducting your IT Security Audit are:
- Physical security
- Personnel security
- Account management
- IT and security policies
- IT Infrastructure security
- Software security management
- Cloud security
- Network security
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.