In order for a company to run an audit, it first needs to decide whether the auditor will be an internal senior IT manager or an external auditing service provider. An internal auditor, typically used by smaller companies, can be someone who works in an IT department, especially someone who already creates reports for executives and compliance staff. Larger companies might look at hiring auditors with a background in cybersecurity and network security.
Once the auditor has been selected, there are a few key steps in performing the audit:
1. Identify devices and operating systems
2. Identify company security policies and regulations
3. Review IT infrastructure
4. Assess risk
5. Assess firewall security
6. Conduct penetration tests
Identifying devices and operating systems helps auditors locate endpoints and their vulnerabilities; each added device or new operating system update comes with cybersecurity risks, and having all devices and systems up to date will help prevent data breaches.
Each company has varying security policies and regulations, and an auditor first needs access to security policies and procedures to see if a company is in compliance as well as to identify if these policies need to be updated. An example of a company security policy could be that each employee needs to update their password every six months.
An IT infrastructure review analyzes the technology the company uses and how well its security controls fit together. A risk assessment is a crucial part of the auditor's work: it enables an organization to accurately assess external risk and properly categorize it by impact and by cost to remediate.
When reviewing firewall security, an auditor will look at a few things: firewall configuration, management processes, rule-based analysis, and the topology of the firewall. Firewalls are a central piece in defending against external threats, but they also limit internal attacks, because firewalls segment network access into restricted zones that only a few internal individuals can reach.
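The rule-based analysis mentioned above can be partly automated. The following is an added example (not code from the original article) that checks a constructed firewall rule set for three common audit findings: a permit-any rule, a management port open to any source, and a rule shadowed by an earlier, broader rule under first-match semantics. The rule format, port list and sample rules are assumptions made for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    """One firewall rule; fields and format are assumptions for this example."""
    name: str
    action: str   # "allow" or "deny"
    src: str      # IPv4 CIDR, or "any" (treated as 0.0.0.0/0)
    dst: str
    port: str     # destination port number, or "any"

def _net(cidr: str):
    return ip_network("0.0.0.0/0" if cidr == "any" else cidr)

def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a."""
    return (_net(b.src).subnet_of(_net(a.src))
            and _net(b.dst).subnet_of(_net(a.dst))
            and a.port in ("any", b.port))

def audit_rules(rules: list) -> list:
    """Return (rule name, finding) pairs an auditor would flag, in rule order."""
    findings, seen = [], []
    for r in rules:
        if r.action == "allow" and (r.src, r.dst, r.port) == ("any", "any", "any"):
            findings.append((r.name, "permit-any rule allows all traffic"))
        if r.action == "allow" and r.src == "any" and r.port in ("22", "3389"):
            findings.append((r.name, f"management port {r.port} open to any source"))
        for earlier in seen:   # first-match semantics: an earlier covering rule shadows r
            if covers(earlier, r):
                findings.append((r.name, f"shadowed by {earlier.name}; never matches"))
                break
        seen.append(r)
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or (last.src, last.dst) != ("any", "any"):
        findings.append(("policy", "no explicit final deny-all rule"))
    return findings

# Constructed sample rule set (not from any real firewall).
SAMPLE_RULES = [
    Rule("web-in", "allow", "any", "203.0.113.10/32", "443"),
    Rule("admin-ssh", "allow", "any", "203.0.113.10/32", "22"),
    Rule("dup-web", "allow", "198.51.100.0/24", "203.0.113.10/32", "443"),
    Rule("open-all", "allow", "any", "any", "any"),
]

if __name__ == "__main__":
    for name, finding in audit_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Real firewalls add protocols, interfaces and zones to the match, so a production check would extend `covers` accordingly; the shadowing logic stays the same.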
Another concern for auditors is a Distributed Denial of Service (DDoS) attack used to disable network infrastructure. While firewalls can mitigate some of the damage, companies need to look at implementing larger, more comprehensive data security strategies for these types of attacks. Also, while firewalls can be a strong defense against external threats, how well the firewall and network are monitored determines a company's response times and threat assessments, and therefore the financial impact of a hacking incident.
Penetration tests assess the viability of a company’s security systems, and the auditor will run a test “hack” on the company to check the status of the security measures. This process of thinking like a potential attacker helps an auditor identify gaps in security and advise companies on the implementation of more robust network security programs.
Other steps in the audit process depend on the auditing service a company selects, but can include:
- White box external and internal network penetration tests
- External and internal vulnerability assessments
- Human error assessments (phishing, telephone impersonation, access controls, email filters, and spam)
- Remote access security
- Internal network security posture assessment
Be sure to evaluate multiple audit providers to find one that is the best fit for your company. Ask for an audit checklist to see the clear steps auditors take during their security assessment. A full report can guide future decisions on security best practices.