WHAT IS AN IT SECURITY AUDIT?
An information technology security audit is an assessment of the security of your IT systems. It covers the entire IT infrastructure including personal computers, servers, network routers, and switches. There are two types of information technology security audits; automated and manual. Automated audits are done using monitoring software that generates audit reports for changes made to files and system settings. Manual audits are done using an IT audit checklist that covers the technical, physical and administrative security controls.
WHY DO YOU NEED TO CONDUCT IT SECURITY AUDITS?
The frequency and sophistication of cyber attacks on small and medium businesses are increasing. To set up a strong defense against cyber threats, you must be aware of the threats as well as the state of your IT security and vulnerabilities.
Technology improvements and changes in your business create vulnerabilities in your information technology systems. These improvements and changes are dynamic, so to be effective, your IT security must evolve accordingly.
Here are the steps for a successful IT Security Audit:
- Assess the state of your current IT security
- Identify vulnerabilities and prioritize improvements
- Define a safety target level for your IT security
- Implement your desired IT security level
BEGIN BY ASSESSING THE SITUATION OF YOUR IT SECURITY
1. PHYSICAL SECURITY
When we talk about IT security, we don’t usually consider physical security. We think about software, infrastructure and the internet. But physical security is just as important. A simple physical access restriction can mitigate several security risks. Consider the following:
- Do you restrict physical access to your server room?
- Do you have door locks, access control systems and video surveillance?
- Do you control access to your office either via security or reception desk, sign-in log or access badges?
- Do you escort visitors in and out of controlled areas?
- Are your computers and other systems physically secured?
- Do you use a physical lock and cable to secure laptops?
ADMINISTRATIVE SECURITY CONTROLS
With a simple USB key and an internet connection, your files can be copied or corrupted and your network hacked. Therefore, you should maintain strong administrative security controls. Background checks on all employees or contractors must also be mandatory before giving them access to your systems.
As you review and update your IT policies, also educate your employees about them. Human error is the main issue in IT security. Internal discussions about security threats and preventive measures contribute greatly in reducing human error. Most phishing or malware attacks will fail if your employees are aware of and follow security protocols.
- Do your employees wear an ID badge with a current photo?
- Do you conduct background checks for employees and contractors?
- Do your employees intercept individuals with no ID badges?
- Do you create a unique user account for everyone?
- Are all user accounts and their privileges documented and approved?
- Are admin accounts used only for performing admin tasks?
- Are user accounts, especially those with admin privileges, removed when no longer required?
- Do you use only one remote access method?
- Do you give unique credentials to each user instead of using a common account?
- Are administrative privileges restricted to your IT team?
- Is system access limited controlled with roles?
IT AND SECURITY POLICIES
- Do you have a strong password policy?
- Have you implemented MFA (Multi-Factor Authentication)?
- Do you use virtual private networks (VPNs) for remote access?
- Have you set up a segregated Wi-Fi for visitors and employee-owned devices?
- Do you educate your employees about cybersecurity risks and vulnerabilities?
TECHNICAL SECURITY CONTROLS
When adopting new technologies, risks increase. Beyond your own IT infrastructure, you must also think about the cloud, SaaS platforms, network devices, and how they interact. Its therefore recommended to hire professionals to help you set up your IT security correctly. Even if you have your own IT staff, its likely that they do not have the expertise to deal with new devices and security features. An external IT consultant is also ideal for conducting penetration tests and phishing simulations.
IT INFRASTRUCTURE SECURITY
- Do you purchase your equipment only from authorized resellers?
- Do you download firmware, updates, patches, and upgrades only from validated sources only?
- Do all devices have operating systems that are standardized and approved?
- Are anti-virus and malware protection installed on all computers and mobile devices?
- Do you use standard configuration for each type of device?
- Do you maintain a list of all your hardware including the device name, type, location, serial number, service tags?
- Do you have the latest drivers installed on your devices?
SOFTWARE SECURITY MANAGEMENT
- Do you approve applications before they can be installed on computers and mobile devices?
- Do you use an MDM (mobile device management) for securing your mobile devices, operating systems, and applications?
- Do you auto-update your OS, applications, and anti-virus?
- Do you install software only from a trusted source?
- Do you maintain a list of installed software with their corresponding license?
- Do you monitor accounts using online services?
- Do you run scheduled virus scans for all systems?
- Do you use spam filtering?
THE CLOUD SECURITY
- Do you encrypt all data hosted in cloud-based services?
- Do your SLAs cover response times, business continuity and disaster recovery?
- Is access to data restricted to authorized users?
- Do you have policies to deal with data breaches?
- Do you use a password manager?
- Do you use only legitimate software and browser extensions from trusted sources?
- Are devices automatically locked when left unattended?
- Is the use of USB and external hard drives restricted?
- Do you have daily scheduled backups for critical files and data?
- Do you have a disaster recovery and business continuity plan?
- Do you have policies covering the use of computers, mobile devices, and other IT resources as well as Social Media tools?
- Do you regularly review access permission to shared folders, systems and applications?
- Do you have a procedure for isolating infected systems?
- Do you regularly conduct phishing audits and penetration testing?
- Do you maintain documentation on IT security policies?
- Are you able to remotely wipe mobile devices if lost or stolen?
The network infrastructure of businesses is a common target for attackers. This is because network devices such as routers, switches and firewalls are generally not maintained at the same security level as other devices.
- Do you have a firewall in place to protect your internal network against unauthorized access?
- Do you have a strong password for your firewall?
- Is “Deny All” your default setting on all inbound and outbound access lists?
- Is every rule on your firewall documented and approved?
- Are alerts promptly logged and investigated?
- Do you use only secure routing protocols with authentication?
- Do you disable permissive firewall rules that are no longer required?
NETWORK DEVICES SECURITY
- Do you ensure that all devices on your network use WPA2?
- Are ports that are not assigned to specific devices disabled?
- Do you use physical or virtual separation to isolate devices on network segments?
- Are all unnecessary services on routers and switches turned off?
SOFTWARE PATCH MANAGEMENT
- Do you only use licensed software which is supported?
- Are software updates and security patches installed when available?
- Is unsupported software removed from devices that are internet capable?
- Do you use a patch management solution such as SCCM?
- Does your anti-malware software auto-update?
- Does your anti-malware software do live scans of files and web pages to block malicious content?
- Does your anti-malware software perform regular scans?
HOW TO CONDUCT AN IT SECURITY AUDIT?
Let’s revisit the steps for conducting a security audit.
- Assess the current state of your IT security
- Identify vulnerabilities and prioritize improvements
- Define the desired level for your IT security
- Focus of progressing towards your desired IT security level
After completing the checklist, you will have an accurate assessment of the current state of your IT security. For each “No” answer, you have a possible threat. You need to take this list of threats and prioritize them. You can do it by calculating the risk each threat poses to your business. Risk is a combination of the impact a threat can have on your business and the likelihood of that threat occurring.
Risk = Impact x Likelihood
You can attach numeric values ranging from 0 for “no impact” to 5 for “very high impact”. Similarly, you can use 0 for “not likely to occur” to 5 for “very likely to occur”.
You can objectively prioritize the threats based on the risk score.
Now that you know where your security stands, you need to define the state you want your security to be in. If you are not sure about target security levels, investigate the following for reference:
- Current industry best practices and trends
- Regulatory and compliance requirements
- Current IT Security best practices and trends
By regularly conducting security audits using this checklist, you can monitor your progress towards your target. Also, it is important to review the checklist whenever you adopt new technologies or update your business processes.
Remember that audits are iterative processes and need continuous review and improvements. By following this step by step process, you can create a reliable process for ensuring consistent security for your business.
Contact us today for professional help.