Today’s corporate IT environments are complex and diverse. The security system to protect those environments can easily have hundreds of individual parts, and all of those parts need to be looked at individually and as a whole. To assure that all those parts are working as intended, you should perform a cybersecurity audit.
Audits aren’t just good sense, either; many data privacy and security regulations require audits. That said, the steps for a cybersecurity audit can be long. In this post we’ll review what those steps are, and organize them into a checklist that you can use.
The Broad Categories in a Checklist
Every audit will be structured in its own way, depending on the company, its operations, the regulations governing that business, and other details. Still, all cybersecurity audits do need to address several broad categories.
- Company security policies in place
- Security policies written and enforced through training
- Computer software and hardware asset list
- Data classified by usage and sensitivity
- Established chain of data ownership
- Training on phishing, handling suspicious emails, social engineering hackers
- Password training and enforcement
- Training on dealing with strangers in the workplace
- Training on carrying data on laptops and other devices and ensuring the security of this data
- All security awareness training passed and signed off ensuring that all employees not only understand the importance of security but are active guardians for security
- Ensure that Secure Bring Your Own Device (BYOD) plans are in place
- Emergency and cybersecurity response plans are written
- Determine all possible sources of business disruption cybersecurity risk
- Plans in place to lessen business disruptions and security breaches
- Emergency disaster recovery plans in place
- Alternative locations for running business in case of emergencies or disruptions
- Redundancy and restoration paths for all critical business operations
- Restoration and redundancy plans have been tested
- System hardening plans
- Automated system hardening on all operating systems on servers, routers, workstations, and gateways
- Software patch management automated
- Security mailing lists
- Regular security audits and penetration testing
- Anti-virus software installed on all devices with auto-updates
- Systematic review of log files and backup logs to make sure there are no errors
- Remote plans in place, as well as policies regarding remote access
- Lock servers and network equipment
- Have a secure and remote backup solution
- Make sure keys for the network are in a secure location
- Keep computers visible
- Use locks on computer cases
- Perform regular inspections
- Prevent unauthorized users from entering the server room and workstation areas
- Security camera monitoring system
- Key card system required for secure areas
- Secure Data Policy is in place and users understand the policy through training
- Secure trash dumpsters and paper shredders to prevent dumpster diving
- Encryption is enabled wherever required
- Laptops, mobile devices, and storage devices are all secured
- Enable automatic wiping of lost or stolen devices
- Secure Sockets Layer (SSL) in place when using the Internet to assure secure data transfers
- Secure email gateways ensuring data is emailed securely
Active monitoring and testing
- Regular monitoring of all aspects of security
- Regularly scheduled security testing
- External penetration testing to ensure your staff hasn’t missed something
- Scanning for data types to make sure they are secure and properly stored
How Do You Conduct a Cybersecurity Audit?
You should conduct a cybersecurity audit at least once a year to assure that your digital ecosystem is secure, no vulnerabilities have been overlooked, and no new threats are going unaddressed. Here are a few steps to follow with your audit team, which may include your IT security department, a cybersecurity auditor, and other key stakeholders:
- Define the scope of your audit. What digital assets will you prioritize securing? What assets don’t need to be audited? What parts of your IT infrastructure are weak, new, or haven’t been checked in a while? Make an audit plan with key stakeholders and executive decision-makers before continuing.
- Ensure cross-department communication. An audit should be company-wide, which means your security auditor may not be a subject expert on every part of your digital ecosystem. Alert your organization’s leaders that you’ll be conducting an audit and confirm that they’re available to help when needed.
- Know your compliance standards and regulatory requirements. An audit should focus on meeting compliance requirements rather than discovering them. You’ll save yourself time and money by familiarizing yourself with requirements such as GDPR, HIPAA, and PHI before beginning the audit.
- Map your structure. A detailed map showing how all structures within your digital ecosystem connect will allow you to identify any gaps in security while reinforcing existing weak points. This will also allow you to identify any security vectors that may be vulnerable.
- Identify and address vulnerabilities and risks. Your cybersecurity audit should identify existing vulnerabilities and risks, which you can then address with key stakeholders. Part of the audit process should include vulnerability assessments and an evaluation of your organization’s security posture.
- Evaluate current risk management processes. Your audit should also include a look at processes, certifications, and operations currently in place. How well are they working? What can be improved?
- Set priorities. In the event of a large-scale cyber attack, you won’t be able to mobilize every effort at once. Identify what aspects of cybersecurity are the highest priority for your organization and assure that those processes are effective and up-to-date.
- Perform audits at regular intervals. Once you’ve completed your first cybersecurity audit, schedule the next one. You may choose to perform external audits and internal audits separately. Perform them regularly within your organization, whether you choose to do so once a year or once a quarter.
How Long Does a Cybersecurity Audit Take?
The length of a cybersecurity audit depends on several variable factors, such as:
- The size of your organization
- Your current risk management and cybersecurity infrastructure
- The type of audit you’re performing
- Any risk management software or dashboards you’re using
Some cybersecurity audits take a few weeks, some take a few months.
What Does a Security Audit Include?
A cybersecurity audit includes a full mapping of your digital ecosystem and an evaluation of the strengths and weaknesses within that map. You will also examine and test processes for risk responses and cyberattack recoveries during the audit. As a result, you may discover new vulnerabilities that you didn’t know about, or you may find that former risk management processes are no longer effective against changing cyber threats.
Your cybersecurity audit should also include drafting new risk management plans and processes for addressing the new vulnerabilities or threats you’ve discovered. You’ll also need to assure that the business complies with relevant national and international regulatory requirements, such as GDPR or HIPPA.
Use a Governance Framework
When creating an information systems security program, start with a proper governance structure and management systems software. There are many articles on this website about governance frameworks, but the framework assures that the security strategies align with your business objectives. Governance aligns business and information security, so the teams can efficiently work together. It also defines each person’s roles, responsibilities, and accountabilities, and ensures that you are meeting compliance.
When security experts create policies and procedures for effective information security measures, they use the CIA Model as a guide. The components of the CIA Model are Confidentiality, Integrity, and Availability.
Confidentiality: Sensitive information isn’t accessible to unauthorized users, usually via encryption such as multi-factor authentication.
Integrity: Data and systems are protected from alteration by unauthorized people, so that data wasn’t changed from the time you created it to when it arrives at its intended party.
Availability: Authorized people can access the information when needed, and all hardware and software is maintained and updated when necessary.
The CIA Model has become the standard model for keeping your organization secure. The three principles help build a set of security controls to preserve and protect your data.
About Other Cybersecurity Audit Checklists
There are many sources of cybersecurity checklists you can find on the Internet. Some companies are happy to give away their lists, while others charge for them.
When preparing for your own cybersecurity audit, it will never hurt to grab some of those security checklists to serve as inspiration for your own. Remember, however, that these “outsider” checklists are only ballpark estimates of what you might need to do. Nobody else has the same configuration of networks, devices, and software that you have, so you’ll need to tailor those checklists to something that meets your specific needs.
You may attend a new class about security that will give you ideas to add to your checklist. Or you may purchase a new firewall or some new anti-virus software that will make you rethink how you do a certain aspect of your checklist. You may also decide that you want to outsource your security checks. However, you’ll want to have your own checklist and compare it against what your outsourced consultants use to make sure that they have covered all the bases.
Manage Cybersecurity Audits With ZenGRC
ZenGRC provides a real-time view of your organization’s cyber risk posture and compliance, customized to your business’s priorities and objectives. It can also incorporate risk assessments and audit frameworks, to guide you through all the testing and remediation work that might be necessary.
Other features include a built-in content library with on-the-go access to provide your security team with expert guidance, best practices, and multiple pre-built integrations for unified and contextual insights.