Today’s network and data security environments are complex and diverse. A security program has hundreds of moving parts, and each one needs to be examined individually and as part of the whole, to confirm not only that it is working as intended for your organization, but also that it is not itself a threat to your company, your data, or your customers’ data.

Risk management and risk assessments are central to this process. Data loss and data breaches can make or break a company, especially when a breach causes other organizations to lose confidence in your ability to keep their data and yours secure. For this reason, regular audits of your environment are essential.

There are hundreds of items that could appear on a cybersecurity audit checklist. The broad categories below cover many of the most important risks:

  1. Management
    1. Company security policies in place
    2. Security policies written and enforced through training
    3. Computer software and hardware asset list
    4. Data classified by usage and sensitivity
    5. Established chain of data ownership
  2. Employees
    1. Training on phishing, handling suspicious emails, and social engineering
    2. Password policy training and technical enforcement
    3. Training on challenging unescorted strangers in the workplace
    4. Training on carrying data on laptops and other portable devices, and on keeping that data secure
    5. Security awareness training completed and signed off by every employee, so that staff understand why security matters and act as active guardians of it
    6. Secure Bring Your Own Device (BYOD) policies in place
  3. Business practices
    1. Emergency and cybersecurity response plans
    2. Identify every plausible source of cybersecurity-driven business disruption
    3. Plans in place to limit business disruptions and contain security breaches
    4. Emergency disaster recovery plans in place
    5. Alternative locations for running business in case of emergencies or disruptions
    6. Redundancy and restoration paths for all critical business operations
    7. Have you tested your restoration and redundancy plans?
  4. IT staff
    1. System hardening plans
    2. Automated hardening applied to every operating system on servers, routers, workstations, and gateways
    3. Automated software patch management
    4. Subscriptions to vendor security advisories and security mailing lists
    5. Regular security audits and penetration testing
    6. Anti-virus software installed on all devices, with automatic updates
    7. Systematic review of system logs and backup logs to confirm there are no errors, and that every expected backup actually ran
    8. Remote-work plans in place, along with policies governing remote access
  5. Physical security
    1. Lock servers and network equipment in secured racks or rooms
    2. Have a secure, off-site backup solution
    3. Keep keys to server rooms and network closets in a secure location
    4. Keep computers in visible locations, so that tampering or removal is noticed
    5. Use locks on computer cases
    6. Perform regular inspections
    7. Prevent unauthorized people from entering the server room, or even the workstation areas
    8. Security camera monitoring system
    9. Keycard system required for secure areas
    10. Secure Data Policy in place and ensure users understand the policy through training
    11. Secure trash dumpsters and paper shredders to prevent dumpster diving
  6. Secure data
    1. Encryption enabled wherever required, at rest and in transit
    2. Secure laptops, mobile devices, and storage devices
    3. Enable automatic wiping of lost or stolen devices
    4. Transport Layer Security (TLS) in place for data transfers over the Internet; its predecessor, Secure Sockets Layer (SSL), is obsolete and should be disabled
    5. Secure email gateways ensuring that data is emailed securely
  7. Active monitoring and testing
    1. Regular monitoring of all aspects of security
    2. Regularly scheduled security testing
    3. External penetration testing to catch what your own staff may have missed
    4. Scanning for sensitive data types to confirm they are stored only where policy allows and are properly protected
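Checklist item 4.7 above asks for a systematic review of backup logs. Reading every line by hand does not scale, and the failure that audits most often miss is not an error line but a host that silently never reported at all. The following is an added example, not code from the original article: it reviews constructed backup-job log lines and reports errors, warnings, and hosts with no recent successful backup. The log line format, the host inventory, and the review time are assumptions made for this illustration.

```python
"""Added example (not from the original article): review constructed backup-job
log lines and report what an auditor actually needs to know, namely jobs that
logged errors and hosts that produced no successful backup inside the expected
window. The log line format, the host inventory and the review time are all
assumptions made for this illustration."""
import re
from datetime import datetime, timedelta

# Constructed sample log in an assumed "date time LEVEL host job message" format.
# The last line is deliberately truncated to show how unparseable input is handled.
SAMPLE_LOG = """\
2024-05-01 01:02:11 INFO  db01  nightly backup completed, 512 MiB written
2024-05-01 01:05:43 ERROR web02 nightly backup failed: destination unreachable
2024-05-01 01:07:09 INFO  web02 nightly retry scheduled
2024-05-02 01:01:58 INFO  db01  nightly backup completed, 520 MiB written
2024-05-02 01:03:30 WARN  web02 nightly backup completed with 3 skipped files
2024-05-02 01:04:12 INFO  fs01  nightly backup completed, 2 GiB written
2024-05-02 01:04:5
"""

# Hosts that policy says must produce a backup every night (assumed inventory).
EXPECTED_HOSTS = {"db01", "web02", "fs01", "mail01"}

# Point in time at which the review runs (assumed).
REVIEW_AS_OF = datetime(2024, 5, 3, 2, 0, 0)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<level>INFO|WARN|ERROR)\s+(?P<host>\S+)\s+(?P<job>\S+)\s+(?P<msg>.*)$"
)


def parse_log(text):
    """Parse log lines into dicts. Lines that do not match are returned
    separately rather than dropped: a truncated or garbled log is a finding."""
    entries, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S")
        entries.append(entry)
    return entries, unparsed


def review_backups(text, expected_hosts, now, window=timedelta(hours=36)):
    """Return errors, warnings, hosts with no recent successful backup, and
    unparseable lines. A completed backup at WARN level counts as a success
    but is still surfaced as a warning for follow-up."""
    entries, unparsed = parse_log(text)
    errors = [e for e in entries if e["level"] == "ERROR"]
    warnings = [e for e in entries if e["level"] == "WARN"]

    last_success = {}
    for e in entries:
        if e["level"] in ("INFO", "WARN") and "backup completed" in e["msg"]:
            prev = last_success.get(e["host"])
            if prev is None or e["ts"] > prev:
                last_success[e["host"]] = e["ts"]

    # The silent failure: a host that never reported is as bad as an error line.
    stale_hosts = sorted(
        h for h in expected_hosts
        if h not in last_success or now - last_success[h] > window
    )
    return {
        "errors": errors,
        "warnings": warnings,
        "stale_hosts": stale_hosts,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = review_backups(SAMPLE_LOG, EXPECTED_HOSTS, REVIEW_AS_OF)
    for e in report["errors"]:
        print(f"ERROR    {e['ts']} {e['host']}: {e['msg']}")
    for e in report["warnings"]:
        print(f"WARN     {e['ts']} {e['host']}: {e['msg']}")
    for h in report["stale_hosts"]:
        print(f"STALE    {h}: no successful backup within the window")
    for line in report["unparsed"]:
        print(f"UNPARSED {line!r}")
```

On the constructed sample this reports the failed web02 job, the web02 job that completed with skipped files, mail01 as stale because it never reported, and the truncated last line as unparseable. The host inventory is the important input: without an authoritative list of what should be backed up, a review can only find problems that the backup software chose to log.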
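Checklist item 7.4 above, scanning for sensitive data types, is more than a pattern match: any 16-digit string will match a naive card-number regex, so a useful scanner must discard order numbers, timestamps, and serials. The following is an added example, not code from the original article: it finds payment card numbers (PANs) in text and applies the Luhn check digit to weed out false positives. The file contents are constructed, and the card numbers are the well-known public test numbers, not real accounts.

```python
"""Added example (not from the original article): a small data-discovery scan
that looks for payment card numbers (PANs) in text and applies the Luhn check
digit so that the many 13-19 digit strings that are not card numbers (order
numbers, timestamps, serials) are discarded. The file contents below are
constructed; a real scan would walk a filesystem, mailbox or database export."""
import re

# A candidate PAN is 13 to 19 digits, optionally grouped by single spaces or dashes.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed stand-in for files found during a scan: path -> contents.
# 4111... and 5500... are public test card numbers; 1234567890123456 fails Luhn.
SAMPLE_FILES = {
    "exports/customers.csv": "id,name,card\n1,Alice,4111 1111 1111 1111\n2,Bob,none\n",
    "logs/orders.log": "order 1234567890123456 shipped; ref 5500-0000-0000-0004\n",
    "docs/readme.txt": "Call 555-0100 for support.\n",
}


def luhn_valid(digits):
    """Luhn check: from the right, double every second digit, subtract 9 from
    any result above 9, and the total must be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the first six and last four digits in the report, so the
    scanner's own output does not become another copy of the sensitive data."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return (masked_pan, offset) for every Luhn-valid candidate in text."""
    hits = []
    for m in PAN_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append((mask_pan(digits), m.start()))
    return hits


def scan_files(files):
    """Scan each file's contents; return only the files with findings."""
    findings = {}
    for path, text in files.items():
        pans = find_pans(text)
        if pans:
            findings[path] = pans
    return findings


if __name__ == "__main__":
    for path, pans in scan_files(SAMPLE_FILES).items():
        for masked, offset in pans:
            print(f"{path}: possible PAN {masked} at offset {offset}")
```

The Luhn check removes roughly ninety percent of random digit strings, not all of them, so findings still need a human or a second signal (column name, surrounding text) before they become audit evidence. Masking the output matters: a scan report full of complete card numbers is itself a finding on the next audit.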

There are three nested levels of security in an organization. Information security (InfoSec) is the broadest: the processes and information technology designed to protect any kind of sensitive data and information, whether in print or electronic form, from unauthorized access.

Cybersecurity is a subset of InfoSec: the practice of defending your organization’s internet-connected systems (hardware, software, programs, and data) and networks from unauthorized digital access, attack, or damage through processes, technologies, and practices. Sophisticated threats target organizations of every size, so your infrastructure must be kept secure at all times to prevent a full-scale attack on your network that would expose your company’s data and reputation.

Network Security is a subset of cybersecurity and deals with protecting the integrity of any network and data that is being sent through devices in that network. We discussed Network Security in another blog entry, which also includes the Network Security Audit Checklist.

Governance Framework

When creating an information systems security program, start with a proper governance structure and the management software to support it. Other articles on this website cover governance frameworks in depth; in short, a governance framework is the structure established to keep your security strategy aligned with your business objectives. Governance aligns business and information security so the two teams can work together efficiently. It also defines each person’s roles, responsibilities, and accountabilities, and produces the evidence that you are meeting your compliance obligations.

CIA Model

When security experts create policies and procedures for an effective information security program, they use the CIA model (confidentiality, integrity, and availability) as a guide.

Confidentiality: Ensures that information is not accessible to unauthorized people, usually through access controls and encryption, which comes in many forms.

Integrity: Protects data and systems from modification by unauthorized people, so that data arrives at its intended recipient exactly as it was when you created it.

Availability: Ensures that authorized people can access the information when they need it, and that all hardware and software are maintained and updated when necessary.

The CIA Model has become the standard model for keeping your organization secure. The three principles help build a set of security controls to preserve and protect your data.
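The integrity definition above is easy to get wrong in practice: a checksum alone does not protect integrity against an attacker who can modify the data, because the attacker can recompute the checksum too. What does protect it is a keyed message authentication code, which cannot be recomputed without the secret. The following is an added example, not code from the original article; the record, the shared key, and the simulated tampering are all constructed for illustration.

```python
"""Added example (not from the original article): the integrity property of
the CIA model, shown with code. A plain checksum cannot protect integrity
against an attacker who can modify the message, because the attacker can
recompute it. A keyed MAC (HMAC-SHA256 here) can, because recomputing it
requires the secret key. The record, key and tampering are all constructed."""
import hashlib
import hmac
import json

# Shared secret known only to sender and receiver (constructed for the demo;
# in practice it comes from a secret store, never from source code).
SHARED_KEY = b"demo-shared-secret-do-not-use-in-production"


def canonical(record):
    """Serialise deterministically so both sides hash exactly the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


# --- weak: unkeyed checksum -------------------------------------------------
def protect_with_checksum(record):
    return {"record": record, "checksum": hashlib.sha256(canonical(record)).hexdigest()}


def verify_checksum(envelope):
    return envelope["checksum"] == hashlib.sha256(canonical(envelope["record"])).hexdigest()


# --- strong: keyed MAC ------------------------------------------------------
def protect_with_mac(record, key):
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "mac": tag}


def verify_mac(envelope, key):
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    # compare_digest avoids leaking the tag through timing differences.
    return hmac.compare_digest(expected, envelope["mac"])


def attacker_modifies(envelope):
    """Simulate a man-in-the-middle who changes the amount and then does the
    best it can to make the envelope look valid again without the key."""
    forged = json.loads(json.dumps(envelope))  # deep copy
    forged["record"]["amount"] = "1990.00"
    if "checksum" in forged:
        # No secret involved, so the attacker simply recomputes it.
        forged["checksum"] = hashlib.sha256(canonical(forged["record"])).hexdigest()
    # With a MAC there is nothing useful the attacker can do: the old tag stays.
    return forged


def demo():
    """Returns (checksum accepts forgery, MAC accepts forgery, MAC accepts original)."""
    record = {"invoice": 1042, "amount": "199.00", "payee": "ACME"}
    checksum_env = protect_with_checksum(record)
    mac_env = protect_with_mac(record, SHARED_KEY)
    return (
        verify_checksum(attacker_modifies(checksum_env)),
        verify_mac(attacker_modifies(mac_env), SHARED_KEY),
        verify_mac(mac_env, SHARED_KEY),
    )


if __name__ == "__main__":
    checksum_fooled, mac_fooled, mac_ok = demo()
    print("checksum accepted tampered record:", checksum_fooled)
    print("HMAC accepted tampered record:    ", mac_fooled)
    print("HMAC accepted genuine record:     ", mac_ok)
```

A MAC detects modification but not replay: an attacker can resend an unmodified, correctly tagged envelope, so a sequence number or timestamp belongs inside the record where the tag covers it. For data in transit, TLS supplies this protection for the connection; a MAC of this kind is for records that are stored, queued, or forwarded through systems you do not control.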

About Other Cybersecurity Audit Checklists

There are many sources of cybersecurity checklists you can find on the Internet. Some companies are happy to give away their checklists and others charge for them. Some are just the cost of a subscription email in hopes of selling you other products and services down the road.

It doesn’t hurt to start collecting some of these checklists, because they are a good place to begin developing your own, and you really do need your own: nobody else has the same configuration of networks, devices, and software that you have.

Those canned lists, including the one in this article, are only ballpark ideas of what you should be checking.

For your checklist to be effective, you need to take a basic checklist or collection of checklists, put them together, and then add specifics for your environment. Also, because an organization is constantly changing, you will be making changes to it as time goes by. ZenGRC can help streamline the process of creating and updating your information security controls, related objects such as risks, threats, and vulnerabilities, as well as audit and assessment tasks.

You may attend a new class about security that will give you ideas to add to your checklist. Or you may purchase a new firewall or some new anti-virus software that will make you rethink how you do a certain aspect of your checklist. You may also decide that you want to outsource your security checks, although even if you do that, you’ll want to have your own checklist and compare it against what your outsourced consultants use to make sure that they have covered all the bases as well as add things from their checklist to yours.
