How to Manage a Successful Security Audit

IT audits: no one enjoys them, but they’re a critical part of today’s IT security programme. Audits are necessary to keep your company’s network and assets safe and secure.

While it’s true that audits are necessary, dealing with outside auditors can be a less than pleasant experience. What happens if they make a mistake? What if they don’t do their work properly? Then, as the leader of the IT department, you’ll bear the responsibility, especially if an intruder subsequently makes their way into your systems.

Is there a way to have a successful audit, even when bringing in outside auditors? The answer is yes, when the audit is done in the right way and with the right auditor. Let’s take a look.

Establish a Security Baseline Through Annual Audits

While security audits are important, many companies fail to conduct annual audits on their networks. The reasons for this are many. Some view this as unnecessary—if they’ve not suffered an incident, then they must have strong enough security. Another reason could be the expense of having an audit each year.

While these reasons may seem understandable, the fact is that businesses are facing more security breaches than ever before. This is true for businesses of all sizes, from corporations down to small businesses. Now is the right time to ensure your network is secure, rather than waiting to be hacked.

If your company has never conducted a security audit, then it’s time to implement annual audits. You might think of an annual security audit as being similar to having a physical each year. The doctor does a first physical exam and uses this as a comparison for future physicals. When something is different in a subsequent physical exam, then it must be investigated.

The same is true of an annual audit. The first audit is the baseline of your security efforts. With the baseline audit, you’ll be able to compare future audits with the baseline results. If there’s something different, then you’ll need to check it. It could be a vulnerability that needs to be fixed. Without the baseline audit, you have nothing to measure a security audit against. There’s also no way to measure the effectiveness of security changes and updates to the system.

If you need to have a baseline audit done, then it’s a good idea to bring on two auditors to conduct separate audits. While this may be expensive, you’ll have two audits to compare, and a baseline audit to use as a comparison for future audits.

Spell Out Your Objectives

When it comes to finding the right auditor, it’s a good idea to develop your audit objectives in advance. These may include:

a). Write down a list of all company assets (including data, computer equipment, and more)

b). Define the security perimeter: the things that will be included in the audit and those that will not

c). Define threats

d). Prioritise risks

e). Make a list of security improvements and best practices to eliminate threats

Now you have a list of objectives for the audit; these are the areas the auditor needs to focus on.

Choose Auditors with Audit Experience

Next, you’ll need to review the credentials of each auditor’s team. Don’t be fooled by a long list of certifications. Resumes are important, but they do not reflect an auditor’s knowledge, and they do not add up to technical expertise. Here it’s more important to focus on the auditor’s work experience. Do they have years of experience in the security field and with the technology needed to conduct a security audit?

What you’re looking for is an auditor (or a team) with real-world experience in security technology. This way they’ll have the ability to uncover even the most elusive and serious security issues. You might also ask to see any published work they’ve written, which is another way to judge whether the auditor has the experience and knowledge to conduct a proper security audit.

Another thing to be wary of is auditors who call themselves “ethical hackers.” Many of these people do not have the experience needed to conduct an in-depth security audit.

Instead, contact business connections and see if they can recommend some experienced security audit firms. In addition, ask each audit firm for a list of references to past clients, and then contact these firms and ask about their own experience with the audit firm.

Once you’ve created a list of auditing firms, ask them for details on how they conduct an audit, and make sure serious contenders provide you with a statement of work (SOW) that details how they will meet your objectives.

Prepare for the Audit

Now that you’ve found the right auditing firm, you’ll need to make sure they’re on board with your objectives and with the type of data they’ll have access to. This is where many companies and auditors have their first problem: everyone assumes the other side knows what data will be accessed during the audit. The auditor may have their own ideas on the subject, and your company may have its own view. Never assume that you and your auditor are on the same page about access to data. This is something that should be agreed between you and your auditor before the audit begins.

In addition, it’s necessary to keep the affected people and departments involved in the process. You’ll want to involve the department managers who will be affected by the audit, so that they won’t face sudden, unpleasant surprises in the course of it. For this reason, it’s a good idea to create some audit rules in advance:

1). Managers will need to determine any specifics to limit impact on their systems. They may specify the day and time when testing will be optimal for their processes.

2). Auditors will need an “indemnification statement” that gives them authorisation to conduct the audit. This should also be sent over to your ISP, so they aren’t alarmed by the large volume of port scans on their address space.

3). Auditors generally expect access to certain data and documentation to analyse your network. These may include:

  • Copies of all policies and procedures (may include password, virus scanning, and acceptable use policies for employees), privacy guarantees (to keep company users and client data secure), privileged access and incident handling.
  • Information about your network, and specification of target IP ranges
  • List of security devices (firewall, IDS)
  • List of software used on the network

4). Ensure the auditor has a plan, and that they provide you with the details.

5). When the audit is completed, you’ll have a chance to review the results and determine whether it was beneficial. The audit report should cover:

  • Threat sources (internal and/or external)
  • Probability of an attack on the network
  • Impact of the attack (should outline how much money the company could lose, whether this would affect the company’s reputation, and more)
  • Recommended actions to fix any problems
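As an added example (not code from the article), the Python script below shows one way to act on two points made on this page: comparing a new audit’s findings against the baseline audit described earlier, and prioritising the report’s findings by probability of attack times impact. The finding identifiers, assets, ratings and recommendations are constructed sample data, and the ordinal scoring scales are an assumption; real audit firms use their own rating schemes.

```python
"""Compare audit findings against a baseline audit and prioritise them.

Added illustration for the article; all findings below are constructed
sample data and the 1-4 rating scales are an assumed convention.
"""
from dataclasses import dataclass

# Ordinal scales for the report's "probability of an attack" and "impact".
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    finding_id: str       # stable id so the same issue can be matched across audits
    asset: str            # which asset from the asset inventory is affected
    source: str           # threat source: "internal" or "external"
    likelihood: str       # probability of an attack, key of LIKELIHOOD
    impact: str           # business impact, key of IMPACT
    recommendation: str   # the recommended action from the report

    def score(self) -> int:
        """Risk score = likelihood x impact (higher is more urgent)."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def compare_to_baseline(baseline, current):
    """Classify current findings relative to the baseline audit.

    Returns a dict with four lists: 'new' (not in the baseline), 'fixed'
    (in the baseline but gone now), 'worsened' (score went up) and
    'unchanged' (present in both with the same or a lower score).
    """
    base = {f.finding_id: f for f in baseline}
    cur = {f.finding_id: f for f in current}
    both = base.keys() & cur.keys()
    return {
        "new": sorted((cur[k] for k in cur.keys() - base.keys()), key=lambda f: f.finding_id),
        "fixed": sorted((base[k] for k in base.keys() - cur.keys()), key=lambda f: f.finding_id),
        "worsened": sorted((cur[k] for k in both if cur[k].score() > base[k].score()), key=lambda f: f.finding_id),
        "unchanged": sorted((cur[k] for k in both if cur[k].score() <= base[k].score()), key=lambda f: f.finding_id),
    }


def prioritise(findings):
    """Order findings by descending risk score; ties broken by id for stable reports."""
    return sorted(findings, key=lambda f: (-f.score(), f.finding_id))


def by_source(findings):
    """Count findings per threat source, as the report's 'threat sources' section would."""
    counts = {}
    for f in findings:
        counts[f.source] = counts.get(f.source, 0) + 1
    return counts


# Constructed sample data: last year's baseline audit ...
BASELINE = [
    Finding("F-001", "public web server", "external", "high", "high", "patch and restrict admin interface"),
    Finding("F-002", "file server", "internal", "medium", "medium", "remove world-writable shares"),
    Finding("F-003", "VPN gateway", "external", "low", "high", "enforce multi-factor authentication"),
]

# ... and this year's audit of the same network.
CURRENT = [
    Finding("F-001", "public web server", "external", "high", "high", "patch and restrict admin interface"),
    Finding("F-003", "VPN gateway", "external", "high", "high", "enforce multi-factor authentication"),
    Finding("F-004", "backup host", "internal", "low", "critical", "encrypt backups and rotate keys"),
]


if __name__ == "__main__":
    delta = compare_to_baseline(BASELINE, CURRENT)
    for label, items in delta.items():
        print(f"{label}: {[f.finding_id for f in items]}")
    print("priority order:", [(f.finding_id, f.score()) for f in prioritise(CURRENT)])
    print("threat sources:", by_source(CURRENT))
```

Running the script reports F-004 as new, F-002 as fixed, F-003 as worsened (its likelihood rose from low to high) and F-001 as unchanged, then lists the current findings in priority order. The point of keeping a stable finding identifier is exactly the baseline argument made earlier: without one, a second audit cannot tell a fixed issue from a renamed one.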

Summing It Up

Security audits aren’t fun, but a baseline audit is extremely beneficial, especially when you have subsequent security audits run on the company’s network. The audit provides essential information on the health of your network, and any vulnerabilities that could put your company in danger.

Our tips can help you conduct a security audit with confidence, knowing your network will be more secure as a result.