The purpose of an information security audit is to assess the current security posture of an organization. Doing so will give the auditors insights into how strong/weak the organization’s defenses are, and what can be done to improve them. Audits can be carried out on a one-time basis, ad-hock, or carried out regularly, depending on the situation.
What is an Internal Audit?
An internal audit is typically carried out by one or more members of the organization’s security team and is usually performed in order to satisfy the relevant regulatory compliance requirements.
What is an External Audit?
An external audit, on the other hand, is typically carried out by an independent auditor, on behalf of the organization’s business associates, outsourcing partners, and other relevant stakeholders. The external audit should produce a report which adheres to the reporting standards relevant to a specific industry and is not usually as detailed as an internal audit.
The internal audit should also produce a report outlining the current state of their information security strategy, including how effective it is, and a list of recommendations on how to improve it.
The main purpose of an external audit is to establish a general overview of the organization’s security posture and to see if the findings are in alignment with the security claims made by the organization being audited.
When Does an Audit Need to be Carried Out?
Organizations will need to carry out an audit in the following circumstances;
- When there is a change in the strategy of the organization;
- When significant structural changes are made to the organization;
- When there is a change of leadership, including data security officers, executives, etc.;
- In the case of a merger or acquisition;
- When the information security requirements change;
- Anytime significant IT infrastructure is introduced;
- To satisfy regulatory compliance requirements.
Components of an Information Security Audit
Most information security audits will consist of the following components;
- A review of the technical, administrative, and organizational documents of the organization;
- Interviews with regular employees, systems administrators, software developers, and other relevant personnel;
- An assessment of the knowledge/competency of the organization’s security personnel;
- A review of the physical security measures in place;
- An analysis of all hardware and software configuration;
- Penetration tests/mock phishing attacks.
Tips for Performing an Information Security Audit
In addition to the components listed above, in order to successfully carry out an information security audit you will need as much visibility as possible into what assets you are responsible for, and who has access to them.
While it is theoretically possible to obtain this information by scrutinizing the native server logs, this would not be the recommended approach as doing so would be a slow and painful task, not to mention prone to errors. A better approach would be to adopt a real-time auditing solution that will aggregate event data from multiple sources and display all important events via a single dashboard.
The dashboard will provide various sorting and searching options to help you quickly identify specific events, such as when sensitive data is accessed, moved, modified, or removed, and by who. At the click of a button, you can produce a report based on a pre-defined template, which can be presented to the relevant authorities or stakeholders.
Most sophisticated auditing solutions will come with tools that will scan your repositories (both local and remote), and discover and classify sensitive data as it is found. Knowing exactly what data you store and where it is located is the first step toward establishing an effective information security program.
Auditors will also need information about the security technologies installed, including any anti-virus solutions, firewalls, Data Loss Prevention (DLP), and SIEM solutions. They will want to see an inventory of all devices, including servers and workstations, and the physical security measures in place to keep them secure.
This includes things like locks, alarms, CCTV cameras, ID badges, and so on. They will want to know about the backup and recovery solutions in place, how and when patches/updates are installed, what applications are installed, the process for vetting third-party apps, and much more.
In short, the best way to prepare for an information security audit is to ensure that all assets, applications, and devices are accounted for, and closely monitored. And this knowledge will need to be demonstrated to the relevant parties.