What is an IT security audit?

An information technology security audit is an assessment of the security of your IT systems. It covers the entire IT infrastructure including personal computers, servers, network routers, switches, etc.

There are two types of information technology security audits - automated and manual audits. Automated audits are done using monitoring software that generates audit reports for changes made to files and system settings. Manual audits are done using an IT audit checklist that covers the technical as well as physical and administrative security controls.

This blog post is focused on manual IT security audits.

Why do you need to conduct IT security audits?

The frequency and sophistication of cyber attacks on small and medium businesses are increasing. As per the 2019 Data Breach Investigations Report by Verizon, 43% of the breaches analyzed involved small-business victims. To set up a strong defense against cyber threats, you must be aware of not just the threats but also the state of your IT security and its vulnerabilities.

A security audit is not a one-time project; the checklist it produces is a living document. Advances in technology and changes in your business model introduce new vulnerabilities into your information technology systems, and those changes never stop. So, to stay effective, your IT security has to evolve continuously as well. We explain how to use this checklist for a successful IT security audit towards the end of this blog.

For now, here are the steps for a successful IT Security Audit:

  1. Assess your current IT security state

  2. Identify vulnerabilities and prioritize improvement opportunities

  3. Describe the target state for your IT security

  4. Assess your progress towards your desired IT security state.

Let’s begin by assessing the state of your IT security controls...

1. Physical Security

When we talk about IT security, physical security doesn’t readily come to mind. We generally tend to think about software, virtual infrastructure, and the Internet. But physical security is just as important. A simple physical access restriction can mitigate a number of IT security risks.

Your audit checklist must include the following:

  • Do you have policies to restrict physical access to servers or electronic information systems?

  • Do you have controls such as door locks, access control systems, video monitoring, etc.?

  • Is access to your office controlled either via security or reception desk, sign-in log, access badges, or similar?

  • Do you escort visitors in and out of controlled areas?

  • Are your computers and other systems physically secured?

  • Do you use a physical lock and cable to secure laptops?

2. Administrative Security Controls

It is incredible, and at the same time scary, what can be done with a tiny USB storage device and a high-speed internet connection. Within minutes your files can be copied, your systems corrupted, or your network compromised. Therefore, you must maintain strong administrative security controls. Background checks on all employees and contractors must also be mandatory before they are given access to your systems.

As you review and update your IT policies, you must also educate your employees about them. Human error is a big challenge for IT security. Regular discussions on IT security threats and preventive measures, along with phishing drills, go a long way in reducing human error. Many phishing and malware attacks fail when employees recognize them, know your policies, and follow the security protocol for reporting them.


2.1 Personnel Security

  • Do your employees wear an ID badge with a current photo?

  • Do you conduct background checks for employees and contractors?

2.2 Account Management

  • Do you create a unique user account and username for each individual?

  • Are all user accounts and their privileges documented and approved by an authorized individual?

  • Are admin accounts used only for performing admin tasks?

  • Are user accounts, especially those with admin privileges, removed when no longer required?

  • Do you use only one approved remote access method?

  • Do you give remote access only to authorized users?

  • Do you give unique credentials to each remote user instead of using a common account?

  • Are administrative privileges restricted to your IT team?

  • Is system access limited based on roles and needs?

  • Do you use Identity and Access Management solutions?
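
To show what the Account Management review looks like in practice, here is an added example (not code from the original post or from Jones IT) that walks a constructed user-account export and flags the accounts the questions above are meant to catch: shared or generic accounts that should get unique credentials, accounts whose owner has left, and admin accounts that have gone unused. The account records, the 90-day dormancy threshold, and the set of generic usernames are assumptions made for the illustration.

```python
"""Account review for the Account Management checklist.

Added example, not code from the original post or from Jones IT. It walks a
user-account export and flags what the checklist asks about: shared accounts,
accounts whose owner has left, and privileged accounts that have not been used
recently. The records, the 90-day threshold, and the generic usernames below
are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DORMANT_AFTER = timedelta(days=90)   # assumed threshold for an unused admin account
# Assumed usernames that indicate a shared rather than an individual account.
GENERIC_NAMES = {"admin", "administrator", "shared", "remote", "vpn", "guest"}


@dataclass(frozen=True)
class Account:
    username: str
    owner: Optional[str]        # None when the account is not tied to one person
    is_admin: bool
    enabled: bool
    last_login: Optional[date]  # None if the account has never logged in
    owner_active: bool          # False once HR marks the owner as departed


def review_accounts(accounts, today):
    """Return (username, reason) pairs for every enabled account the audit should act on."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled; nothing to do
        if acct.owner is None or acct.username.lower() in GENERIC_NAMES:
            findings.append((acct.username, "shared or generic account; issue unique credentials"))
        if acct.owner is not None and not acct.owner_active:
            findings.append((acct.username, "owner has left; remove account"))
        unused = acct.last_login is None or today - acct.last_login > DORMANT_AFTER
        if acct.is_admin and unused:
            findings.append((acct.username, "admin account unused for over 90 days; remove or downgrade"))
    return findings


# Constructed sample export: one clean account, one departed owner, one shared
# account, one dormant admin, and one account that is already disabled.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", "Alice Example", True, True, date(2024, 5, 30), True),
    Account("bob", "Bob Example", False, True, date(2024, 1, 10), False),
    Account("vpn", None, False, True, date(2024, 5, 31), True),
    Account("carol-adm", "Carol Example", True, True, date(2024, 1, 15), True),
    Account("dave", "Dave Example", True, False, None, False),
]


def review_report():
    """Run the review over the constructed sample export."""
    return review_accounts(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for username, reason in review_report():
        print(f"{username:<10} {reason}")
```

Run against a real export, the three reasons map directly onto checklist answers: any "shared or generic" hit means the unique-credentials question is a "No", and any "owner has left" hit means the removal question is a "No".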

2.3 IT and Security Policy


3. Technical Security Controls

With the adoption of every new technology, the complexity, and with it the number of vulnerabilities, increases. You have to think of not just your IT infrastructure, but also the cloud, SaaS platforms, network devices, etc., and their complex interplay. Therefore, it is advisable to hire professionals to help with setting up your IT security. Even if you have in-house IT staff, they may not have had enough exposure to new devices and their security features. External help is also useful for conducting penetration tests and phishing simulations.

If you would like to get a comprehensive picture of your entire IT infrastructure, check our previous blog: The Ultimate IT Checklist For Small Businesses

3.1 IT Infrastructure Security

  • Do you purchase your equipment only from authorized resellers?

  • Do you download firmware, updates, patches, and upgrades only from validated sources?

  • Do all purchased devices have operating systems that are standardized and approved by IT?

  • Are antivirus and malware protection installed on all computers and mobile devices?

  • Do you use standard configuration for each type of device?

  • Have you implemented server security best practices?

  • Do you maintain a list of all your hardware including the device name, type, location, serial number, service tag, etc.?

  • Do you have the latest drivers installed on all your devices?

3.2 Software Security Management

  • Do you maintain a whitelist of applications that are allowed to be installed on computers and mobile devices?

  • Do you use an MDM (mobile device management) for securing your mobile devices, operating systems, and applications?

  • Do you keep auto-update on for your OS, applications, and antivirus?

  • Is the ability to change system configuration limited to designated power users?

  • Do you install software only from a trusted source?

  • Do you maintain a list of software installed and the corresponding license?

  • Do you maintain an inventory of the accounts (service, username, and owner) used for online services, with the passwords themselves kept only in a password manager rather than in the list?

  • Do you run scheduled virus scans for all users and systems?

  • Do you have spam filters in place for all users?

3.3 Cloud Security

3.4 Cybersecurity

  • Do you use a password manager?

  • Do you use only legitimate software, applications, and browser extensions from trusted sources?

  • Are devices automatically locked when left unattended?

  • Is the use of USBs and external hard drives from unfamiliar sources restricted?

  • Do you have daily scheduled backups for all critical files and data?

  • Do you have a disaster recovery and business continuity plan?

  • Do you have an acceptable use policy covering the use of computers, mobile devices, and other IT resources as well as Social Media tools?

  • Do you regularly review permissions to access shared folders, systems, and applications and remove people who no longer need access?

  • Do you have a standard procedure for isolating infected machines and for cleaning them?

  • Do you regularly conduct phishing audits and penetration tests?

  • Do you maintain an FAQ on company IT and Security policies?

  • Are you able to remotely wipe mobile devices if lost or stolen?

4. Network Security

The network infrastructure of small businesses is a common target for cyber attackers. This is because network devices such as routers, switches, firewalls, etc. are generally not maintained at the same security level as your desktops and mobile devices. There are a lot of boxes to tick to make your network secure. We have talked about Network Security at length in our blog: The Ultimate Network Security Checklist.

4.1 Firewall Management

  • Do you have a firewall in place to protect your internal network against unauthorized access?

  • Do you have a strong password for your firewall device that is different from the default one?

  • Is “Deny All” your default posture on all access lists, inbound and outbound?

  • Is every rule on your firewall documented and approved by an authorized individual?

  • Is every alert promptly logged and investigated?

  • Do you use only secure routing protocols, which use authentication?

  • Do you promptly disable any permissive firewall rules that are no longer required?

4.2 Network Devices Security

  • Do you ensure that all wireless devices on your network use WPA2 (Wi-Fi Protected Access II), or WPA3 where supported?

  • Are switch ports that are not assigned to specific devices promptly disabled?

  • Do you use physical or virtual separation to isolate critical devices onto network segments?

  • Are all unnecessary services on routers and switches turned off?

4.3 Software Patch Management

  • Do you use only licensed and supported software?

  • Are software updates and security patches installed as soon as they are available?

  • Is unsupported software removed from devices that are capable of connecting to the internet?

  • Do you use a patch management solution?

4.4 Malware Protection

  • Is your anti-malware software kept on auto-update?

  • Is your anti-malware software configured to scan files and web pages automatically and block malicious content?

  • Is your anti-malware software configured to perform regular scans?


How to Conduct an IT Security Audit?

Let’s revisit the steps for conducting a security audit.

  1. Assess your current IT security state

  2. Identify vulnerabilities and prioritize improvement opportunities

  3. Describe the target state for your IT security

  4. Assess your progress towards your desired IT security state.

STEP 1

The first step of the IT Security Audit is to complete the checklist as described above. You can use the spreadsheet provided at the end of this blog to complete step 1.

Step 2

After completing the checklist, you will have an accurate assessment of your current IT security state. Each “No” answer is a control gap that leaves you exposed to a threat. Now you need to take this list of gaps and prioritize them. You can do so by calculating the risk each one poses to your business. Risk is a combination of the impact a threat can have on your business and the likelihood of that threat actually occurring.

Risk = Impact x Likelihood


You can attach numeric values ranging from 0 for “no impact” to 5 for “very high impact”. Similarly, you can use 0 for “not likely to occur” to 5 for “very likely to occur”.


For example, let’s say your answer to “Are antivirus and malware protection installed on all computers and mobile devices?” is no.

The impact of a virus or malware-infected device on your business is medium, so say 3.


And, the likelihood of such an infection occurring is high, so say 4.


So your risk score for this threat is 3 x 4 = 12.

Now you can objectively prioritize the threats based on their risk score. Refer to the spreadsheet linked at the end for a better understanding of the “Impact” and “Likelihood” scores.

Step 3

Now that you know where your security stands, you need to define the state you want your security to be in. If you are not sure about target security levels, look into the following for reference:

  • Current best practices and trends in your industry

  • Regulatory and compliance requirements

  • Current IT security best practices and trends

Step 4

Now you have your baseline, i.e. your current security state, as well as your target security state. By regularly conducting security audits using this checklist, you can monitor your progress toward your target. Also, it is important to review the checklist whenever you adopt new technologies or update your business processes.
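
Steps 1 to 4 can be automated in a few dozen lines. The following is an added example, not code from the original post, from Jones IT, or from the spreadsheet it links: it reads a completed checklist as CSV (Step 1), scores each “No” answer with Risk = Impact x Likelihood on the 0 to 5 scales above and ranks the gaps (Step 2), and compares the result with the previous audit's answers to report what was closed, what is still open, and what is new (Step 4). The checklist rows, their scores, the previous-audit answers, and the high/medium/low thresholds are constructed assumptions, not values from the post.

```python
"""Risk scoring and progress tracking for the IT security audit checklist.

Added example, not code from the original post or from Jones IT. Implements
the post's Step 2 formula (Risk = Impact x Likelihood, each scored 0-5) and
Step 4 (comparing a new audit with the previous baseline). The checklist rows,
scores, earlier-audit answers, and risk-level thresholds are constructed.
"""
import csv
import io
from dataclasses import dataclass

SCALE_MIN, SCALE_MAX = 0, 5  # 0 = no impact / not likely ... 5 = very high / very likely

# Assumed bucketing of the 0-25 score range; adjust to your own risk appetite.
RISK_LEVELS = ((15, "high"), (6, "medium"), (0, "low"))


@dataclass(frozen=True)
class Finding:
    control: str     # the checklist question
    answer: str      # "Yes" = control in place, "No" = control gap
    impact: int      # 0-5
    likelihood: int  # 0-5

    @property
    def risk(self) -> int:
        return self.impact * self.likelihood

    @property
    def level(self) -> str:
        return next(label for threshold, label in RISK_LEVELS if self.risk >= threshold)


def parse_checklist(csv_text: str) -> list[Finding]:
    """Step 1: read the completed checklist and validate every row's answer and scores."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        answer = row["answer"].strip().capitalize()
        if answer not in ("Yes", "No"):
            raise ValueError(f"{row['control']!r}: answer must be Yes or No")
        impact, likelihood = int(row["impact"]), int(row["likelihood"])
        for name, value in (("impact", impact), ("likelihood", likelihood)):
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{row['control']!r}: {name} {value} is outside {SCALE_MIN}-{SCALE_MAX}")
        findings.append(Finding(row["control"].strip(), answer, impact, likelihood))
    return findings


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Step 2: every 'No' is a control gap; rank gaps by risk, ties broken by impact."""
    gaps = [f for f in findings if f.answer == "No"]
    return sorted(gaps, key=lambda f: (-f.risk, -f.impact, f.control))


def progress(previous: dict[str, str], current: list[Finding]) -> dict[str, list[str]]:
    """Step 4: compare this audit's answers with the baseline answers of the previous one."""
    report = {"closed": [], "still_open": [], "new_gaps": []}
    for f in current:
        before = previous.get(f.control)
        if f.answer == "No":
            report["still_open" if before == "No" else "new_gaps"].append(f.control)
        elif before == "No":
            report["closed"].append(f.control)
    return report


# Constructed sample: a completed checklist with 0-5 impact and likelihood scores.
SAMPLE_CHECKLIST = """control,answer,impact,likelihood
Are antivirus and malware protection installed on all computers and mobile devices?,No,3,4
Is Deny All your default posture on all firewall access lists?,No,5,3
Do you have daily scheduled backups for all critical files and data?,No,5,2
Are user accounts removed when no longer required?,No,4,3
Do your employees wear an ID badge with a current photo?,No,1,3
Do you use a password manager?,Yes,4,3
"""

# Constructed sample: answers recorded in the previous audit (the baseline).
PREVIOUS_AUDIT = {
    "Are antivirus and malware protection installed on all computers and mobile devices?": "No",
    "Do you use a password manager?": "No",
    "Are user accounts removed when no longer required?": "Yes",
    "Do your employees wear an ID badge with a current photo?": "No",
}


def audit_report(csv_text: str = SAMPLE_CHECKLIST, previous: dict[str, str] = PREVIOUS_AUDIT):
    """Return (ranked gaps, progress report) for one audit round."""
    findings = parse_checklist(csv_text)
    return prioritize(findings), progress(previous, findings)


if __name__ == "__main__":
    ranked, delta = audit_report()
    for f in ranked:
        print(f"{f.risk:>2} {f.level:<6} {f.control}")
    print(delta)
```

Two ranking details are worth keeping when you adapt this: scores outside 0 to 5 are rejected rather than silently clamped, so a typo in the spreadsheet cannot quietly promote or bury a gap, and equal risk scores are broken by impact, so a 4 x 3 gap ranks above a 3 x 4 gap even though both score 12.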

There you have it! That’s the complete process for an IT security audit. Remember that an audit is an iterative process and needs continuous review and improvement. By following these steps, you can build a reliable process for keeping your business consistently secure.

You can download the IT Security Audit Checklist as a spreadsheet here: IT Security Audit Checklist For SMBs



About The Author


Hari Subedi

Marketing Manager at Jones IT

Hari is an online marketing professional with a focus on content marketing. He writes on topics related to IT, Security, Small Business, and Mindfulness. He is also the founder and managing director of Girivar Kft., a business services company located in Budapest, Hungary.
