Sharp Solutions provides an IT Security Audit designed to assess the security risks facing your business and the controls or countermeasures you can adopt to mitigate those risks. The IT Security Audit is typically a human process, performed as a team with technical and business knowledge of the company’s information technology assets and business processes. As part of any audit, our team will interview your key personnel, conduct vulnerability assessments, catalog existing security policies and controls, and examine IT assets covered by the scope of the audit. In most cases, our team relies heavily on technology tools to perform the audit.
Our IT Security Audit will not only assess compliance, but also assess the nature and quality of the policies and controls themselves. In many cases, security policies become obsolete quickly as new technologies are released or processes are overhauled. A periodic security audit is an effective way to determine whether those policies are still valid.
Many businesses have an easy time defining the physical security perimeter that encloses the audit. It is relatively easy for our audit team to limit an audit to a physical location (like a data center) or logical grouping of assets (all production storage devices).
What is more difficult, and frankly more valuable, is scoping the audit around security processes or areas. To do this effectively, it is imperative that your business prioritize security processes by the amount of risk they pose to the organization. For example, the process of business continuity may pose a minimal security risk to the business, whereas the process of identity management poses a severe risk. Under this sample scenario, the identity management process would be included in the audit, while business continuity would not.
Typically, the majority of an organization's security risk is concentrated in these four key process areas:
- Network access controls - This process checks the security posture of a user or system that is attempting to connect to the network. It is the first security process that any user or system encounters when trying to reach any IT asset within the business's network. Network access controls should also track the security posture of users and systems that are already connected. In some cases, this process will also correct or mitigate risk based on detected threats and on user or system profiles or identities.
- Intrusion prevention - As a process, intrusion prevention covers much more than traditional intrusion detection. It is more closely in line with access control, since it is the first security layer that blocks users and systems from exploiting known vulnerabilities. This process should also enforce policies and controls that limit the scope of an attack across the network. Intrusion detection systems are an obvious, nonnegotiable component of this process, but so are other technologies such as firewalls.
- Identity and access management - This process controls who can access what, and when. Authentication and authorization are the usual pillars of this process, but robust policy management and policy storage are also critical components.
- Vulnerability management - The vulnerability management process maintains baseline security configurations across the full range of asset classes. It also identifies and mitigates risks by performing root cause analysis and taking corrective measures against specific findings.
Enterprise IT Security Assessment
Security audits are typically conducted for the purposes of business information security, risk management and regulatory compliance. If performed correctly, a security audit can reveal weaknesses in technologies, practices, employees and other key areas. The process can also help companies save money by finding more efficient ways to protect IT hardware and software, and by giving businesses a better handle on how security technologies and processes are applied and used. As bothersome as security audits are, business owners, executives and IT managers who truly understand them realize that periodic examinations help ensure that security strategies stay in sync with overall business activities and goals.
Audit Practices and Activities
There is no standard security-audit process, but auditors typically accomplish their job through personal interviews, vulnerability scans, examination of OS and security-application settings, and network analyses, as well as by studying historical data such as event logs. Auditors also focus on the business's security policies to determine what they cover, how they are used and whether they are effective against ongoing and future threats.
CAATs (Computer-Assisted Audit Techniques) are often employed to help auditors gain insight into a business's IT infrastructure in order to spot potential security weaknesses. CAATs use system-generated audit reports, as well as monitoring technology, to detect and report changes to a system's files and settings. CAATs can be used with desktop computers, servers, mainframe computers, network routers and switches, and an array of other systems and devices.
While CAATs can provide definitive data on business systems, auditors must also keep an eye on activities and practices that are not easily quantifiable. Some of the key questions that an auditor must ask include:
- Who is in charge of security, and who does this person report to?
- Have ACLs (Access Control Lists) been placed on network devices to control who has access to shared data?
- How are passwords created and managed?
- Are there audit logs to record who accesses data?
- Who reviews the audit logs, and how often are they examined?
- Are the security settings for OSes and applications in accordance with accepted industry security practices?
- Have unnecessary applications and services been purged from systems? How often does this task take place?
- Are all OSes and applications updated to current levels?
- How is backup media stored? Who has access to it? Is it up-to-date?
- How is email security addressed?
- How is Web security addressed?
- How is wireless security addressed?
- Are remote workers covered by security policies?
- Is a disaster recovery plan in place? Has the plan ever been rehearsed?
- Have custom applications been tested for security flaws?
- How are configuration and code changes documented? How often are these records reviewed?
Many other questions pertaining to the exact nature of the business's operations also must be addressed.
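The CAAT paragraph above describes tooling that detects and reports changes to a system's files and settings, and the checklist asks whether OS and application settings match accepted practice. The following is an added example (not code from Sharp Solutions or from the original page) of the minimal version of such a check: it records a baseline of file hashes and key/value configuration settings, reports drift against that baseline, and flags settings that violate an expected-value policy. The file names, the sshd-style setting names and the policy values are constructed for illustration only.

```python
# Added example (not part of the original page): a minimal CAAT-style check that
# records a baseline of file hashes and configuration settings, then reports
# drift against it and violations of an expected-settings policy. File names,
# setting names and policy values below are constructed for illustration.
import hashlib
import os
import tempfile


def sha256_of_file(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_kv_config(text):
    """Parse 'Key value' lines; comment and blank lines are skipped.
    A repeated key is overwritten by its later occurrence in this parser."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def take_snapshot(root, config_file):
    """Hash every regular file under `root` and parse settings from `config_file`."""
    hashes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            hashes[os.path.relpath(full, root)] = sha256_of_file(full)
    with open(os.path.join(root, config_file), encoding="utf-8") as fh:
        settings = parse_kv_config(fh.read())
    return {"files": hashes, "settings": settings}


def diff_snapshots(baseline, current):
    """Report files added, removed or modified, and settings whose value changed."""
    b_files, c_files = baseline["files"], current["files"]
    report = {
        "added": sorted(set(c_files) - set(b_files)),
        "removed": sorted(set(b_files) - set(c_files)),
        "modified": sorted(p for p in set(b_files) & set(c_files)
                           if b_files[p] != c_files[p]),
        "settings_changed": {},
    }
    for key in set(baseline["settings"]) | set(current["settings"]):
        old, new = baseline["settings"].get(key), current["settings"].get(key)
        if old != new:
            report["settings_changed"][key] = (old, new)
    return report


def policy_violations(settings, policy):
    """Return settings that are missing or differ from the expected hardened value."""
    return {key: settings.get(key)
            for key, expected in policy.items() if settings.get(key) != expected}


def demo():
    """Constructed scenario: record a baseline, simulate drift, return both reports."""
    policy = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}  # constructed
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(text)

        write("sshd_config", "# constructed\nPermitRootLogin no\nPasswordAuthentication no\n")
        write("app.conf", "debug=false\n")
        write("cron.daily", "run-backup\n")
        baseline = take_snapshot(root, "sshd_config")

        # Simulated drift: a setting weakened, a file edited, one removed, one added.
        write("sshd_config", "# constructed\nPermitRootLogin yes\nPasswordAuthentication no\n")
        write("app.conf", "debug=true\n")
        os.remove(os.path.join(root, "cron.daily"))
        write("authorized_keys", "ssh-ed25519 constructed-key-material\n")
        current = take_snapshot(root, "sshd_config")

    drift = diff_snapshots(baseline, current)
    violations = policy_violations(current["settings"], policy)
    return drift, violations


if __name__ == "__main__":
    drift, violations = demo()
    print("drift:", drift)
    print("policy violations:", violations)
```

The drift report answers the "what changed since the last review" question an auditor asks of configuration and code records, while the policy check answers the separate question of whether the current settings match accepted practice; a system can pass one and fail the other, which is why both are reported.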
Auditors
An auditor's skills and affiliations depend on the nature of the audit and the audited company's business focus. An internal audit will usually draw auditors from within the business's own IT and accounting departments. Alternatively, a company may hire a security consultant to handle the job. A financial institution or other business working in a regulated industry will often find itself dealing with federal and state regulators. Auditors may also be sent to a business by private standards-setting bodies and other industry organizations.
Aftermath and Follow-Up
Shortly after the audit concludes, the auditors will usually brief a company's owners, executives and managers on what they've discovered and if any immediate remedial action is necessary. A few days or weeks later, the auditors usually issue a formal report. Stakeholders can use both the meeting and the report as opportunities to gain insight into their security practices and make improvements.
While a security audit is usually a specific event, IT security is an ongoing process. As a business designs, deploys and maintains its security policies, technologies and practices, it should strive to maintain a constant state of preparedness that will allow it to pass a security audit at any given moment.