Technology has become so fast-paced these days that information systems have become vulnerable to hackers. We hear news of hacking every now and then. If you are an IT person or a member of a company's IT team, you do not want to be in the middle of such a mess. A security breach is such a serious issue that an IT security audit should always be in order to prevent it. Hiring external auditors is of course highly recommended, but internally you should also be auditing your IT in a timely manner.
Here is a rundown of what must be done for an effective IT security audit and a brief explanation for each:
1. Define the scope of audit.
Defining the audit scope includes creating an asset list and defining the security perimeter. You need the master list of assets in order to ascertain which ones need protection through the audit. The security perimeter, on the other hand, defines the conceptual and physical boundaries on which your audit will focus. Assets may include computers, laptops, routers and other networking equipment, company phones, cameras, or email.
2. Create a “threats list”.
There are a lot of threats out there, but you can start listing threats based on the assets defined in the scope of the audit. The following areas can get you started on your threats list:
– Computer and network passwords: check if the passwords used are strong.
– Physical assets: who has access to the company’s computers and laptops.
– Logging of data access
– Data backups
– Long-distance calling
– Access to clients list
3. Review IT history and predict the future.
Examining your threat history helps you understand what the company’s IT future might hold. Some threats are no longer current, but knowing what they were will prepare you for whatever may come in the future.
4. Prioritize assets and vulnerabilities.
The threat level may not be the same across all assets. Be clear on which asset needs to be prioritized first and address its vulnerabilities.
5. Implement network access controls.
Network access controls, or NACs, address the challenge of having not only employees as users but also customers, business partners, contractors, and even guests. Avoid the threat of unauthorized people accessing your network, for instance by requiring case-sensitive passwords.
6. Implement intrusion prevention.
This is to prevent hackers from launching malicious attacks on your system. A firewall is a form of intrusion prevention system, and it is either content-based or rate-based.
7. Implement identity and access management.
Do this by controlling and limiting access to certain assets. Users must be authenticated first before they are able to see information that is restricted.
8. Create backups.
Hacking is not the only risk IT faces. Loss of data comes a close second and must also be addressed. Do so by creating backups regularly on both onsite and offsite storage systems. Scheduling backup activities is highly recommended to avoid work disruption. Make sure that access to these backups is secured.
9. Protect and filter emails.
The amount of spam sent daily is unbelievably high, and so the security risk is also high. There must be spam filters in place, in addition to educating all company users about the dangers of spam emails. Protect and filter your email system by encrypting it and by reminding users not to open unexpected attachments or unusual emails.
10. Prevent physical intrusions.
Security attacks, although better known in the form of hacking a system, can also take the physical form of intrusion. Persons may break into offices and steal IT equipment holding valuable data. Prevent this by installing a detection device such as CCTV and by encrypting hard drives.
Security and audit are two of the most important aspects of information technology. Business losses have primarily occurred because of data and security breaches, and in-house IT infrastructure requires consistent auditing by a third party. Outsourcing these processes will not only ensure your IT support gets the checks and balances it needs; you will also be abiding by globally accepted IT and audit standards, from hardware to software and even operating policies and procedures.