It’s the rare IT professional who rates a security audit as among his or her favorite tasks. But while conducting an audit is nobody’s idea of a great time, best practices dictate that audits be carried out at least annually. It’s necessary to take stock of security as it pertains to assets, risks, and information, especially in the context of how current security policy is actually implemented.
In fact, a good security audit is an exhaustive inspection and analysis of how security is actually implemented compared to stated policy. That’s why establishing and maintaining a formal security policy is the first and most important tip for conducting an accurate and effective audit.
Your security policy is a set of guidelines and principles for how security is to be applied in practice. It spells out everything from acceptable use policies to penalties and consequences for failures to observe or maintain security, to rules that govern roles, access controls, confidentiality, physical and technical security, and a great deal more.
With your policy in hand, try these other tips for effective security audits.
Take inventory of all information assets and assess the risk of each. Unless your organization knows what it needs to protect, it can’t formulate or implement good security policies. And unless your organization understands what its assets are worth, it can’t know how far to go – and how much to spend – to protect those assets.
Conducting a thorough, up-to-date asset inventory, estimating the value of each asset, and then understanding the risks to those assets and to the business are all essential to establishing and maintaining proper security. This is as much a business exercise as it is a technical exercise, and it must involve executives, key stakeholders, and managers as well as security professionals.
Perform a penetration test. Part of checking security involves attempting to breach current security controls and configurations to see if they can be bypassed, subverted, exploited, or otherwise circumvented. This is an exercise that demands special skills and knowledge and is best left to professionals who specialize in attempting and documenting break-in efforts.
In-house staff may have blind spots that prevent them from trying all the possible cracks, gaps, and holes in security. They may also not have the time to master all of the exploits, vulnerabilities, and social engineering tactics that dedicated and energetic hackers will bring to bear on the organization’s perimeter, systems, and data. A thorough penetration test should be a key part of any security audit.
Understand and remediate all security gaps. Any security audit is bound to turn up issues. It could be something as simple and straightforward as formulating and enforcing a new password policy, or requiring all employees to use two-factor authentication for access to sensitive resources. Or, it could mean replacing a hodgepodge of end-user security tools – antivirus, personal firewall, password manager, antispyware, and so forth – with a comprehensive new endpoint management system.
Whatever your security audit reveals to be in need of fixing, repair, or replacement should be addressed in light of your prevailing security policy. Sometimes, the policy itself and its implementation must change. It’s essential to make all such changes as quickly and thoroughly as possible, and then to spot-check (i.e., re-audit) your work.
Document EVERYTHING. Every step along the audit trail should be subject to extensive documentation. This is especially important when documenting results of penetration testing, policy analysis, or current controls that are shown to be in need of remediation. The goals for remediation should be clearly stated, and the steps toward remediation carefully documented as they are put into place.
This is as important for change and process control (so that changes with unexpected or unwanted side effects can be easily reversed or altered) as it is for maintaining a current snapshot of the security infrastructure and how it implements current security policy.
Above all, executives, stakeholders and managers must understand and appreciate what security professionals already know – namely, that security is an ongoing process. It’s not something that ever really gets done. It must be tracked, checked, evaluated and updated when and as circumstances dictate. For a more detailed conversation, get in touch.