Just as a doctor can’t treat a patient without a full understanding of the symptoms, you can’t improve your cybersecurity without a full understanding of your own IT systems. That’s right, it’s time to talk about audits.
At the CTRL Center Reference Desk, we cover the whole universe of cybersecurity, from who might be after your data (threats) to how an attack might take place (vulnerabilities) and what you might put in place to thwart such an attack (controls). But in order to shore up your vulnerabilities and improve your controls, you need to know where you stand. In other words, what precisely are you protecting and how? Are you compliant with regulations and best-practices? What controls should you add and what, if anything, should you take away?
Despite all our decades in IT, we at TMG never stop being surprised at how little many executives actually know about what goes on in their networks. It is a big problem and one that can only be fixed with a comprehensive cybersecurity audit. A cybersecurity audit will assess an organization’s security posture, identify weaknesses, and recommend actions to mitigate risks.
If that sounds scary and like a big job . . . I’m afraid you’re right. It can be. Let’s roll up our sleeves and look at it step by step. (Note: the following assumes that this is your first cybersecurity audit. If you are already engaged in audits, not every point here may apply to you.)
What is a Cybersecurity Audit?
A cybersecurity audit is an investigation into the an organization’s security methods. An audit is critical to prevent cyber incidents from happening.
Cybersecurity Audit Checklist
First, identify what hardware, software, and systems need to be audited. If this is your first time, the answer is everything. And yes, that includes all the “shadow IT” in your organization, such as employees’ personal laptops and phones.
What infrastructure do you have in place? What hardware? What operating systems? When were the last updates completed? What are security and privacy policies do you currently have in place? You may find that different departments hold different pieces of this puzzle; you need to gather all this information in one place as part of your audit process.
What are the technical vulnerabilities of your systems? Have they been patched? Some vulnerabilities can’t be known until a hacker exploits them, but there are plenty we already know about (and more being found all the time.
4. Security Controls.
Controls include things like firewalls, antivirus programs, and data-loss prevention systems. Which of controls is your IT department currently employing? And when we say, “which ones” we’re not asking in a general sense. Make sure you know out which type of firewall, what software, what version, what vendor, etcetera.
What incident response plans do you have in place? Who is in charge of executing them and how do they work? Have they been effective so far? What about disaster recovery, has that been considered?
6. Report and Analyze.
Collect the findings of your audit into a report that can be reviewed by all stakeholders. Keep in mind that the point of this exercise is to uncover both strengths and weaknesses of your systems: it is not to apportion blame. If this is your first thorough audit, you almost definitely are going to find out some things you don’t like. Just get the information and dispassionately resolve to do better going forward.
All those great ideas in your report? Make sure they actually happen. Work with your IT department and the rest of your organization to implement the new controls and policies.
8. Follow-up and Follow-Through.
Make a plan to re-audit all of these systems and make sure that all those great ideas are working as intended. Attackers are constantly updating and evolving their strategies—you need to do the same.
If you learn one thing from the Reference Desk, we hope it’s that good cybersecurity is never one-and-done. It’s more like a habit. To us at TMG, it’s a way of life.