No one relishes an audit. Outsiders poking around for the holes in your system? No thank you. But if you’re responsible for information security in your organization, you should want—even insist—upon thorough annual audits. In some cases, you may have no choice: for example, financial institutions are required to have external auditors certify compliance with regulations such as the Gramm-Leach-Bliley Act (GLBA); your own organization’s audit department may require it; or clients might insist on seeing the results of a security audit before they do business with you.
Whether required or “optional” (we use quotes, because in our opinion they are no longer optional for any enterprise), cybersecurity audits provide a key layer of assurance that organizations are properly safeguarding the data that has become increasingly essential to drive and transform virtually all of their business processes.
What is a cybersecurity audit?
The cybersecurity audit (also referred to as a network security audit) is a process where an organization’s managed service provider (MSP) or managed security service provider (MSSP) investigates the organization’s security policies as well as its assets on the network to identify deficiencies that put it at risk of a security breach.
Cybersecurity audits are important because they help you identify your biggest security risks so you can make changes that protect your company from those risks. There is no question that, in many cases, earlier and expanded input from auditors could have saved organizations that have suffered recent high-profile cyberattacks from sifting through the financial and reputational damage that ensued.
It’s important to note that the cybersecurity audit is never a “one-and-done” solution. The world of IT is constantly changing, and odds are, as your company continues to grow, you’re going to keep adding new hardware to existing offices or even installing whole new office locations. You’ll probably add new software to your business at some point, as well. Every time you add new hardware to your business, you create new security endpoints, potentially creating new security vulnerabilities; and new software programs—whether on individual devices or “the cloud” as an SaaS solution—can also introduce new vulnerabilities in your security.
How does a network security audit work?
While specific methodologies may vary from one MSP/MSSP to another, a cyberseucirty audit essentially subsists of first establishing a security baseline and then analyzing that baseline to identify gaps. The standard steps include:
Device & Platform Identification. Once a baseline has been established, the first step of an audit is to identify all of the assets on your network, as well as the operating systems they use. This is vital to ensure that any and all threats have been identified.
Security Policy Review. Here, the MSP/MSSP reviews all of your organization’s security policies and procedures to see whether they match up to the standards required to effectively protect your technology and information assets. For example, who has access to what, and do they really need that access?
Security Architecture Review. While the policy review assesses your documented policies, the architecture review analyzes the actual controls and technologies that are in place. This builds off of the device & platform identification process to give you an in-depth analysis of your cybersecurity measures.
Risk Assessment. Here, the MSP/MSSP assesses your systems (process, application, and function), identifies threats, and analyzes the control environment to determine what your risks are and their potential impact. This information is then used to prioritize solutions from the biggest threat that is easiest to remedy to the smallest threat that is the hardest to fix.
Firewall Configuration Review. A specific security technology to review in depth is your network’s firewall. The MSP/MSSP should review your firewall’s topology, rule-base analyses, management procedures, remote access policies, and configuration.
Penetration Testing. “Pen tests” serve as a stress test for your network’s security architecture, where testers try to “break” your security architecture so they can find and fix any previously-undiscovered issues.
After the audit is complete, you should receive a report detailing the findings of the audit. This final step is especially important, because it is your opportunity to understand the risks your company is facing and prioritize the most critical fixes.
Where should I start?
Before interviewing MSP’s and MSSP’s, it’s important to define your objectives and consider what kind of firm will be the right fit. Once you’ve completed the interview process and settled on an auditor, you must prepare on your end for the process. For example, auditors must make certain assumptions when bidding on a project, such as having access to certain data or staff. But once the auditor is on board, don’t assume anything—everything should be spelled out in writing, such as receiving copies of policies or system configuration data. These assumptions should be agreed upon by both sides and include input from business units whose systems will be audited. Nobody likes surprises, so be sure to involve the business and IT unit managers of the audited systems early on. This will smooth the process and identify potential red flags before they become issues.
You might still be thinking, “I’ve got the situation under control. This is an expense I can avoid.” But nothing could be worse than gaps in your organization catch you by surprise in the form of a data breach—if you haven’t conducted a security audit, now is the time! Still not sure where to begin? Contact one of our experts to get started today.