What is an Information Security Audit?
Information security is crucial for all organisations. It revolves around protecting the information your organisation stores and processes through good practices, and ensuring information systems run smoothly and effectively.
Maintaining good network security depends on regular risk assessments and audits. Audits are objective examinations and evaluations of an organisation's security practices. They are an opportunity to assess your information security risks and address vulnerabilities before they cause a breach. In an audit, you appraise your organisation's policies and procedures and monitor organisation-wide compliance with them. The purpose of performing an audit is to continually monitor the strength of your information security practices, allowing you to modify organisational policies and identify weaknesses that require addressing.
The Audit Process and Who Conducts It
Before conducting an information security audit it is important to plan and prepare for it thoroughly. The auditor should familiarise themselves with any existing information security policies and procedures. Next, the objectives of the audit must be established clearly. The final step is performing the audit itself: here you gather information from a variety of sources to establish the effectiveness of current procedures and, in the process, identify any vulnerabilities and risks to information security.
An information security audit should encompass all aspects of information storage and processing within your business. Relevant areas range from paper records and physical security to encryption and cloud computing. The COBIT 5 business framework can be utilised for guidance on conducting an audit. The publication was issued by ISACA, a non-profit, independent association of 140,000+ professionals across 187 countries, and reflects the latest advances in the field of IT governance.
Information security audits are often conducted by an IT specialist, as technology makes up a large proportion of current information security practice. Auditors can be either internal or external to your organisation. Some sectors are under tighter regulations when it comes to audits; financial institutions, for example, are required to undergo an external audit every year, so it is essential to familiarise yourself with any sector-specific requirements that apply to you.
What does an Audit Entail?
Information security is a wide field covering a broad collection of policies. For this reason, an information security audit will cover many diverse topics. Some of the major areas are outlined below:
Physical security is an important security measure, although it is often taken for granted inside places like office buildings. It comprises the physical restrictions that prevent unauthorised access to your building and the information it contains. Unauthorised access to your building could result in theft of equipment, records and data, and the subsequent release of the stolen information. This is a potential confidentiality breach and could result in disciplinary action, including fines and legal prosecution. To reduce this risk, many businesses implement two-factor authentication for building access: you must provide two things, one that you know (e.g. a door code) and one that you have (e.g. a fob). ID badges are another widespread policy, as many organisations insist that their employees wear them whilst in the workplace. However, ID badges should be taken off as soon as you leave the workplace, as criminals have been known to quote information from ID badges (such as name, position and organisation) to gain access to buildings. During an audit you should assess the extent to which employees adhere to physical access restriction policies.
The logical protection of databases and systems (e.g. by passwords) is another easily implementable and crucial measure. Some organisations implement policies requiring strong passwords. Strong passwords are at least 8 characters long and contain upper- and lowercase letters, numbers and special characters. Automatic screen locking after a period of inactivity can help prevent unauthorised access to information. Display screens should not be left logged in and unattended, as this gives any passer-by access to the information displayed.
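The password rules above can be checked mechanically. The following is an added example written for this page, not code from the original article: it encodes the stated policy (at least 8 characters, upper- and lowercase letters, a number and a special character) as a function that reports which rules a candidate password fails, and a small audit helper that tallies failures across a sample. The sample passwords are constructed for illustration. In practice a check like this belongs at the point where a password is set or changed, since stored passwords should only ever exist as hashes and cannot be re-examined later.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Minimum length stated in the article's policy.
MIN_LENGTH = 8


def password_policy_failures(password: str) -> List[str]:
    """Return the names of the policy rules the password fails.

    An empty list means the password satisfies every rule. Rule names are
    short identifiers so an auditor can tally which rule is most often broken.
    """
    failures: List[str] = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    # "Special character" is taken to mean anything that is neither a letter,
    # a digit nor whitespace (an assumption; the article does not define it).
    if not any((not c.isalnum()) and (not c.isspace()) for c in password):
        failures.append("special")
    return failures


def audit_password_sample(passwords: Iterable[str]) -> Tuple[int, Dict[str, int]]:
    """Summarise a sample: (number of compliant entries, failure count per rule)."""
    compliant = 0
    tally: Counter = Counter()
    for pw in passwords:
        failures = password_policy_failures(pw)
        if not failures:
            compliant += 1
        tally.update(failures)
    return compliant, dict(tally)


# Constructed sample for demonstration only.
SAMPLE_PASSWORDS = [
    "Tr0ub4dor&3",    # meets every rule
    "password",       # no uppercase, digit or special character
    "Sh0rt!",         # too short
    "PASSWORD123!",   # no lowercase
    "Winter2024",     # no special character
]

if __name__ == "__main__":
    ok, per_rule = audit_password_sample(SAMPLE_PASSWORDS)
    print(f"{ok} of {len(SAMPLE_PASSWORDS)} compliant")
    for rule, count in sorted(per_rule.items()):
        print(f"  {rule}: {count} failure(s)")
```

The tally is what an auditor actually wants: a single non-compliant password is an incident, but a rule that fails across a large share of the sample points to a policy that is not being enforced at the point of entry.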
You must check that all equipment is up and running to a safe standard. Similarly, the newest software updates should be installed on all devices in a timely manner, so as not to leave your network vulnerable to attack. Software is constantly being updated to combat the latest cyber threats. In an audit, it is important to check the state of all equipment and to ensure that software is being updated across the whole network.
You should make sure that appropriate business contingency plans are in place in case things go wrong. This will help to ensure business continuity and minimise disruption to service. Whilst conducting an audit, you should assess the strength of the business contingency plan as well as awareness of individual roles and responsibilities.
One approach to an information security audit is penetration testing. In a penetration test, auditors use the same tools and techniques as a criminal might, to try to breach an organisation's information security. This technique is valuable because it identifies flaws in your protection; however, it is not comprehensive and should be used in addition to, not instead of, other auditing techniques.
Why carry out an Information Security Audit?
Audits allow you to rapidly identify and address any security issues within your network. Conducting regular information security audits is therefore an essential measure in protecting your organisation against the potentially crippling effects of an information security breach. Information security breaches often result in information falling into the wrong hands. Unauthorised access to data can be incredibly damaging both to the party whose information is compromised and to the party responsible for the breach. Disciplinary action can range from internal procedures to legal prosecution and hefty fines. Regular audits and thorough information security training are both sure-fire ways to protect your organisation from security breaches.