A cyberattack can be devastating to any organization because it compromises sensitive data and, as a result, the financial position, strategic vision, and more important, the trust and credibility that the enterprise has built over the years. Given the magnitude of this risk, what role does the IT security audit function play in minimizing the risk likelihood and impact? And why is it important to adopt an integrated approach to IT and security auditing? Finding ways to leverage controls and testing across multiple frameworks can save organizations time and effort during audits while giving a more holistic view of their audit, compliance and security postures.
What Is a Security Audit?
A security audit is a comprehensive assessment of an organization’s security posture and IT infrastructure. Conducting an IT security audit helps organizations find and assess the vulnerabilities existing within their IT networks, connected devices and applications. It gives organizations the opportunity to fix security vulnerabilities and achieve compliance.
But security audits are not that simple and straightforward. Many organizations today undergo numerous audits due to compliance requirements to which they must adhere, and the assessment process to prepare for a potential audit can be overwhelming.
Why Perform a Security Audit?
There are several reasons to perform security audits. They include 6 goals:
- Identify security problems, gaps and system weaknesses.
- Establish a security baseline to which future audits can be compared.
- Comply with internal organization security policies.
- Comply with external regulatory requirements.
- Determine if security training is adequate.
- Identify unnecessary resources.
Security audits help protect critical data, identify security loopholes, create new security policies and track the effectiveness of security strategies. Regularly scheduled audits can help ensure that organizations have the appropriate security practices in place and encourage organizations to establish procedures to expose new vulnerabilities on a continuous basis.
When Is a Security Audit Needed?
How often an organization undergoes a security audit depends on the industry of which it is part, the demands of its business and structure and the number of systems and applications that must be audited. Organizations that handle high volumes of sensitive data, such as financial institutions and healthcare providers, are likely to do audits more frequently. Enterprises that use only 1 or 2 applications will find it easier to conduct security audits and may do them more frequently. External factors such as regulatory requirements (e.g., the US Federal Risk and Authorization Management Program [FEDRAMP]) also affect audit frequency. However, quarterly or monthly audits may be more than most organizations have the time or resources to complete. The determining factors in how often an organization chooses to do security audits depends on the complexity of the systems used and the type and importance of the data in that system. If the data in a system are deemed essential, then that system may be audited more often, but complicated systems that take time to audit may be audited less frequently.
If the data in a system are deemed essential, then that system may be audited more often, but complicated systems that take time to audit may be audited less frequently.
An organization should conduct a special security audit after a data breach, system upgrade or data migration, or when changes to compliance laws occur, when a new system has been implemented or when the business grows by more than a defined number of users. These one-time audits can focus on a specific area where the event may have opened security vulnerabilities. For example, if a data breach just occurred, an audit of the affected systems can help determine what went wrong.
What Systems Does an Audit Cover?
During a security audit, each system an organization uses may be assessed for vulnerabilities in specific areas including:
- Network vulnerabilities—Auditors look for weaknesses in any network component that an attacker could exploit to access systems or information or cause damage. Information as it travels between 2 points is particularly vulnerable. Security audits and regular network monitoring keep track of network traffic, including emails, instant messages, files and other communications. Network availability and access points are also included in this part of the audit.
- Security controls—During this part of the audit, the auditor looks at the effectiveness of an organization’s security controls. This includes evaluating how well an organization has implemented the policies and procedures it has established to safeguard its data and systems.
- Encryption—This part of the audit verifies that an organization has controls in place to manage data encryption processes.
- Software systems—Software systems are examined to ensure that they are working properly and providing accurate information and that controls are in place to prevent unauthorized users from gaining access to private data. The areas examined include data processing, software development and computer systems.
- Architecture management capabilities—Auditors verify that IT management has organizational structures and procedures in place to create an efficient and controlled environment to process data.
- Telecommunications controls—Auditors check that telecommunications controls are working on client sides, server sides and on the network that connects them.
- Systems development audit—Audits covering this area verify that any systems under development meet security objectives set by the organization. This part of the audit is also done to ensure that systems under development are following set standards.
- Information processing—These audits verify that data processing security measures are in place.
Strengthening Collaboration Between Internal Audit and IT
A robust cybersecurity strategy adopts a 3-pronged approach: prevent, detect and remediate. Internal audit’s role falls primarily in the first 2 categories: detecting cybersecurity lapses and control issues and preventing major cyberthreats and risk through frequent audits and recommendations. These objectives must be fulfilled not in isolation, but in continuous collaboration with the IT function.
There are many benefits to building a good relationship between internal audit and IT. For example, internal audit provides an unbiased and independent review of information security frameworks and controls which enables the IT team to design better controls or address areas that it might have previously overlooked. Internal audit supports the IT team’s efforts to get management buy-in for security policies and helps ensure that employees take their security compliance responsibilities seriously.
Internal audit supports the IT team’s efforts to get management buy-in for security policies and helps ensure that employees take their security compliance responsibilities seriously.
So, it is important that internal audit, together with the audit committee, meet with the chief information officer (CIO) and chief information security officer (CISO) regularly to discuss important cybersecurity issues and share insights on emerging threats, vulnerabilities and cybersecurity regulations. It is also critical to have a tool that helps the teams communicate and coordinate audit activities efficiently, such as open-source mappings (e.g., Secure Controls Framework [SCF]).
Adopting an Integrated Approach to IT and Security Auditing
The most essential requirement of a cybersecurity program is to ensure that risk, threats and controls are communicated and reported in a consistent manner. This requires audits to help the organization create a common risk language. Audit teams need to adopt standardized libraries of risk factors and controls, enabled by technology that make it simple to aggregate, communicate and analyze security data.
Another best practice is to have a centralized data repository where audit and IT teams can easily maintain, access and share crucial data. Teams can also map security risk areas to auditable entities, IT assets, controls and regulations. This tightly integrated data model should allow audit and IT teams to determine how a cybersecurity risk or ineffective control could impact the enterprise so they can provide recommendations proactively to resolve the issue.
Integrating audits also eases strain on audit teams and IT/engineering staff, as evidence gathered can be tested once and used across applicable frameworks that share scope instead of gathering it at different times of year. Gaining efficiency by cross-testing shared controls frees resources to focus on day-to-day operations instead of needing to be in perpetual audit mode throughout the year.
To best plan for an integrated audit, an organization must first make sure the scope of testing environment is going to be similar for the applicable frameworks. Once scope is defined, organizations can then work to understand similar controls that can be tested across the enterprise. In many cases, organizations start with security policies and procedures since these tend to apply to the organization as a whole, and then consider the technical testing of network systems for further efficiency gains.
Frameworks for Integration
Almost any framework can be approached in an integrated fashion. The most important aspect is that scopes align as closely as possible. The most common standards, frameworks and regulations that can be integrated are International Standards Organization (ISO) standard ISO 27001, SOC 2 Type 2, Payment Card Industry (PCI) Report on Compliance (ROC), and the US Health Insurance Portability and Accountability Act (HIPAA). An example of an organization that may leverage the aforementioned frameworks is a billing service provider for a healthcare vertical. In that case, the organization would be required to comply with HIPAA due to its relationship to the healthcare provider; the payment card industry because it accepts credit cards for payments; and ISO 27001 and SOC 2 Type 2 because of internal security demands that would require ISO and SOC audits to test processes and systems. Organizations that can align scope with these standards, frameworks and regulations gain a significant amount of efficiency in testing and a greater visibility into their overall security postures and compliance obligations.
The Big Picture
A decade ago, it was unusual for audits to be involved in evaluating data security risk and controls. However, in today’s digital enterprises, data have emerged as critical organizational assets that face the most significant security threats. The IT and security functions cannot combat these threats in siloes. The audit team is an essential ally and must join forces with IT in association with the board of directors (BoD), management and frontline teams to build a truly integrated and robust cybersecurity strategy that focuses on anticipating and mitigating risk and building cybersecurity resilience.
Chad Martin, CISA, CISSP, ISO/IEC 27001 LA, PCI QSA
Is a group product manager for Coalfire Systems, Inc. with a focus on threat, vulnerability and attack surface management. He has more than 20 years of IT and cybersecurity consulting and audit experience,