What is an IT security audit?
An information technology security audit is an assessment of the security of your IT systems.
It covers the entire IT infrastructure including personal computers, servers, network routers, switches, etc.
There are two types of information technology security audits - automated and manual audits. Automated audits are done using monitoring software that generates audit reports for changes made to files and system settings. Manual audits are done using an IT audit checklist that covers the technical as well as physical and administrative security controls.
This blog post is focused on manual IT security audits.
Why do you need to conduct IT security audits?
For now, here are the steps for a successful IT Security Audit:
Assess your current IT security state
Identify vulnerabilities and prioritize improvement opportunities
Describe the target state for your IT security
Assess your progress towards your desired IT security state
Let’s begin by assessing the state of your IT security controls...
1. PHYSICAL SECURITY
When we talk about IT security, physical security doesn’t readily come to mind. We generally tend to think about software, virtual infrastructure, and the internet. But physical security is just as important. A simple physical access restriction can mitigate a number of IT security risks. Your audit checklist must include the following:
Do you have policies to restrict physical access to servers or electronic information systems?
Do you have controls such as door locks, access control systems, video monitoring, etc.?
Is access to your office controlled either via security or reception desk, sign-in log, access badges, or similar?
Do you escort visitors in and out of controlled areas?
Are your computers and other systems physically secured?
Do you use a physical lock and cable to secure laptops?
2. ADMINISTRATIVE SECURITY CONTROLS
2.1 Personnel Security
Do your employees wear an ID badge with a current photo?
Do you conduct background checks for employees and contractors?
2.2 Account Management
Do you create a unique user account and username for each individual?
Are all user accounts and their privileges documented and approved by an authorized individual?
Are admin accounts used only for performing admin tasks?
Are user accounts, especially those with admin privileges, removed when no longer required?
Do you use only one approved remote access method?
Do you give remote access only to authorized users?
Do you give unique credentials to each remote user instead of using a common account?
Are administrative privileges restricted to your IT team?
Is system access limited based on roles and needs?
Do you use Identity and Access Management solutions?
2.3 IT and Security Policy
Do you have a robust password policy to ensure all users have strong passwords?
Have you implemented 2FA (Two-Factor Authentication)?
Do you require the use of virtual private networks (VPNs) for remote access?
Have you set up a segregated guest WiFi for visitors and employee-owned devices?
Do you regularly educate your employees about cybersecurity risks and vulnerabilities?
3. TECHNICAL SECURITY CONTROLS
With every new technology you adopt, the complexity of your environment, and with it the number of vulnerabilities, increases. You have to think of not just your IT infrastructure, but also the cloud, SaaS platforms, network devices, etc., and their complex interplay. Therefore, it is advisable to hire professionals to help with setting up your IT security. Even if you have in-house IT people, it is very likely that they do not have up-to-date exposure to new devices and security features. External help is also ideal for conducting penetration tests and phishing simulations.
If you would like to get a comprehensive picture of your entire IT infrastructure, check our previous blog post: The Ultimate IT Checklist For Small Businesses
3.1 IT INFRASTRUCTURE SECURITY
Do you purchase your equipment only from authorized resellers?
Do you download firmware, updates, patches, and upgrades only from validated sources?
Do all purchased devices have operating systems that are standardized and approved by IT?
Are antivirus and malware protection installed on all computers and mobile devices?
Do you use standard configuration for each type of device?
Have you implemented server security best practices?
Do you maintain a list of all your hardware including the device name, type, location, serial number, service tag, etc.?
Do you have the latest drivers installed on all your devices?
3.2 SOFTWARE SECURITY MANAGEMENT
Do you maintain a whitelist of applications that are allowed to be installed on computers and mobile devices?
Do you use an MDM (mobile device management) for securing your mobile devices, operating systems, and applications?
Do you keep auto-update on for your OS, applications, and antivirus?
Are customization options limited to power users?
Do you install software only from a trusted source?
Do you maintain a list of software installed and the corresponding license?
Do you maintain a list of accounts (usernames and passwords) used for online services?
Do you run scheduled virus scans for all users and systems?
Do you have spam filters in place for all users?
3.3 CLOUD SECURITY
Do the cloud services you use meet your data storage and privacy compliance requirements?
Do your SLAs have clauses on response times, business continuity, and disaster recovery?
Is access to user data restricted to required users?
Do you have a plan in place in case of loss of access to cloud services?
Do you have policies that deal with data breaches?
3.4 CYBERSECURITY
Do you use a password manager?
Do you use only legitimate software, applications, and browser extensions from trusted sources?
Are devices automatically locked when left unattended?
Is the use of USB drives and external hard drives from unfamiliar sources restricted?
Do you have daily scheduled backups for all critical files and data?
Do you have a disaster recovery and business continuity plan?
Do you have an acceptable use policy covering the use of computers, mobile devices, and other IT resources as well as Social Media tools?
Do you regularly review permissions to access shared folders, systems, and applications and remove people who no longer need access?
Do you have a standard procedure for isolating infected machines and for cleaning them?
Do you regularly conduct phishing audits and penetration tests?
Do you maintain an FAQ on company IT and Security policies?
Are you able to remotely wipe mobile devices if lost or stolen?
4. NETWORK SECURITY
4.1 FIREWALL MANAGEMENT
Do you have a firewall in place to protect your internal network against unauthorized access?
Do you have a strong password for your firewall device that is different from the default one?
Is “Deny All” your default posture on all access lists, inbound and outbound?
Is every rule on your firewall documented and approved by an authorized individual?
Is every alert promptly logged and investigated?
Do you use only secure routing protocols, which use authentication?
Do you promptly disable any permissive firewall rules that are no longer required?
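The three technical questions above (default deny, documented rules, no leftover permissive rules) can be checked against a host firewall export rather than by eye. Below is an added example, not code from the original post, that audits a constructed iptables-save ruleset; the change ticket id in the comment is a placeholder, and "documented" is taken to mean the rule carries an iptables comment.

```python
import re

# Constructed sample in iptables-save format (not from the original post).
# The change ticket id "CHG-0042" is a placeholder.
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/24 -p tcp -m tcp --dport 22 -m comment --comment "CHG-0042 admin SSH from IT VLAN" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3389 -m comment --comment "temporary vendor RDP" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
COMMIT
"""

def parse_iptables_save(text):
    """Return ({chain: default policy}, [rule lines]) from iptables-save output."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):              # ":CHAIN POLICY [packets:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):          # an appended rule
            rules.append(line)
    return policies, rules

def audit_ruleset(text):
    """Return (finding kind, detail) tuples for the three checklist questions."""
    policies, rules = parse_iptables_save(text)
    findings = []
    # Q: is "Deny All" the default posture, inbound and outbound?
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(("default-policy", f"{chain} policy is {policies.get(chain, 'missing')}"))
    for rule in rules:
        if not rule.endswith("-j ACCEPT"):
            continue
        # Loopback and stateful return-traffic rules are expected on every host.
        if " -i lo " in rule or "--ctstate" in rule:
            continue
        # Q: any permissive rule left over? Here: accepts new connections from any source.
        if not re.search(r"\s-s\s", rule):
            findings.append(("any-source", rule))
        # Q: is every rule documented? iptables keeps the note in '-m comment --comment'.
        if "--comment" not in rule:
            findings.append(("undocumented", rule))
    return findings

if __name__ == "__main__":
    for kind, detail in audit_ruleset(SAMPLE_RULESET):
        print(f"[{kind}] {detail}")
```

On the sample it reports the permissive OUTPUT policy, the two rules that accept from any source, and the one rule with no comment; run it against `iptables-save` output from each host to collect the same evidence for the audit.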
4.2 NETWORK DEVICE SECURITY
Do you ensure that all wireless networks and devices use WPA2 (Wi-Fi Protected Access II)?
Are unused switch ports, i.e. those not assigned to specific devices, promptly disabled?
Do you use physical or virtual separation to isolate critical devices onto network segments?
Are all unnecessary services on routers and switches turned off?
4.3 SOFTWARE PATCH MANAGEMENT
Do you use only licensed and supported software?
Are software updates and security patches installed as soon as they are available?
Is unsupported software removed from devices that are capable of connecting to the internet?
Do you use a patch management solution?
4.4 MALWARE PROTECTION
Is your anti-malware software kept on auto-update?
Is your anti-malware software configured to scan files and web pages automatically and block malicious content?
Is your anti-malware software configured to perform regular scans?