PCWizrd

The Best IT Security Audit Checklist For Small Business

01.11.22 08:01 PM By Scott Pettie

What is an IT security audit?

An information technology security audit is an assessment of the security of your IT systems.

It covers the entire IT infrastructure including personal computers, servers, network routers, switches, etc.

There are two types of information technology security audits - automated and manual audits. Automated audits are done using monitoring software that generates audit reports for changes made to files and system settings. Manual audits are done using an IT audit checklist that covers the technical as well as physical and administrative security controls.


This blog post is focused on manual IT security audits.

Why do you need to conduct IT security audits?

The frequency and sophistication of cyber attacks on small and medium businesses are increasing. As per the 2019 Data Breach Investigations Report by Verizon, 43% of cyber attacks were targeted at small businesses. To set up a strong defense against cyber threats, you must be aware of not just the threats but also the state of your IT security and vulnerabilities.
Security audits are not one-time projects; the audit checklist is a living document. Advances in technology and changes in your business model create new vulnerabilities in your information technology systems, and these advances and changes are continuous. So, to be effective, your IT security also has to evolve continuously. We will explain how to use this checklist for a successful IT security audit towards the end of this blog.

For now, here are the steps for a successful IT Security Audit:

  1. Assess your current IT security state

  2. Identify vulnerabilities and prioritize improvement opportunities

  3. Describe the target state for your IT security

  4. Assess your progress towards your desired IT security state

Let’s begin by assessing the state of your IT security controls...


1. PHYSICAL SECURITY

When we talk about IT security, physical security doesn’t readily come to mind. We generally tend to think about software, virtual infrastructure, and the internet. But physical security is just as important. A simple physical access restriction can mitigate a number of IT security risks. Your audit checklist must include the following:

  1. Do you have policies to restrict physical access to servers or electronic information systems?

  2. Do you have controls such as door locks, access control systems, video monitoring, etc?

  3. Is access to your office controlled either via security or reception desk, sign-in log, access badges, or similar?

  4. Do you escort visitors in and out of controlled areas?

  5. Are your computers and other systems physically secured?

  6. Do you use a physical lock and cable to secure laptops?

2. ADMINISTRATIVE SECURITY CONTROLS

It is incredible and at the same time scary what can be done with a tiny USB storage device and a high-speed internet connection. Within minutes your files can be copied, your systems corrupted, or your network hacked. Therefore, you must maintain strong administrative security controls. Background checks on all employees and contractors must also be mandatory before giving them access to your systems.

As you review and update your IT policies, you must also educate your employees about them. Human error is a big challenge for IT security. Regular discussions on IT security threats, preventive measures, and phishing drills go a long way in reducing human error. Most phishing or malware attacks will fail if your employees are aware of your policies and follow security protocols.

2.1 Personnel Security

  • Do your employees wear an ID badge with a current photo?

  • Do you conduct background checks for employees and contractors?

2.2 Account Management

  • Do you create a unique user account and username for each individual?

  • Are all user accounts and their privileges documented and approved by an authorized individual?

  • Are admin accounts used only for performing admin tasks?

  • Are user accounts, especially those with admin privileges, removed when no longer required?

  • Do you use only one approved remote access method?

  • Do you give remote access only to authorized users?

  • Do you give unique credentials to each remote user instead of using a common account?

  • Are administrative privileges restricted to your IT team?

  • Is system access limited based on roles and needs?

  • Do you use Identity and Access Management solutions?
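The Account Management questions above can be checked against an account inventory rather than answered from memory. The following is an added example, not code from the PCWizrd post: it runs those checks over a small inventory constructed here (one account per person, documented approval, admin accounts kept separate from daily-use accounts, and accounts of departed or inactive users flagged for removal). The field names, the 90-day stale threshold and the sample data are assumptions made for this example.

```python
"""Account-management audit helper (added example, not from the PCWizrd post).

Checks an account inventory against the Account Management questions:
unique per-person accounts, documented approval, admin accounts used only
for admin tasks, and removal of accounts that are no longer required.
Field names, the 90-day stale threshold and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)   # assumed review threshold for unused accounts


@dataclass
class Account:
    username: str
    owners: tuple           # people who use the account; more than one = shared
    is_admin: bool
    approved_by: str        # "" means no documented approval
    enabled: bool
    last_login: date


def audit_accounts(accounts, active_staff, today):
    """Return (username, finding) pairs for accounts that fail a check."""
    findings = []
    for a in accounts:
        if len(a.owners) != 1:
            findings.append((a.username, "shared"))        # not a unique per-person account
        if not a.approved_by:
            findings.append((a.username, "unapproved"))    # no documented approval
        if a.enabled and any(o not in active_staff for o in a.owners):
            findings.append((a.username, "departed"))      # owner has left, account still live
        if a.enabled and today - a.last_login > STALE_AFTER:
            findings.append((a.username, "stale"))         # unused: probably no longer required
    # An admin account should not be its owner's only enabled account: that
    # means it is also used for everyday work, not just for admin tasks.
    by_owner = {}
    for a in accounts:
        if a.enabled and len(a.owners) == 1:
            by_owner.setdefault(a.owners[0], []).append(a)
    for person, accs in by_owner.items():
        if person in active_staff and all(a.is_admin for a in accs):
            findings.append((accs[0].username, "admin_only"))
    return findings


# Constructed sample inventory and staff list (not real data).
ACTIVE_STAFF = {"alice", "bob", "carol", "erin", "frank"}
AUDIT_DATE = date(2022, 11, 1)
SAMPLE_ACCOUNTS = [
    Account("alice",     ("alice",),        False, "cto", True,  date(2022, 10, 28)),
    Account("alice-adm", ("alice",),        True,  "cto", True,  date(2022, 10, 20)),
    Account("bob",       ("bob",),          False, "",    True,  date(2022, 10, 30)),
    Account("carol-adm", ("carol",),        True,  "cto", True,  date(2022, 10, 31)),
    Account("dave",      ("dave",),         False, "cto", True,  date(2022, 6, 1)),
    Account("reception", ("erin", "frank"), False, "cto", True,  date(2022, 10, 31)),
    Account("ftp-old",   ("bob",),          False, "cto", False, date(2021, 1, 1)),
]


def run_account_audit():
    return audit_accounts(SAMPLE_ACCOUNTS, ACTIVE_STAFF, AUDIT_DATE)


if __name__ == "__main__":
    for username, finding in run_account_audit():
        print(f"{username:12} {finding}")
```

Disabled accounts are skipped by the departed and stale checks, so the already-disabled `ftp-old` produces no finding, while `dave` (no longer on staff, still enabled, unused for months) produces two. In practice the inventory would be exported from your directory or identity and access management solution instead of being typed in.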

2.3 IT and Security Policy

  • Do you have a robust password policy to ensure all users have strong passwords?

  • Have you implemented 2FA (Two-Factor Authentication)?

  • Do you require the use of virtual private networks (VPNs) for remote access?

  • Have you set up a segregated guest WiFi for visitors and employee-owned devices?

  • Do you regularly educate your employees about cybersecurity risks and vulnerabilities?

3. TECHNICAL SECURITY CONTROLS

With the adoption of every new technology, the complexity and the consequent vulnerabilities increase. You have to think of not just your IT infrastructure, but also the cloud, SaaS platforms, network devices, etc., and their complex interplay. Therefore, it is advisable to hire professionals to help with setting up your IT security. Even if you have in-house IT people, it is very likely that they do not have optimum exposure to new devices and security features. External help is also ideal for conducting penetration tests and phishing simulations.

If you would like to get a comprehensive picture of your entire IT infrastructure, check our previous blog: The Ultimate IT Checklist For Small Businesses

3.1 IT INFRASTRUCTURE SECURITY

  • Do you purchase your equipment only from authorized resellers?

  • Do you download firmware, updates, patches, and upgrades only from validated sources?

  • Do all purchased devices have operating systems that are standardized and approved by IT?

  • Are antivirus and malware protection installed on all computers and mobile devices?

  • Do you use standard configuration for each type of device?

  • Have you implemented server security best practices?

  • Do you maintain a list of all your hardware including the device name, type, location, serial number, service tag, etc?

  • Do you have the latest drivers installed on all your devices?

3.2 SOFTWARE SECURITY MANAGEMENT

  • Do you maintain a whitelist of applications that are allowed to be installed on computers and mobile devices?

  • Do you use an MDM (mobile device management) for securing your mobile devices, operating systems, and applications?

  • Do you keep auto-update on for your OS, applications, and antivirus?

  • Are customization options limited to power users?

  • Do you install software only from a trusted source?

  • Do you maintain a list of software installed and the corresponding license?

  • Do you maintain a list of accounts (usernames and passwords) that use online services?

  • Do you run scheduled virus scans for all users and systems?

  • Do you have spam filters in place for all users?

3.3 CLOUD SECURITY

  • Do the cloud services you use meet your data storage and privacy compliance requirements?

  • Do your SLAs have clauses on response times, business continuity, and disaster recovery?

  • Is access to user data restricted to required users?

  • Do you have a plan in place in case of loss of access to cloud services?

  • Do you have policies that deal with data breaches?

3.4 CYBERSECURITY

  • Do you use a password manager?

  • Do you use only legitimate software, applications, and browser extensions from trusted sources?

  • Are devices automatically locked when left unattended?

  • Is the use of USB drives and external hard drives from unfamiliar sources restricted?

  • Do you have daily scheduled backups for all critical files and data?

  • Do you have a disaster recovery and business continuity plan?

  • Do you have an acceptable use policy covering the use of computers, mobile devices, and other IT resources as well as Social Media tools?

  • Do you regularly review permissions to access shared folders, systems, and applications and remove people who no longer need access?

  • Do you have a standard procedure for isolating infected machines and for cleaning them?

  • Do you regularly conduct phishing audits and penetration tests?

  • Do you maintain an FAQ on company IT and Security policies?

  • Are you able to remotely wipe mobile devices if lost or stolen?

4. NETWORK SECURITY

The network infrastructure of small businesses is a common target for cyber attackers. This is because network devices such as routers, switches, firewalls, etc. are generally not maintained at the same security level as your desktops and mobile devices. There are a lot of boxes to tick to make your network secure. We have talked about Network Security at length in our blog: The Ultimate Network Security Checklist.

4.1 FIREWALL MANAGEMENT

  • Do you have a firewall in place to protect your internal network against unauthorized access?

  • Do you have a strong password for your firewall device that is different from the default one?

  • Is “Deny All” your default posture on all access lists, inbound and outbound?

  • Is every rule on your firewall documented and approved by an authorized individual?

  • Is every alert promptly logged and investigated?

  • Do you use only secure routing protocols, which use authentication?

  • Do you promptly disable any permissive firewall rules that are no longer required?
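Several of the Firewall Management questions above (default deny on both chains, every rule documented and approved, permissive rules that are no longer required) can be checked mechanically once the rule set is exported. The following is an added example, not code from the PCWizrd post, and it does not parse any vendor's rule syntax: it runs those checks over a simplified rule list constructed here. The field names, the finding codes and the sample rules are assumptions made for this example.

```python
"""Firewall rule-set audit helper (added example, not from the PCWizrd post).

Checks a simplified rule list against the Firewall Management questions:
a "deny all" default at the end of both the inbound and outbound chains,
every allow rule documented and approved, and permissive or expired allow
rules flagged for removal. Field names and sample rules are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Rule:
    name: str
    direction: str                  # "in" or "out"
    action: str                     # "allow" or "deny"
    src: str                        # CIDR, host address or "any"
    dst: str
    port: str                       # port number or "any"
    owner: str = ""                 # who requested the rule; "" = undocumented
    approved_by: str = ""           # "" = no recorded approval
    expires: Optional[date] = None  # None = permanent


def is_catch_all(r):
    return r.src == "any" and r.dst == "any" and r.port == "any"


def audit_rules(rules, today):
    """Return (rule or chain name, finding) pairs. Rules match in list order."""
    findings = []
    # Default-deny check per chain: the first catch-all deny ends the chain,
    # so any rule after it can never match and is dead configuration.
    for direction in ("in", "out"):
        chain = [r for r in rules if r.direction == direction]
        deny_idx = next((i for i, r in enumerate(chain)
                         if r.action == "deny" and is_catch_all(r)), None)
        if deny_idx is None:
            findings.append((f"{direction}bound-chain", "no_default_deny"))
        else:
            for r in chain[deny_idx + 1:]:
                findings.append((r.name, "unreachable"))
    for r in rules:
        if r.action != "allow":
            continue
        if not r.owner:
            findings.append((r.name, "undocumented"))
        if not r.approved_by:
            findings.append((r.name, "unapproved"))
        if is_catch_all(r):
            findings.append((r.name, "any_any_allow"))   # fully permissive rule
        if r.expires is not None and r.expires < today:
            findings.append((r.name, "expired"))         # temporary rule not cleaned up
    return findings


# Constructed sample rule set (not a real configuration).
AUDIT_DATE = date(2022, 11, 1)
SAMPLE_RULES = [
    Rule("web-https",  "in",  "allow", "any",         "10.0.0.10", "443",  "it", "cto"),
    Rule("vendor-rdp", "in",  "allow", "203.0.113.5", "10.0.0.20", "3389", "it", "cto", date(2022, 9, 30)),
    Rule("temp-any",   "in",  "allow", "any",         "any",       "any"),
    Rule("deny-in",    "in",  "deny",  "any",         "any",       "any",  "it", "cto"),
    Rule("ssh-late",   "in",  "allow", "10.0.1.0/24", "10.0.0.10", "22",   "it", "cto"),
    Rule("dns-out",    "out", "allow", "10.0.0.0/24", "any",       "53",   "it", "cto"),
    # no outbound catch-all deny: the audit should flag the outbound chain
]


def run_firewall_audit():
    return audit_rules(SAMPLE_RULES, AUDIT_DATE)


if __name__ == "__main__":
    for name, finding in run_firewall_audit():
        print(f"{name:16} {finding}")
```

The sample set deliberately contains each failure the checklist asks about: an undocumented, unapproved any/any allow, a vendor access rule past its expiry date, an allow rule placed after the inbound deny-all (so it never matches), and an outbound chain with no default deny at all. Running the same checks after every rule change turns the "documented and approved" question into something you can verify rather than assert.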

4.2 NETWORK DEVICE SECURITY

  • Do you ensure that all devices on your network are using WPA2 (Wi-Fi Protected Access II)?

  • Are ports that are not assigned to specific devices promptly disabled?

  • Do you use physical or virtual separation to isolate critical devices onto network segments?

  • Are all unnecessary services on routers and switches turned off?

4.3 SOFTWARE PATCH MANAGEMENT

  • Do you use only licensed and supported software?

  • Are software updates and security patches installed as soon as they are available?

  • Is unsupported software removed from devices that are capable of connecting to the internet?

  • Do you use a patch management solution?

4.4 MALWARE PROTECTION

  • Is your anti-malware software kept on auto-update?

  • Is your anti-malware software configured to scan files and web pages automatically and block malicious content?

  • Is your anti-malware software configured to perform regular scans?
