The anatomy of an Information Security Audit

WHYREDZero
3 min read · Sep 27, 2020

As the name makes clear, it is an audit of an organization’s level of information security: a systematic and measurable technical assessment of a company’s security policies. Such audits provide a way to define and assess the security of a production environment.

There are multiple types of audits, depending on the security controls used in the organization: an organization can have technical, physical, or administrative audits, matching the kinds of controls it has in place. Information security audits cover several topics over multiple domains of security. These audits help create a security benchmark for the company. They can also help identify the strengths and weaknesses of a company (security-wise) while helping prioritize remediation of the exposures that present the greatest risk. Most audits offer risk mitigation measures in line with industry best practices.

Infosec auditing covers a few fundamentals:

  • The basis of your critical data and processes.
  • An understanding of the threat landscape.
  • A proper governance and accounting system.
  • Resilience to withstand any attack.
  • A strategy to define the security budget allotment.

There are two types of audits, internal and external. To conduct internal audits, employees use the resources available in their work environment. Internal auditors often lack the complete knowledge required to conduct audits. External auditors, however, are skilled professionals with a wide range of tools at their command. External audits are more of a luxury, as the cost can sometimes be higher than the security budget. The success of the audit will depend on the level of communication between the sysadmin and the external auditor. An auditor can use multiple software tools to collect the data needed for an infosec audit.

The auditing team designs a list of threats and tests the production infrastructure against it. These threats can include but are not limited to:

  • Uninformed employees
  • Weak passwords
  • Employee devices
  • Malware
  • Physical theft
  • Natural disaster
  • Insider threats
  • Denial of Service Attacks
  • Phishing

Auditing is usually a 4-step process:

  • Planning: The audit plan should be kept very minimal so that it covers as many aspects as possible. We divide the plan into three parts: the aim, the scope, and the expected outcomes of the audit.
  • Inspection and testing: The auditing team will execute the plan in all areas of the business. Because of this, having strong communication during the auditing process helps move things along faster. This phase involves inspecting the current security policies, assessing employee knowledge, and stressing the security system of the company.
  • Interpretation of test results: The auditing team will interpret the test results with the help of the documentation created during testing. The result of the security stress-test will be determined based on the parameters provided by the organization. This is a transitional phase that shapes how the finished report will read. The observations here need to be organized logically. If any deviations from general security best practices are required, they need to be rationalized as clearly as possible.
  • Reporting: The auditor can deliver the final report in writing or verbally. The report will answer questions such as: Is the current system secure enough? Do the employees possess proper knowledge? Which vulnerabilities need to be addressed immediately? How should a given threat or vulnerability be managed? Does the policy require any changes? Which general security best practices should be followed?

While the above is a general list of auditing responsibilities, the actual list of roles and responsibilities can vary depending on the organization being audited. Infosec audits require attention to detail on a scale that makes most people shiver to their core. An infosec auditor also holds a specialized certification that verifies how good they are at pulling out deficiencies in a security setup. This certification is known as CISA, or Certified Information Security Auditor.
