A cyberattack can be devastating to any organization because it compromises sensitive data and, as a result, the financial position, strategic vision, and more important, the trust and credibility that the enterprise has built over the years. Given the magnitude of this risk, what role does the IT security audit function play in minimizing the risk likelihood and impact? And why is it important to adopt an integrated approach to IT and security auditing? Finding ways to leverage controls and testing across multiple frameworks can save organizations time and effort during audits while giving a more holistic view of their audit, compliance and security postures.
A security audit is a comprehensive assessment of an organization’s security posture and IT infrastructure. Conducting an IT security audit helps organizations find and assess the vulnerabilities existing within their IT networks, connected devices and applications. It gives organizations the opportunity to fix security vulnerabilities and achieve compliance.
But security audits are not that simple and straightforward. Many organizations today undergo numerous audits due to compliance requirements to which they must adhere, and the assessment process to prepare for a potential audit can be overwhelming.
There are several reasons to perform security audits. They include 6 goals:
Security audits help protect critical data, identify security loopholes, create new security policies and track the effectiveness of security strategies. Regularly scheduled audits can help ensure that organizations have the appropriate security practices in place and encourage organizations to establish procedures to expose new vulnerabilities on a continuous basis.
How often an organization undergoes a security audit depends on the industry of which it is part, the demands of its business and structure and the number of systems and applications that must be audited. Organizations that handle high volumes of sensitive data, such as financial institutions and healthcare providers, are likely to do audits more frequently. Enterprises that use only 1 or 2 applications will find it easier to conduct security audits and may do them more frequently. External factors such as regulatory requirements (e.g., the US Federal Risk and Authorization Management Program [FedRAMP]) also affect audit frequency. However, quarterly or monthly audits may be more than most organizations have the time or resources to complete. The determining factors in how often an organization chooses to do security audits depend on the complexity of the systems used and the type and importance of the data in those systems. If the data in a system are deemed essential, then that system may be audited more often, but complicated systems that take time to audit may be audited less frequently.
An organization should conduct a special security audit after a data breach, system upgrade or data migration, or when changes to compliance laws occur, when a new system has been implemented or when the business grows by more than a defined number of users. These one-time audits can focus on a specific area where the event may have opened security vulnerabilities. For example, if a data breach just occurred, an audit of the affected systems can help determine what went wrong.
During a security audit, each system an organization uses may be assessed for vulnerabilities in specific areas including:
A robust cybersecurity strategy adopts a 3-pronged approach: prevent, detect and remediate. Internal audit’s role falls primarily in the first 2 categories: detecting cybersecurity lapses and control issues and preventing major cyberthreats and risk through frequent audits and recommendations. These objectives must be fulfilled not in isolation, but in continuous collaboration with the IT function.
There are many benefits to building a good relationship between internal audit and IT. For example, internal audit provides an unbiased and independent review of information security frameworks and controls which enables the IT team to design better controls or address areas that it might have previously overlooked. Internal audit supports the IT team’s efforts to get management buy-in for security policies and helps ensure that employees take their security compliance responsibilities seriously.
So, it is important that internal audit, together with the audit committee, meet with the chief information officer (CIO) and chief information security officer (CISO) regularly to discuss important cybersecurity issues and share insights on emerging threats, vulnerabilities and cybersecurity regulations. It is also critical to have a tool that helps the teams communicate and coordinate audit activities efficiently, such as open-source mappings (e.g., Secure Controls Framework [SCF]).
The most essential requirement of a cybersecurity program is to ensure that risk, threats and controls are communicated and reported in a consistent manner. This requires audits to help the organization create a common risk language. Audit teams need to adopt standardized libraries of risk factors and controls, enabled by technology that makes it simple to aggregate, communicate and analyze security data.
Another best practice is to have a centralized data repository where audit and IT teams can easily maintain, access and share crucial data. Teams can also map security risk areas to auditable entities, IT assets, controls and regulations. This tightly integrated data model should allow audit and IT teams to determine how a cybersecurity risk or ineffective control could impact the enterprise so they can provide recommendations proactively to resolve the issue.
Integrating audits also eases strain on audit teams and IT/engineering staff, as evidence gathered can be tested once and used across applicable frameworks that share scope instead of gathering it at different times of year. Gaining efficiency by cross-testing shared controls frees resources to focus on day-to-day operations instead of needing to be in perpetual audit mode throughout the year.
To best plan for an integrated audit, an organization must first make sure the scope of the testing environment is going to be similar for the applicable frameworks. Once scope is defined, organizations can then work to understand similar controls that can be tested across the enterprise. In many cases, organizations start with security policies and procedures since these tend to apply to the organization as a whole, and then consider the technical testing of network systems for further efficiency gains.
Almost any framework can be approached in an integrated fashion. The most important aspect is that scopes align as closely as possible. The most common standards, frameworks and regulations that can be integrated are International Standards Organization (ISO) standard ISO 27001, SOC 2 Type 2, Payment Card Industry (PCI) Report on Compliance (ROC), and the US Health Insurance Portability and Accountability Act (HIPAA). An example of an organization that may leverage the aforementioned frameworks is a billing service provider for a healthcare vertical. In that case, the organization would be required to comply with HIPAA due to its relationship to the healthcare provider; the payment card industry because it accepts credit cards for payments; and ISO 27001 and SOC 2 Type 2 because of internal security demands that would require ISO and SOC audits to test processes and systems. Organizations that can align scope with these standards, frameworks and regulations gain a significant amount of efficiency in testing and a greater visibility into their overall security postures and compliance obligations.
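The integrated data model described above (a common control library mapped to frameworks and IT assets, with scope agreed up front) can be made concrete in a small planning script. This is an added example, not code from the article or from any named organization or tool; every control ID, framework mapping and asset name in it is a constructed placeholder, not a real SCF, ISO 27001, SOC 2, PCI or HIPAA identifier. It shows which controls can be tested once and reused across frameworks, which serve a single framework, and which fall outside the agreed scope and must be resolved before the audit starts.

```python
"""Control-mapping planner for an integrated audit (added example, not from the article).
All control IDs, framework names and asset names are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str        # common-library control (constructed ID)
    description: str
    frameworks: frozenset  # frameworks/regulations this control satisfies (constructed mapping)
    assets: frozenset      # auditable entities / IT assets the control covers (constructed)


# Constructed common-control library for the billing-service-provider scenario in the text.
LIBRARY = [
    Control("CC-01", "Information security policy approved annually",
            frozenset({"ISO27001", "SOC2", "PCI", "HIPAA"}), frozenset({"enterprise"})),
    Control("CC-02", "Quarterly access review of privileged accounts",
            frozenset({"ISO27001", "SOC2", "PCI"}), frozenset({"billing-app", "cardholder-db"})),
    Control("CC-03", "Encryption of ePHI at rest",
            frozenset({"HIPAA"}), frozenset({"patient-db"})),
    Control("CC-04", "Quarterly vulnerability scanning of in-scope network",
            frozenset({"PCI", "SOC2"}), frozenset({"cardholder-db", "billing-app"})),
    Control("CC-05", "Business associate agreements on file",
            frozenset({"HIPAA"}), frozenset({"enterprise"})),
]


def plan_integrated_audit(library, frameworks, scope):
    """Return (shared, single, out_of_scope).

    shared:       controls whose evidence can be tested once and reused across >1 in-scope framework
    single:       controls that serve exactly one in-scope framework
    out_of_scope: controls mapped to an in-scope framework but covering assets outside the agreed scope
    """
    shared, single, out_of_scope = [], [], []
    for c in library:
        hits = sorted(c.frameworks & set(frameworks))
        if not hits:
            continue  # control is irrelevant to this audit cycle
        if not c.assets <= set(scope):
            out_of_scope.append(c.control_id)  # scope misalignment: fix before testing
        elif len(hits) > 1:
            shared.append((c.control_id, hits))
        else:
            single.append((c.control_id, hits[0]))
    return shared, single, out_of_scope


def evidence_savings(shared):
    """Separate evidence-gathering exercises avoided by testing each shared control once."""
    return sum(len(hits) - 1 for _, hits in shared)
```

Running the planner with `patient-db` left out of the agreed scope reports CC-03 as a scope gap, which is exactly the kind of misalignment the text says must be settled before shared controls can be cross-tested.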
A decade ago, it was unusual for audits to be involved in evaluating data security risk and controls. However, in today’s digital enterprises, data have emerged as critical organizational assets that face the most significant security threats. The IT and security functions cannot combat these threats in silos. The audit team is an essential ally and must join forces with IT in association with the board of directors (BoD), management and frontline teams to build a truly integrated and robust cybersecurity strategy that focuses on anticipating and mitigating risk and building cybersecurity resilience.
Is a group product manager for Coalfire Systems, Inc. with a focus on threat, vulnerability and attack surface management. He has more than 20 years of IT and cybersecurity consulting and audit experience,