An IT Security Audit, Why?
An IT security audit must be relevant to your business. Your requirements will differ depending on whether you are a large corporation or a small business. In both cases, however, the damage that can result from the lack of an audit can have a dramatic impact on the continuity of your business. You need to determine the reason why you will submit your organisation to an IT security audit.
Main reasons could be:
- Head office requirement
- Compliance with local or international regulations
- Adherence to best practices for security and efficiency
- Posture assessment after suspicion that there are issues in your systems or network.
- Need to comply with partner requirements (supplier, partner or client)
- Reorganisation of your department or company
Again, it will depend on a number of elements of your business. Sometimes you will need an audit because major changes have affected your company, or because you have lost key personnel and need to tighten your network security and ensure data confidentiality. At other times it will be your regular annual check-up, planned a long time in advance. It is important that you adapt the frequency of your audits to the speed at which changes affect your organisation: employee turnover, fast development, the incorporation of larger customers, the increasing size of corporate customers (which increases the risk to your organisation), new investment in equipment, or a change in direction, methodology or operations. Your auditor should be a reliable partner in deciding audit frequency. You should expect a clear and detailed report setting out all the reasons and motivations for running frequent audits.
Our IT security audits follow regulatory standards and ITIL best practices. We regularly consult sources such as:
- Bureau Veritas
- ISO Certification requirements
- Military standards and procedure in Data protection
- Industry Best Practices
- Guidance from large manufacturers and recommendations from leading security and network companies.
Our IT audit process starts with an interview with your management, to review which elements are critical to the survival of your business. We also look at identifying limitations in the workflow and points where documents or data could become more vulnerable. We collect and examine documentation related to the company’s practices and procedures, data from previous technology assessments, and walk through the physical locations. We also analyse other resources that could impact the effectiveness of your security program.
During our IT security audit, we will focus on the following elements:
- IT Security Policy in place
- Personnel Security Training program and participation
- Monitoring in place for systems, network and people
- Confidentiality and integrity of data
- Authentication and Access Controls
- User equipment (workstations, laptops and, potentially, mobile devices)
- Systems Security (Servers, NAS, Backup systems)
- Network Security (Switches, firewalls, Access Points, Guests access)
- Application Security, in-house as well as outsourced or cloud-based
- Software development, acquisition, maintenance and safekeeping procedures
- Physical security of premises and perimeters
- Service Provider Oversight – Security
- Business Continuity Plans
Our IT audit is summarised in a comprehensive report which covers all identified problems together with our recommended solutions. We always provide a clearly detailed solution and implementation plan to ensure that the client can immediately, and with its own staff, tackle the various vulnerabilities or problems we have encountered.
Our reports will always contain:
- Executive Summary
- Procedure followed during the audit
- Report from Management interview
- Detailed Audit Results
- Remediation Action Plan
- Results of data and documents analysis
- Control program for effective corrective implementation