Are you tasked with keeping your information safe, but don't quite know where to start, or even what IT structures are in place at your business?
You aren't alone.
We've found that when you don't know where to begin, an audit is the right place to start.
Audits are opportunities for your business to improve, based on analysis and the resulting insights. Most importantly, an audit tells you where you are, like the "you are here" marker on your security map.
If you truly want to discover where to focus your IT security effort, it might be time to consider an IT audit.
When's the right time for a system safety audit?
When it comes to auditing your system security, there are three major indicators it's time to get started:
- You don't have clear insight into your IT structure
- You want to be preventative and protect your business from threats
- You haven't had an audit in the past year
If even one of these is true, you're ready to consider next steps. Doing an internal audit can be daunting, so you may want to start by thinking like a professional systems auditor.
What does a professional systems auditor look for?
The first thing a professional auditor will do is take an inventory and define your network's boundaries. The inventory includes every internet-facing device, every endpoint, and everything in between, like hosts, routers and switches.
This effort allows a specialist to create a map of your network topology. If you can't create that full map on your own, you can at least develop an understanding of your inventory via a network scan.
But if you can't perform a network scan to discover your inventory, or if you don't already have a comprehensive list of these assets, you may want to consider hiring a professional auditor.
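As an added example of turning a scan into an inventory (this is not code from the original post or from Twinstate Technologies), the script below parses the XML that nmap writes with `-oX` into one record per live host, then checks that list against what your asset register says you own and flags services an auditor would question. The nmap report, the asset list and the flagged service names are all constructed here for illustration.

```python
"""Build a network inventory from an nmap XML report (nmap -sV -oX scan.xml <range>).

The report below is a constructed sample, trimmed to the elements this script reads,
so the example runs offline. Point parse_nmap_xml() at a real -oX file for your network.
"""
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output: one gateway, one unlabeled host running
# telnet, and one host that did not answer.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/24">
  <host>
    <status state="up"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <hostnames><hostname name="gw.example.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.37" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="192.0.2.99" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one inventory record per live host: address, hostname and open ports."""
    root = ET.fromstring(xml_text)
    inventory = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # hosts that did not respond are not part of the inventory
        addr = None
        for a in host.findall("address"):
            if a.get("addrtype") in ("ipv4", "ipv6"):
                addr = a.get("addr")
                break
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else ""
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are noise for an inventory
            svc = port.find("service")
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
            })
        inventory.append({"addr": addr, "hostname": hostname, "open_ports": open_ports})
    return inventory


def unknown_hosts(inventory, known_assets):
    """Addresses that answered the scan but are missing from the asset list."""
    return sorted(h["addr"] for h in inventory if h["addr"] not in known_assets)


def hosts_with_services(inventory, flagged):
    """Hosts exposing a service name in `flagged` (e.g. cleartext admin protocols)."""
    return sorted(h["addr"] for h in inventory
                  if any(p["service"] in flagged for p in h["open_ports"]))


# Assumed asset register: the addresses the business believes it owns.
KNOWN_ASSETS = {"192.0.2.1"}

if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in inv:
        ports = ", ".join(f"{p['port']}/{p['proto']} {p['service']}" for p in h["open_ports"])
        print(f"{h['addr']:15} {h['hostname'] or '(no PTR)':24} {ports}")
    print("not in asset list:", unknown_hosts(inv, KNOWN_ASSETS))
    print("cleartext admin services:", hosts_with_services(inv, {"telnet", "ftp"}))
```

The two comparison functions are where the audit value is: a host that answers but is not in your asset list is exactly the gap the inventory step exists to find, and a live telnet service on it is a finding in its own right.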
Oftentimes, an auditor will use Computer Assisted (or Aided) Audit Techniques (CAATs) to complete the task. Though these techniques have their place in an audit, there are also qualitative issues to consider that they can miss. And if you're doing an internal audit, the qualitative questions you need to ask in order to build a picture of your infrastructure are crucial.
Building a checklist
Think of your checklist as a list of questions. You'll want to ask yes or no questions, of course, but also qualitative ones, to help you understand your current infrastructure. Later in this post, you'll learn how this checklist can give you a clear idea of risk and help you define your priorities.
To build your checklist, you can use this sample from utah.gov as a guide. You'll see this sample's relevance in your priority definition, as well.
Yes or no (or check-the-box) questions might include:
- Are my employees trained on who they may and may not give personal information to?
- Does my company require two-factor authentication?
- Does my company have security badges for access to server rooms?
Examples of helpful qualitative questions include:
- How are passwords created and managed?
- How do we store and update backup media?
- Who has access to our server room?
Break your list into categories to make it more manageable. You could use categories like personnel security, awareness and education, and physical security.
Finding your top concerns
What you're really assessing during an audit is your risk and how to prioritize your system safety efforts. What is most important?
To get to that answer, you'll need to create a list of possible negative events (threats) and a number scale, which will help you evaluate both total risk and the risk of individual threats to your business.
A simple equation can help: risk = impact x likelihood.
This equation tells you that assessing both the impact of a threat if it materializes and the likelihood of it occurring is crucial to understanding priority. Therefore, you'll want to make a scale for each of these variables.
Impact Scale
When creating an impact scale, you won't need to get specific with costs or time lost unless you want to. Your scale can be as specific or as general as makes sense for your business. An example: Minimal impact = 0, Minor effects but no major operational effects = 1, Time lost and costs incurred = 2, High costs incurred and significant time lost = 3, etc. Create intervals which make sense to you. One caveat: a 0 on the impact scale makes the risk product zero no matter how likely the event is, so reserve it for threats that genuinely cost you nothing.
Likelihood Scale
A likelihood scale can also be as specific or as general as you need it to be. You could use something like: 1 = Highly unlikely, 2 = Likely to occur less than once/year, 3 = Likely to occur once/year, 4 = Likely to occur once/month.
Just as you did with your questions list, you can break up your impact and likelihood scales into categories for simpler management. Categories for the impact/likelihood equation could include: human error threats, such as accidental modification or disclosure, or inadequate security policy; access control threats, like physical access or password cracking; and reliability of service threats.
Next, complete the equation for each threat and review your scores. If you've gotten to this point, you are now performing work that strong information security assessment teams perform, not during a simple audit, but during a broader risk assessment. It's likely you'll need some assistance in creating a priority list and a plan of action.
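To show the scoring step carried through end to end, here is an added example (not code from the original post or from Twinstate Technologies) that scores a small threat register with risk = impact x likelihood, using the impact and likelihood scales described above, and ranks the results by threat and by category. The threat register and its scores are constructed for illustration; the tie-break rule that ranks a rare high-impact threat above an equal-scoring frequent nuisance is an added design choice, not something the post prescribes.

```python
"""Score a threat register with risk = impact x likelihood and rank the results.

Scales follow the post: impact 0..3, likelihood 1..4. The threats and their
scores are constructed for illustration; replace them with your own list.
"""
from collections import defaultdict

# Impact scale from the post.
IMPACT = {
    0: "minimal impact",
    1: "minor effects, no major operational effect",
    2: "time lost and costs incurred",
    3: "high costs incurred and significant time lost",
}

# Likelihood scale from the post.
LIKELIHOOD = {
    1: "highly unlikely",
    2: "less than once/year",
    3: "about once/year",
    4: "about once/month",
}

# Constructed threat register: (category, threat, impact, likelihood).
THREATS = [
    ("human error", "accidental disclosure of customer data", 3, 2),
    ("human error", "accidental modification of production config", 2, 3),
    ("access control", "password cracking of an admin account", 3, 2),
    ("access control", "unauthorised physical access to server room", 3, 1),
    ("reliability of service", "backup media fails when a restore is needed", 3, 2),
    ("reliability of service", "ISP outage", 1, 4),
]


def risk_score(impact, likelihood):
    """risk = impact x likelihood, refusing values outside the defined scales."""
    if impact not in IMPACT or likelihood not in LIKELIHOOD:
        raise ValueError(f"score outside the defined scales: impact={impact}, likelihood={likelihood}")
    return impact * likelihood


def rank_threats(threats):
    """Return [(threat, score)] with the highest risk first.

    Ties are broken by impact (an added rule): a rare disaster should sit above
    a frequent nuisance that happens to multiply out to the same number.
    """
    scored = [(risk_score(i, l), i, name) for _, name, i, l in threats]
    scored.sort(key=lambda t: (t[0], t[1]), reverse=True)
    return [(name, score) for score, _, name in scored]


def risk_by_category(threats):
    """Total risk per category, so you can see where the weight of your exposure sits."""
    totals = defaultdict(int)
    for cat, _, i, l in threats:
        totals[cat] += risk_score(i, l)
    return dict(totals)


def total_risk(threats):
    """Total risk across the whole register."""
    return sum(risk_score(i, l) for _, _, i, l in threats)


def priorities(threats, threshold):
    """Threats whose score meets the threshold: the short list to act on first."""
    return [name for name, score in rank_threats(threats) if score >= threshold]


if __name__ == "__main__":
    for name, score in rank_threats(THREATS):
        print(f"{score:2}  {name}")
    print("by category:", risk_by_category(THREATS))
    print("total risk:", total_risk(THREATS))
    print("act on first:", priorities(THREATS, threshold=6))
```

Note what the ranking shows: four different threats all score 6, and the ISP outage (low impact, monthly) outscores a break-in to the server room (high impact, rare). A coarse scale compresses very different situations into the same number, which is why the scores are a starting point for judgement and not a substitute for it.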
System safety audit: What's next?
It's time to look at your scores and determine how you will make the appropriate adjustments. Some scores will make it obvious that you need a new policy, or new personnel to cover certain physical areas, and those adjustments you can make easily.
Another option is to stop right here, list in hand, and hire a consultant to help you work through the priorities and your plan of action.
Hiring an auditor or professional IT consultant could help ensure you leave no stone unturned and no question unasked. Ultimately, auditing for system safety isn't just about checking boxes. It's about growing, learning and making improvements to keep your business safe.
Learn more about how Twinstate Technologies can help keep your systems safe.
Originally published on 03/22/2016
Topic: System Safety, IT Security, Network Management & Performance