Information security audits are on the rise, as organizations look not only to bolster their security postures, but also to demonstrate their efforts to other parties such as regulators.
Audits, which are measurable technical assessments of systems, applications and other IT components, can involve any number of manual and automated processes. Whether conducted by internal auditors or outside consultants, they are an effective way for companies to evaluate where they stand in terms of protecting data resources.
The high-profile data breaches of recent years have forced many organizations to take a closer look at their security technologies and policies, experts say.
“Public exposure to the steady volume of company breaches has led to increased scrutiny from legislators and compliance organizations,” says David Barton, CISO at security technology provider Websense. “A comprehensive security audit program is one way to satisfy the scrutiny of those compliance organizations.”
Audits can be complex, however. There are many standards in use, including some for regulated industries as well as independent standards developed by active industry control groups, says Sean Pike, program director, eDiscovery and Information Governance, at research firm International Data Corp. (IDC).
“For each standard there are many more attempts at encapsulating the required audit components into control or common-control frameworks meant to guide the security audit,” Pike says. “Each control framework typically has a tremendous amount of controls that are meant to assist [an] audit—anything from user passwords to data storage or physical controls. An audit can be overwhelming for even the most mature organization.”
Trends such as the rise in cloud services and mobile technologies are making audits even more complicated.
“One of the immediate ways that an audit is affected is that it’s more difficult to determine where enterprise data is or where it moves throughout the course of a business process,” Pike says.
Here are some suggestions from experts on how to conduct an effective security audit:
Scope out the audit and do the necessary prep work. “The keys to a successful audit start long before the audit is actually conducted,” says Rich Wyckoff, manager of information security at Fletcher Allen Health Care.
Develop the scope for the audit and work with the auditors beforehand to agree on what they will be auditing. “I’m of the mindset that I want an auditor to help me find pieces of the business I don’t know about,” Wyckoff says. “While no one likes to see the dirty laundry of their organization, we can’t address and resolve what we don’t know is a problem.”