If your organization is preparing for a cyber security audit, we recommend that you read on for best practices to optimize the value of the audit.
Third-party external audits can be expensive, so it’s best to be as prepared as possible by following these best practices.
What is a cyber security audit?
A cybersecurity audit is a method that verifies that your company has security policies in place to address all possible risks.
Internal staff may conduct an audit to prepare for an external organization. If your organization is subject to regulatory requirements, such as the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the Standard Payment Card Industry Data Security (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), or ISO 27001, you will need to hire an auditor to verify compliance and receive certification.
A cybersecurity audit is different from a cybersecurity assessment. An audit is a checklist that checks that you have addressed a specific risk, while an assessment tests the risk to see how well it is being implemented.
Best practices of a cyber security audit
There are many publications available that provide detailed information on how to prepare for a cybersecurity audit, but here is a high-level overview of what to do in preparation for an external audit.
Develop a security policy
Every organization should have a security policy that outlines the rules and procedures for working with the organization’s IT infrastructure, especially the handling of sensitive and private data.
If you previously developed these policies, now is the time to review the policies to ensure data confidentiality, data integrity, and secure data access as it pertains to your industry and applicable compliance requirements. For example, your security policy should identify:
- What to protect? (For example, data, business applications, hardware, etc.)
- How will you protect it? (For example, the use of passwords)
- How will access to data be controlled and blocked?
- How to protect personal or confidential data?
- How to maintain the accuracy and integrity of the data?
- How to protect archived data?
To help you prepare and/or review your organization’s security policy, you can refer to the National Institute of Standards and Technology (NIST) Cybersecurity Framework.
“The NIST Framework is a voluntary guide, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it is designed to foster cybersecurity and risk management communications among organizational stakeholders, both internal and external, to improve their ability to prevent, detect, and respond to cybersecurity threats. cyberattacks”.
Review and verify your cyber security policies
Most likely, you have a variety of security policies that were created at different times by different people. Now is the time to review each of these policies and cross-reference them to make sure they are consistent.
For example, if your backup policy requires backups every 30 days, you may not be able to meet your Recovery Point Objectives (RPOs) under your disaster recovery policy, which depends on those Backups.
If a disaster occurs, you can lose up to 30 days of data. If your systems don’t use multifactor authentication, your password policy should require extraordinarily strong passwords that are changed frequently.
Examples of these security policies include:
Data security policies. How do you make sure your sensitive data is safe from prying eyes?
Data privacy policies. How do you make sure private data stays private?
Network access control. How do you restrict network access to only those devices that are authorized and comply with security policies? Do network devices have the necessary security patches and cybersecurity protection?
Backup policies. When and how does your organization back up its systems, applications, and data?
Password Policies. What are your organization’s password policies and how do you manage them?
Disaster recovery policies. Is your disaster recovery plan regularly exercised and updated to ensure you can recover your systems and data? Will you be able to meet your planned Recovery Time Objectives (RTOs) and RPOs?
Remote Work Policies. How does your company ensure the safety and security of your remote workers’ devices?
email policy and employee Internet. How do you ensure that your employees use email and the corporate Internet for their business and have no expectation that personal communications, data, and files will be kept private? How can you be sure employees understand that they can’t send harassing, threatening, or offending email?
Acceptable Use Policy. What procedures must an employee agree to before being allowed access to the corporate network?
It is important to create a secure network structure and topology design. For example, if you are segmenting your network, your Finance servers should not be on the same network or subnet as your Research and Development or Human Resources servers.
Instead, segmenting your network into smaller zones strengthens your security because you have compartmentalized services that may contain sensitive information.
Also check to make sure your firewall and other network security tools that should be in place ARE in place, as they will need to be reviewed and audited.
Review and enforce business compliance standards
If you are subject to regulations, such as GDPR, PCI, or HIPAA, make sure you comply with applicable regulations and make this a part of the conversation with your auditors.
Auditors will likely approach your team about applicable compliance regulations, so be prepared with documentation showing your compliance.
Review and enforce employee workplace standards
Before the audit, be sure to review and ensure that all employees understand and adhere to your employee Internet and email policy.
For example, employees must not view websites that contain criminal or offensive content, such as gambling and pornographic websites.
Employees must not store content that violates copyright laws. Employees should not use their corporate email addresses for personal business.
Conducting an internal audit of cyber security
Prior to the initiation of an external audit, it is highly recommended that you test for non-compliance and security gaps by performing a test internal audit following the best practices outlined above.
An internal cybersecurity audit can combine a manual review of policies, processes, and controls, as well as automated reviews of key infrastructure and security systems.
You must do this for two reasons. First, external audits are quite expensive, ranging from tens of thousands to hundreds of thousands of dollars.
It’s best to know your compliance posture before you spend the money on an external audit so you can address any issues beforehand. Doing this will also reduce the stress associated with an external audit and eliminate any surprises.