Most IT professionals perform ongoing security monitoring of their environments to catch security problems as they arise. But what happens if your monitoring tools don't catch a threat or vulnerability? Or, what if there are underlying configuration problems in your IT environment that invite security breaches?
IT security audits help guard against risks like these. By auditing your IT infrastructure, applications and services, you can detect weak points and find ways to optimize your overall security posture. Security audits aren't a replacement for monitoring, but they provide another layer of defense to help catch issues that slip through monitoring defenses.
This article explains why, how and when to perform IT security audits.
What Is an IT Security Audit?
A security audit is a formal review of IT assets for security vulnerabilities. Audits typically cover all facets of an organization's IT estate -- from networks and applications to data storage media and beyond.
Audits are important because they help detect vulnerabilities that could be lurking within your environment, but which would otherwise not become obvious unless they lead to an actual breach. You may have improper access controls configured for cloud data storage, for example, or you could have insecure ports open on a network switch. Audits provide an opportunity to find and address issues such as these before they turn into active breaches.
Audits can also be used as a way to assess your organization's compliance with regulatory or governance rules. Admins can define the compliance policies that their IT assets need to meet, then scan environments to determine whether the actual configurations match those rules.
At the same time, audits allow teams to measure their improvement with regard to security since the last audit. This is useful for organizations committed to continuous improvement of IT security over time.
Finally, there is a cost component to security audits. By finding insecure systems and configurations, admins can identify opportunities for implementing more secure and cost-effective solutions. Thus, although audits come with an upfront cost, they can save money in the long run by helping organizations improve their overall security posture at a lower total cost.
IT Security Audit Processes
Audits can be broken into four distinct processes.
Audit Planning
First comes planning. Teams must identify the goals and objectives of the audit: Will it be a comprehensive audit of all systems, for example, or will it focus on certain areas? Which business goals will the audit reinforce?
They should also define the resources necessary to conduct the audit: Which security tools and personnel will drive it?
Planning a timeline is useful, too. Determine how long each phase of the audit should last, and how progress will be measured.
Audit Execution
With a plan in place, you're ready to perform the audit. Many aspects of auditing can be automated using tools that scan environments for vulnerabilities or insecure configurations. However, some manual reviews may also be necessary, especially for highly complex systems.
As security issues are identified, teams should keep a list. If possible, ranking risks based on their severity is useful for determining which issues to prioritize for response.
Reporting
After the audit is complete, the team should prepare a report and share it with stakeholders across the organization. In some cases, sharing with third parties, such as a company's partners, may be pertinent as well.
In addition to noting the security risks discovered by the audit, the report should include plans for remediating them.
Incident Management and DR Planning
Finally, review your organization's disaster recovery plan and incident response plans to ensure that they address any risks identified in the audit. You may have discovered new vulnerabilities, such as insecure data storage, that leave the organization at risk of ransomware.
Although disaster recovery and incident response plans should address even unknown or unanticipated risks, it's particularly important to make sure you plan for the specific risks that the audit finds.
IT Security Audit Frequency
One of the biggest questions for IT admins is determining how often to conduct IT security audits. Audits consume time and resources, so you can't perform them constantly. Instead, run audits on a timetable that makes sense for your business.
One-Time Project
If you are conducting a new project, such as setting up a temporary hosting environment in the cloud while you recover on-premises infrastructure following a disaster, it's wise to perform an audit after the fact to check for risks and vulnerabilities. You should do this even if the new resources will be used only once, or only temporarily.
Evaluation of New Processes
Each time you implement new technology or equipment, like setting up new servers or updating networking equipment, audits help evaluate risks and find potential vulnerabilities. They can also alert you to opportunities for strengthening the security posture of the environment that you may otherwise overlook.
Regular Assessments
In addition to performing audits when certain situations arise, you can plan regular audits on a monthly, semiannual or annual basis. The frequency of regular audits should reflect the resources you have available for performing audits.
Keep in mind that if you lack the capacity to perform regular audits of your entire environment on a monthly or semiannual basis, you can at least audit critical resources with that frequency, while saving the across-the-board audits for once every year.
What Should Be Audited?
What do you actually audit? Again, a comprehensive audit should cover every facet of every system in an IT environment. The list of items to assess typically includes, but is not necessarily limited to:
- Employees’ and third parties’ access rights: Ensure there are no shared accounts, that least-privilege principles and IAM best practices are enforced, and so on.
- Hardware and software: Check that firmware and software are up to date. Make sure hardware is physically secure. Identify resources that have reached their end of life.
- Backups: Ensure that backups are being performed regularly, and that they meet RPO and RTO needs.
- Authentication and password management: Is password rotation in place? Is MFA enabled? Are users required to create strong passwords?
- Network configuration: Check for insecure ports, unnecessary exposure of network hosts to the Internet, and so on.
- Operating systems: Are operating systems up to date? Are you using the most secure operating systems available? Do you have kernel hardening frameworks running, such as SELinux?
- Data security control: Make sure data is physically secure (if it is stored on-premises) and that it is secured against unauthorized access and network-borne threats.
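As an added illustration (not code from the article), the script below turns three of the checklist items above into automated checks that run over constructed sample data: logins that share a UID in a passwd file, TCP listeners exposed on all interfaces (parsed from ss -lnt style output), and the SELinux mode. The allowlisted ports and the severity ranking are assumptions for the example.

```python
import re
from collections import defaultdict

# Assumption: the only services this host is meant to expose to other hosts.
ALLOWED_PUBLIC_PORTS = {22, 443}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample inputs (not captured from any real system).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
toor:x:0:0:second uid-0 login:/root:/bin/bash
"""
SAMPLE_SS = """LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 511 0.0.0.0:6379 0.0.0.0:*
LISTEN 0 128 [::]:443 [::]:*
"""
SAMPLE_SELINUX = "SELINUX=permissive\nSELINUXTYPE=targeted\n"

def audit_passwd(passwd_text):
    """Access rights: a UID used by several logins is a shared account; uid 0 is worst."""
    by_uid = defaultdict(list)
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3:
            by_uid[int(fields[2])].append(fields[0])
    return [("high" if uid == 0 else "medium", f"uid {uid} shared by {', '.join(names)}")
            for uid, names in sorted(by_uid.items()) if len(names) > 1]

def audit_listeners(ss_text):
    """Network: TCP listeners bound to every interface on ports not in the allowlist."""
    findings = []
    for line in ss_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, port = cols[3].rsplit(":", 1)  # local address column, e.g. 0.0.0.0:22
        if addr in ("0.0.0.0", "*", "[::]") and int(port) not in ALLOWED_PUBLIC_PORTS:
            findings.append(("high", f"port {port}/tcp listens on all interfaces"))
    return findings

def audit_selinux(config_text):
    """Operating system: SELinux should be enforcing, not permissive or disabled."""
    match = re.search(r"^SELINUX=(\w+)", config_text, re.M)
    mode = match.group(1) if match else "unset"
    return [] if mode == "enforcing" else [("medium", f"SELinux mode is {mode}, not enforcing")]

def run_audit(passwd_text, ss_text, selinux_text):
    """Collect all findings and rank them by severity for the report."""
    findings = audit_passwd(passwd_text) + audit_listeners(ss_text) + audit_selinux(selinux_text)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])
```

On a real host the three inputs would come from /etc/passwd, `ss -Hlnt` and /etc/selinux/config; the ranked list is the seed of the issue list the Audit Execution step above calls for.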
Conclusion
IT security audits are a critical step toward optimizing your business's overall IT security posture. They save time and money by allowing you to take a proactive approach to security and find issues that you don't catch -- or that you catch too late -- using security monitoring, which is a distinct process.