The Dodd-Frank Wall Street Reform and Consumer Protection Act, enacted in 2010, requires the U.S. Federal Reserve to conduct annual stress tests for banks above a minimum asset threshold. The C-suite leadership of these banks takes these stress audits very seriously and devotes ample resources and effort to preparing for them, including their own internal risk assessments to identify potential vulnerabilities.
While it may not be on the same scale, many companies must undergo regular cybersecurity audits. These are essential security stress tests that determine whether an organization can withstand the exploitative tactics that target common vulnerabilities. In some cases, an audit may uncover a serious threat such as a backdoor. As with a banking audit, there are serious repercussions for failing to earn a passing grade. That makes thorough preparation critical, and preparation requires a strategy.
Conducting a Preliminary Audit
Let’s face it, the only way to ensure your business is ready for an audit is an actual audit. A preliminary audit examines the attack surfaces of your hardware and software and reviews the security policies and controls to protect them. The first step is to determine what type of audit you need to conduct because not all audits are the same. For instance, a monthly recurring audit would include just the basics such as:
- Ensure that all systems and applications are fully patched and up-to-date
- Review personnel and their assigned responsibilities
- Ensure that all databases and data repositories are properly secured
If you have never conducted a preliminary audit, or a significant amount of time has elapsed since your last one, you will want to include additional steps such as:
- Complete a risk assessment to identify the risks that your organization faces
- Conduct an inventory of all network-connected devices and software applications
- Identify and categorize all the data hosted throughout your network to understand which data needs to be prioritized in terms of security
- Perform a gap analysis to compare your existing security policies against industry standards and best practices such as NIST, CIS Controls, or ISO 27001
A post-breach audit often requires advanced security tools that can fully test your company’s security posture. The tool set will also be shaped by the specific compliance requirements you are subject to. For instance, firms that must follow PCI DSS are required to perform quarterly vulnerability assessments and an annual penetration test.
Internal or External Audits
Once you have determined the type of audit you need to perform, you must decide whether you can adequately conduct it internally or whether you need to bring in outside specialists. If your business operates in a low-risk environment and you have internal IT personnel with the right skill sets, an internal audit will prove less expensive and give you more control over the process. Smaller businesses that lack the resources or expertise may be able to use their MSP or MSSP.
Businesses that operate in highly regulated industries or handle sizable amounts of sensitive data may want to bring in a team of experienced professionals who have formal cybersecurity training. Enterprises that use hybrid multi-cloud architectures may require auditors with expertise in assessing these complex environments. While obviously more expensive, an external audit will be more objective and may offer fresh insights. In most cases, an external audit will also be perceived as more credible by stakeholders.
Manual or Automated
Depending on the type of audit required, you might have a choice between a manually driven audit and an automated one. A manual audit will be more thorough and offer context-driven analysis and tailored findings. It is also highly adaptable and can easily be modified to address emerging threats and compliance changes. These audits often produce extensive reporting that includes recommendations for addressing any issues found. A manual audit, however, is more costly, time-consuming and disruptive. It often includes a qualitative assessment that will only be as good as the person conducting it.
An automated audit provides an efficient and scalable means of scanning your network for vulnerabilities, configuration errors, missing security patches, and outdated software. Automated audits are far less disruptive to your business operations, but they are more prone to producing false positives and cannot provide the in-depth analysis that a manual audit can. They offer little flexibility and lack the rich reporting that a manual audit includes.
Preparing for the Real Deal
Now that you have completed a trial run to prepare yourself, it is time for game day. That doesn’t mean you simply hand over the ball to the auditing team as they take the field, however. You and your internal team still have work to do.
Imagine your business going through an IRS audit. You would most likely want to accommodate the auditors in any way possible and streamline the process. You would want to know what they expect to find before their visit so that you can have all the required documents readily available. Similarly, it is a good idea to have all your ducks in a row for an actual cybersecurity audit.
- Confirm the project scope with the auditor ahead of time. This is especially helpful if you are hiring an external auditing team, since it avoids scope creep and contains costs. Knowing in advance which areas of the network the auditors will be addressing and what type of documentation they will need will leave you better prepared to provide information and answer questions. Find out which personnel, if any, must be available for interviews.
- Accelerate the auditor’s understanding of your network by creating a diagram of your network assets using a diagramming app such as Visio.
- Organize your cybersecurity policies into a single source document that you can present to the auditor. This should include your password policy, information security policy, user account restrictions, access control policies, internet use policies, and BYOD policies. Be sure to include a complete copy of your incident response plan as this is critically important.
- Have your log files and backups organized and readily available as these will be requested in some capacity by the auditor. Be sure you understand the required retention periods for them.
The Importance of a SOC
Being fully prepared for an audit will also reduce the stress of the entire process and make you less nervous about the next one. SMBs that use a security operations center (SOC) know the added confidence a SOC security team provides ahead of an audit. Because a SOC team monitors and analyzes your network 24/7, they know your network better than most. Because their job is to eliminate detected vulnerabilities and exploitable attack avenues, your network will already be secured in advance of the audit. They will also be able to help provide any data that a security compliance auditor requires, making your preparatory work easier. Yes, completing a cybersecurity audit can be a highly involved process, but with the right preparation it can also be a process that not only rewards compliance but brings added value to your organization.