BY: JEFF PETTERS
A security audit is the high-level description of the many ways organizations can test and assess their overall security posture, including cybersecurity. You might employ more than one type of security audit to achieve your desired results and meet your business objectives.
In this blog, we will go over the benefits of audits, the cost, and of course, how Varonis can help you assess your security and fill any gaps you might find.
A Varonis Risk Assessment is a free 30-day security audit that shows you where your sensitive data is at risk and shines a light on many other potential attack vectors. Sign up for a free risk assessment here.
Why Are Security Audits Important?
If you keep track of cybersecurity news even a little bit, you should have an intuitive understanding of why audits are important. Regular audits can catch new vulnerabilities and unintended consequences of organizational change, and on top of that, they are required by law for some industries – most notably medical and financial.
Here are some more specific benefits to running security audits.
- Verify whether your current security strategy is adequate
- Check that your security training efforts are moving the needle from one audit to the next
- Reduce cost by shutting down or repurposing extraneous hardware and software that you uncover during the audit
- Uncover vulnerabilities introduced into your organization by new technology or processes
- Prove the organization is compliant with regulations – HIPAA, SHIELD, CCPA, GDPR, etc.
How Do Security Audits Work?
Gartner put together a comprehensive guide to plan and perform audits. During their research, Gartner identified several key findings that can help organizations better plan and utilize audits for good.
They found that companies focus audits on compliance activities rather than on assessing the risk to their organization. Checking boxes on a compliance form is great, but that won’t stop an attacker from stealing data. By reframing the security audit to uncover risk to your organization as a whole, you will be able to tick the compliance-related boxes along the way.
Gartner also found that audits tend to exist in a silo without a wide net and buy-in from many key stakeholders in the organization. They advise organizations to build a cross-functional security audit project plan with multiple stakeholders that is updateable and repeatable so you can track your successes and failures over time.
A security audit should follow this basic format:
Define Assessment Criteria
A security audit is only as complete as its early definition. Determine the overall objectives the company needs to address in the audit, and then break those down into departmental priorities.
Get sign-off on all business objectives of the security audit, and keep track of out-of-scope items and exceptions.
Gartner advises companies to agree on how the assessment will be performed and tracked, and how the results will be gathered and addressed prior to the audit.
Things to consider:
- Industry and geographic standards (e.g., HIPAA, CCPA, GDPR)
- Maintain a threat catalog of all discovered risk vectors
- Are your stakeholders involved and able to participate?
- Utilize outside resources when possible; an experienced security auditor can help you ask the correct questions and steer the audit successfully
Most importantly, the organization’s priorities must not influence the outcomes of the audit.
Put simply, don’t ignore bad stuff because it makes your job hard.
Prepare the Security Audit
With all of your success criteria and business objectives defined, it’s time to prioritize those items. In order to do a great audit, companies have to align their efforts with the top items on their list. Not every item is a top priority, and not every top priority requires maximum effort.
During this step, select the tools and methodologies required to meet the business objectives. Find or create an appropriate questionnaire or survey to gather the correct data for your audit. Avoid square pegging tools into the round holes of your requirements and one-size-fits-all surveys.
Conduct the Security Audit
The next step is, of course, to conduct the audit.
During the audit, take care to provide appropriate documentation and perform due diligence throughout the process. Monitor the progress of the audit and check the data points collected for accuracy. Use previous audits, new information, and the guidance of your auditing team to carefully select which rabbit holes you descend into. You will uncover details that require further examination, but prioritize those new items with the team first.
Complete the audit and socialize the results with all of the stakeholders using the agreed-upon definitions from the earlier steps. Create a list of action items based on the audit and prioritize fixes and changes to remediate the security items discovered.
Beware of Risks and Pitfalls
There are a few possible challenges to a successful security audit.
- Avoid on-the-fly assessments; trust the process
- Stand by the facts of your results. People will push back and question the validity of your audit, so make sure to be thorough and complete
- Beware of poorly defined scope or requirements in your audit; they can prove to be unproductive wastes of time
- An audit is supposed to uncover risk to your operation, which is different from a process audit or compliance audit, so stay focused on risk
Types of Security Audits
Gartner describes three different security audits for three different use cases.
1. One-time assessment
One-time assessments are security audits that you perform for ad-hoc or special circumstances and triggers in your operation. For example, if you are going to introduce a new software platform, you have a battery of tests and audits that you run to discover any new risk you are introducing into your shop.
2. Tollgate assessment
Tollgate assessments are security audits with a binary outcome. It’s a go or no-go audit to determine whether a new process or procedure can be introduced into your environment. You aren’t determining risk as much as looking for showstoppers that will prevent you from moving forward.
3. Portfolio assessment
Portfolio security audits are the annual, bi-annual, or <enter your requirements here> regularly scheduled audit. Use these audits to verify that your security processes and procedures are being followed and that they are adequate for the current business climate and needs.
What to Look For in an IT Audit
Here is an incomplete list of things that you might check, find, and flag during an audit.
- Insufficient password complexity
- Over-permissive ACLs on folders
- Inconsistent ACLs on folders
- Non-existent or insufficient file activity auditing
- Non-existent or insufficient review of auditing data
- Correct security software and security configurations on all systems
- Only compliant software installed on systems
- Data retention policies followed
- Disaster recovery plans updated and tested
- Incident response plans updated and tested
- Sensitive data stored and protected correctly with encryption
- Change management procedures followed
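Two of the folder-ACL items above can be checked mechanically. The following is an added example, not code from the original post or from Varonis; it assumes a simplified ACL model (folder path, principal name, set of rights) and uses constructed sample data in place of a real file share.

```python
"""Audit check for over-permissive and inconsistent folder ACLs.

Added example, not from the original post. Assumes a simplified ACL model:
each folder maps principals to a set of rights. Group names such as
"Everyone" and "Authenticated Users" are constructed sample values.
"""
from pathlib import PurePosixPath

# Broad groups that should never hold write-level rights on a sensitive folder.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
WRITE_RIGHTS = {"Write", "Modify", "FullControl"}


def over_permissive(acls):
    """Return (folder, principal, rights) where a broad group can write."""
    findings = []
    for folder, aces in acls.items():
        for principal, rights in aces.items():
            if principal in BROAD_PRINCIPALS and rights & WRITE_RIGHTS:
                findings.append((folder, principal, sorted(rights & WRITE_RIGHTS)))
    return sorted(findings)


def inconsistent(acls):
    """Return (child, parent, principal) where a child folder grants a
    principal rights its nearest audited parent does not grant: broken
    inheritance or a one-off grant that periodic reviews tend to miss."""
    findings = []
    for folder, aces in acls.items():
        parent = str(PurePosixPath(folder).parent)
        while parent not in acls and parent not in ("/", "."):
            parent = str(PurePosixPath(parent).parent)
        if parent not in acls:  # top of the audited tree, nothing to compare
            continue
        for principal, rights in aces.items():
            if not rights <= acls[parent].get(principal, set()):
                findings.append((folder, parent, principal))
    return sorted(findings)


# Constructed sample ACLs (not real data) mirroring a small file share.
SAMPLE_ACLS = {
    "/share/finance": {"Finance": {"Modify"}, "Domain Admins": {"FullControl"}},
    "/share/finance/payroll": {"Finance": {"Modify"}, "Domain Admins": {"FullControl"},
                               "Everyone": {"Modify"}},
    "/share/finance/reports": {"Finance": {"Modify"}, "Domain Admins": {"FullControl"},
                               "Contractor-X": {"Read"}},
    "/share/public": {"Everyone": {"Read"}},
}

if __name__ == "__main__":
    for finding in over_permissive(SAMPLE_ACLS) + inconsistent(SAMPLE_ACLS):
        print(finding)
```

Feeding this a real share means building the same dictionary from the platform's ACL tooling (for example, `Get-Acl` output on Windows); the check logic stays the same.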
Q: How Often Should a Security Audit Be Performed?
A: For the three different types of security audits we discussed, do One-Time Audits after you introduce a defined threshold of change into your operation, Tollgate Audits before you introduce new software or services, and Portfolio Audits at least annually.
If you can automate some of this work by monitoring the status of your security risk profile over time, the annual audits will be easier to manage.
Q: How Much Does an IT Security Audit Cost?
A: From a single Google search I found anywhere from $1500 to $50,000 quoted for a security audit. So it depends. $1500 seems to be a daily rate for an auditor, so a month of their time would cost around $30,000. Penetration tests and other services would add to that cost. You might want to use pentesters in your Portfolio audits, and maybe your Tollgates. So it depends.
Audits are an important piece of your overall security strategy in this current “we are all hacked” business climate. If you are looking for a system to automate some of your data security audit capabilities, check out Varonis. Varonis shows you where your data is at risk and monitors your sensitive data for attacks from both inside and out.
If you are just getting started with your security audits, a Varonis Risk Assessment can kick-start your program with a well-tested 30-day security audit. Contact one of our Security Experts today to get started.