Auditing information security covers topics from auditing the physical security of data centers to auditing the logical security of databases and more. From this view point, add the dimension that each business is different and has its own challenges; and objectives in terms of the value they hope to gain from undergoing the process of the internal security audit.
A security audit is a systematic evaluation of the security of a company’s information system by measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system’s physical configuration and environment, software, information handling processes, and user practices. Security audits are often used to determine regulatory compliance. – Techopedia
While the business value of an effective audit is not in question, the proposal of an audit is often met with resistance: the Information Systems department (IS) vs the Auditor. The perception from the IS side is that they feel like they are being policed or deliberately being set up to be caught with their proverbial pants down. The result? The equivalent of digital hide and seek between two company departments who should actually be complementing each other’s role and objectives. Communicating the specific objective, playing open cards with each other and sharing insights of the systems in questions will eliminate conflict from the start.
There is no one-size fits all security audit
While it is important to ensure that your company has an Internal Security Policy that covers all aspects of information security, and audit should focus on one or two areas that will have the biggest impact on business. It could be a combination of any of the following areas:
- Information Security (general)
- Business Continuity Management
- IT Risk Management
- Programme Risk
- Software / IT Asset Management
- Social Media Risk Management
- Segregation of duties / Identity and access management
- Data loss prevention and privacy
“Effective risk management is the product of multiple layers of risk defense. Internal Audit should support the board’s need to understand the effectiveness of cybersecurity controls.” – Deloitte.
Six Key Benefits
- Improve the “control environment” of the organisation
- Ensure that the organisation process-dependent instead of person-dependent
- Identify redundancies in operational and control procedures and provides recommendations to improve the efficiency and effectiveness of procedures
- Serve as an Early Warning System, enabling deficiencies to be identified and remediated on a timely basis (i.e. prior to external, regulatory or compliance audits)
- Ultimately increase accountability within the organisation
- With an internal audit function, management would have an advocate, a risk manager, a controls expert, an efficiency specialist, a problem-solving partner and a safety net.
Are you considering an internal security audit?
OIC is a security consulting firm based in Cape Town. We get excited about challenging security issues and are ready to provide real solutions to securing your company’s most valuable assets: your people, processes and technology. Contact us: firstname.lastname@example.org