We use checklists to ensure we're hitting every step in meeting a goal. For example, I make a list so that I don't forget anything when I go to the grocery store. Surrounded by shelves full of products with colorful labels, it's easy to lose track of items that I need, especially if they don't relate to whatever meal I'm cooking this week.
However, just because I’m making baked chicken thighs this week doesn't mean I won't be impacted when I run out of mouthwash. That's why I audit myself before I leave the store by comparing my list against what I have in my cart. Did I get everything I need? Is there anything I need to push to next week's list?
Security audits are a safeguard in the same way that I cross-check my grocery list. A security audit establishes a set of criteria that organizations check against to ensure that they are meeting internal security policies and complying with external regulations.
What is a security audit?
A security audit is a comprehensive evaluation of an organization's security posture. It examines defenses across the physical workspace, digital applications, network, and employees to determine if security policies are being followed and identifies areas for improvement.
Why do security audits matter?
In our interconnected world, security is a constant concern. The more complexity in an IT environment, the more vulnerabilities that can exist. Security audits combat this trend by serving as a time-bound commitment to cross-check systems for risks.
By examining the security posture of the entire organization, these audits identify gaps in existing defenses, processes where employee training can be improved, and opportunities to create new security policies. They serve as a litmus test for the effectiveness of existing strategies and highlight new areas of focus for the security team.
The process of auditing is also important to ensure you are maintaining good visibility into the different areas of your organization. The audit keeps an organization accountable, the same way my grocery list cross-checks that I have found everything I need. If I only went off my usual shopping habits, then nonperishable products, like mouthwash and laundry, would be overlooked.
Audits may also be required by government agencies or external institutions to maintain your organization's accreditation, such as routine audits to ensure compliance with the Fair and Accurate Credit Transactions Act (FACTA). This is a federal law that regulates how companies handle U.S. citizens' financial information.
Routine Audits vs. Event-Based Audits
Security audits are an important part of a company's long-term strategy for protecting its data and assets. This means that audits should be conducted on at least an annual basis, but a higher frequency is advisable to adjust security practices sooner. Cybersecurity best practices are evolving as technology advances, and frequent audits will ensure your organization is keeping pace.
In addition to routine audits, experts recommend that your organization performs security audits after an attack or major update. Both scenarios are considered significant events.
In the case of an attack, such as a data breach, the audit will focus on identifying exactly what happened and what went wrong to allow the leak. Naturally, your team will also emphasize fixes to prevent another breach from happening.
After a major update, such as the installation of a new tool or a data migration, your environment will be significantly changed from when the last audit was conducted. In this case, an audit is a safeguard against new vulnerabilities that may have been introduced with the large-scale change.
However, given the time and resources a full security audit requires, it's important to define the impact level of an update that would initiate an audit. This prioritization ensures you are allocating your security team's resources wisely.
Security Audit Types
- Internal Security Audit
- Second-party Security Audit
- Third-party Security Audit
1. Internal Security Audit
The internal security audit is run by team members within your organization. You will have the most control over what your internal audit examines, the team members that drive it, and the resources dedicated to its process.
Naturally, you will use the internal approach for your routine audits. However, leveraging a third-party security audit is also worthwhile since the external organization will have a more objective view that can lead to new findings.
2. Second-Party Security Audit
A second-party security audit is when your organization runs an audit on a supplier to ensure their security practices are adequate so that a cyberattack or breach in their organization won't impact your security. For example, ensuring a plugin on your website is secure so that a bad actor breaching the company that produces the plugin can't use it as a backdoor into your website and network.
3. Third-Party Security Audit
A third-party security audit (also known as an external audit) is an audit of your company run by a third-party organization that has no affiliation with your business (to ensure unbiased results).
Many federal regulations — such as the Federal Risk and Authorization Management Program (FedRAMP) — require audits by third parties before awarding certifications to organizations. In the case of FedRAMP, the third-party certification shows that a technology vendor meets security and compliance baselines before it is vetted by an authorized federal agency for full certification.
Security Audits and Additional Security Evaluations
As we have seen, there are three different types of security audits. It's also important to distinguish security audits from other security evaluations your organization may perform as outlined below.
Security Audits vs. Cybersecurity Audits
Cybersecurity audits are a subset of security audits focused specifically on the information systems within an organization. Given the digital environments most companies are working in, they might seem synonymous with security audits. However, focusing only on cybersecurity would be an oversight.
For example, your IT environment may be secure, but if someone can walk through the front door of your office and access a computer with administrator-level privileges, then that's a critical vulnerability that needs to be addressed. Security audits that examine both the physical and digital workplace will cover the full spectrum of potential risks and compliance issues.
Cybersecurity Audit Checklist
The cybersecurity audit checklist will closely mirror the security audit checklist covered in the next section. However, it will focus more on digital security practices, so we have included a checklist below to help you track these differences:
- Identify goals and assessment criteria.
- List potential threats.
- Assess staff training on digital security.
- Pinpoint risks in your virtual environment.
- Examine business practices against security policies.
- Evaluate data security strategy.
- Inspect active monitoring and testing approaches.
- Update security practices based on findings.
Security Audits vs. Vulnerability Assessments
Vulnerability assessments are checks of software and IT environments to determine if existing security rules are performing as intended. For example, a user without administrative access should not be able to launch the company's HR software and delete another user. A vulnerability assessment would attempt this unauthorized action to see if the user is blocked from initiating this action or how far they can proceed if not.
Security Audits vs. Penetration Testing
Penetration testing focuses on the different ways a bad actor could attempt to access internal systems. Security teams will often run these tests as if they are the bad actors, starting from the outside and trying to work their way into an organization's network. Penetration testing proves whether existing tools and procedures are providing adequate protection and uncovers gaps for the security team to plug.
Vulnerability assessments and penetration testing may be conducted as part of a security audit, but your security team will also perform these evaluations to further examine risks identified from your audit or as standalone tests, so it's important to understand the distinctions.
Security Audit Checklist
Now that you understand what security audits are and why they matter, let’s run through a checklist of different focus areas.
1. Identify your goals and assessment criteria.
Naming goals will assist your team with identifying the results that you are aiming to achieve with your audit. Goals also set benchmarks to measure the organization's current security posture.
Assessment criteria will serve as signposts to different areas for your team to examine. Having established criteria allows your team to evaluate every system and security process against predefined metrics to ensure consistency in analysis for your reporting.
2. List potential threats.
Depending on the industry you work in, threats to your organization may be different. For example, a government agency may be targeted by state-sponsored hackers more often than a small legal firm. Naturally, it makes sense to identify the most relevant threats to your organization so you can fine-tune your defenses and stop them.
This activity will also help your audit team define the scope of your audit and better search for vulnerabilities in the later stages.
3. Assess employee training.
Employees form another part of your defenses, and many cyberattacks target them specifically through phishing and social engineering. This means that adequate security training is critical when equipping your employees to recognize threats and respond.
Part of your audit should examine what security policies are in place for employees and if they understand and react appropriately to these rules. If there is any gap in your employee's knowledge or compliance, then you should address this gap with updated training or new courses in the final stage.
4. Pinpoint risks in your environment.
In this stage, your audit team will dive deep into your physical and digital work environments. They will start with a full inventory of existing systems, tools, and environments (digital and physical) then compare against current security policies.
Are all systems up to date with the latest patches? Are there unidentified devices or unauthorized applications on the network? These findings will be cataloged, and this data will inform your strategy changes in the next stage.
Another benefit to routine system audits is that they often identify software that is no longer in use or multiple tools that have overlapping use cases. For example, one team is using Slack while another is using Microsoft Teams. Not only does consolidating tools reduce costs, but it also reduces the number of systems to audit and removes potential intrusion pathways.
5. Update security practices.
Now that you have a complete picture of where your organization's security practices stand, implement solutions to address the risks you've discovered. These fixes should be prioritized based on the impact on employees' workflows, severity of the vulnerability, and resources required.
For example, a low-impact change such as requiring routine password updates will not demand entirely new tools or system overhauls and can prevent bad actors from moving laterally between systems if they compromise one employee's password.
However, a fix that is resource-intensive but addresses a major vulnerability is still important. You'll just need to ensure you've given adequate planning to a smooth rollout for your employees. Tools lessen the burden on your security team for many of the more manual processes of the security audit.
Security Audit Tools
Security audits are a large undertaking. If your organization has never conducted one before, it can be intimidating to consider all the activities you'll need to perform. Fortunately, there are tools custom built to aid with the security audit process. We'll overview a few here.
Nmap is an open-source tool designed to rapidly scan large networks. Nmap uses raw IP packets to determine dozens of characteristics about your network, including available hosts, available services on those hosts, and firewalls in use. It is supported on all major operating systems and comes with additional tools for more insights into scan results, such as Ndiff to compare current and previous findings to identify patterns.
OpenVAS is an open-source vulnerability scanner. It offers unauthenticated and authenticated testing to check for internal and external network exploits across internet protocols. Additional plugins are available to optimize OpenVAS for your organization's unique use case, and its more than 100,000 network vulnerability tests are continually fine tuned using threat intelligence from its parent organization, Greenbone Networks.
Price: Free with custom paid plan available — contact Rapid7 for pricing
Metasploit is an exploitation testing framework designed to facilitate the tasks of attackers. Security teams use this tool to test vulnerabilities they have identified against a demo environment configured to match their network to determine the severity of the vulnerability. A major advantage of Metasploit is that it allows any exploit and payload to be combined in tests, offering more flexibility for security teams to assess risks to their environment.
Metasploit is supported on both Unix and Windows.
4. Netwrix Auditor
Price: Free trial with paid plans available
Netwrix Auditor is an auditing tool for IT systems designed to consolidate discovery and reporting. It identifies sensitive data across your systems and records user permissions and activity around this data. Netwrix Auditor also provides risk assessments to identify weaknesses and automated reports of findings, including reports tailored to specific regulatory requirements and industry standards.
Conducting Your Security Audit
Now that you know what a security audit is, what to look for during an audit, and tools that will support your audit, the next step is to build your own security audit strategy. The scope and frequency of your audits will depend on what makes sense for your organization. For example, if you have a small security team, then less frequent audits may be necessary until you can add additional personnel or tools to automate processes.
The most crucial factor of a security audit is that you do it regularly. Any audit strategy will pay dividends by providing a better picture of your organization's security posture and where to focus your efforts to strengthen your defenses.