IT Audit - Identify and Reduce your Risks


An IT audit is an independent evaluation of an organization's information systems, data, and security controls. Its purpose is to confirm that IT controls protect assets and that IT-related risks are aligned with the organization's level of risk tolerance.

IT audits help identify risks and confirm that controls are in place to protect information:

  • Availability - systems and data are available when needed
  • Confidentiality - information is made available only to authorized parties
  • Integrity - information is accurate, complete, and safeguarded from intentional, unauthorized, or accidental modification

IT Audit - Controls Evaluated
Scope
IT audits vary in scope and may include one or more of the following to confirm that security controls are sufficient and effective:

  • External "hacker view" penetration test of network entry points (firewalls, etc.)
  • Evaluation of web applications for risks
  • Social engineering (phishing) evaluation of staff
  • On-site evaluation of information systems and controls

Security controls
The types of security controls evaluated by an IT audit include:

1) Technical safeguards

  • Network infrastructure configurations - firewalls, routers, network segmentation, servers, storage, software applications, etc.
  • Security protection systems - authentication (passwords), anti-virus, backups, encryption, logging and monitoring, etc.
  • Communications - Internet connectivity, Wi-Fi, etc.
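As an added illustration of what evaluating technical safeguards looks like in practice (this is example code written for this page, not Altius IT's audit tooling), the script below runs the kind of automated evidence checks an auditor might apply to an exported firewall ruleset and a password-policy export: flagging permissive any/any/any allow rules, cleartext management protocols, allow rules that bypass logging, and weak authentication settings, then ordering the findings by severity as an audit report would. The rules, policy values, severity scheme and baseline thresholds (minimum length 12, lockout enabled, MFA required) are all constructed assumptions, not values taken from the page.

```python
"""Added example: automated checks over technical-safeguard configuration.
Illustration only, not Altius IT's tooling; every rule, policy value and
threshold here is constructed sample input."""
from dataclasses import dataclass

# Assumed ordering for the report (assumption, not from the page)
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}

# Assumed cleartext management protocols that should not be reachable (assumption)
CLEARTEXT_PORTS = {"21": "FTP", "23": "Telnet", "80": "HTTP"}


@dataclass(frozen=True)
class FirewallRule:
    name: str
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    port: str     # TCP port as a string, or "any"
    action: str   # "allow" or "deny"
    logged: bool  # does a match on this rule write to the log pipeline?


def audit_firewall(rules):
    """Return (rule_name, severity, message) findings for a simple ruleset."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules are not a weakness in themselves
        if r.src == "any" and r.dst == "any" and r.port == "any":
            findings.append((r.name, "HIGH", "any/any/any allow rule defeats network segmentation"))
        if r.port in CLEARTEXT_PORTS:
            findings.append((r.name, "HIGH",
                             f"{CLEARTEXT_PORTS[r.port]} reachable from {r.src}: credentials travel in cleartext"))
        if not r.logged:
            findings.append((r.name, "MEDIUM", "allow rule without logging leaves no audit trail"))
    return findings


def audit_password_policy(policy):
    """Check an exported password policy against an assumed baseline."""
    findings = []
    if policy.get("min_length", 0) < 12:
        findings.append(("password_policy", "MEDIUM",
                         f"minimum length {policy.get('min_length')} below baseline of 12"))
    if policy.get("lockout_threshold", 0) == 0:
        findings.append(("password_policy", "HIGH", "no account lockout: online password guessing is unlimited"))
    if not policy.get("mfa_required", False):
        findings.append(("password_policy", "HIGH", "MFA not required for interactive logins"))
    return findings


def prioritized_report(rules, policy):
    """Merge findings and order them highest severity first, then by control name."""
    findings = audit_firewall(rules) + audit_password_policy(policy)
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[1]], f[0]))


# Constructed sample input representing a weak configuration
SAMPLE_RULES = [
    FirewallRule("web-in", "any", "10.0.1.10", "443", "allow", True),
    FirewallRule("mgmt-telnet", "any", "10.0.0.1", "23", "allow", False),
    FirewallRule("lab-open", "any", "any", "any", "allow", False),
    FirewallRule("default-deny", "any", "any", "any", "deny", True),
]
SAMPLE_POLICY = {"min_length": 8, "lockout_threshold": 0, "mfa_required": False}

# Constructed sample input representing the same controls after remediation
HARDENED_RULES = [
    FirewallRule("web-in", "any", "10.0.1.10", "443", "allow", True),
    FirewallRule("mgmt-ssh", "10.0.9.0/24", "10.0.0.1", "22", "allow", True),
    FirewallRule("default-deny", "any", "any", "any", "deny", True),
]
HARDENED_POLICY = {"min_length": 14, "lockout_threshold": 5, "mfa_required": True}


if __name__ == "__main__":
    for name, severity, message in prioritized_report(SAMPLE_RULES, SAMPLE_POLICY):
        print(f"[{severity:6}] {name}: {message}")
    print("hardened configuration findings:", prioritized_report(HARDENED_RULES, HARDENED_POLICY))
```

Running the script prints seven findings for the weak configuration (four HIGH, three MEDIUM) and none for the hardened one; the second run is the kind of evidence a follow-up audit collects to confirm that prior findings were remediated without introducing new ones.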

2) Physical safeguards

  • Access control systems - card access systems and access logs
  • Physical controls - locking cages and restricted access to media
  • Logging and monitoring - access logs, cameras, and video retention

3) Administrative safeguards

  • Risk assessment - preventive, detective, and corrective security controls
  • Security policies - password policy, patch management policy, anti-malware policy, etc.
  • Job descriptions - Chief Security Officer and IT staff
  • Agreements - service providers and confidentiality
  • Security training programs
  • Incident response plans
  • Business continuity plans

IT Audit Report
Once information gathering is complete, the IT Auditor prepares an IT audit report of findings with prioritized recommendations to reduce risks and enhance security.  Since a security breach can compromise systems and data, the organization should perform remediation and corrective action in a timely manner.

Organizations should consider annual IT audits.  Annual audits ensure:

  • The issues identified in the initial/prior audit were sufficiently addressed
  • No new vulnerabilities were created when the organization remediated systems
  • Security issues that have arisen since the prior audit are identified

IT Auditor
Select a Certified Information Systems Auditor for your IT audit.  The Certified Information Systems Auditor designation is a globally recognized certification for information system audit control, assurance, and security professionals. Certified auditors have audit experience, skills, knowledge, the ability to identify and assess vulnerabilities, report on compliance, and identify remediation/corrective action needed. The independent auditor's reports are impartial, ensuring a completely unbiased approach with recommendations that are in your best interests. 



Tags: it audit | security audit | it security | cyber security | network security | data security



Certified Auditors

Certified Information Systems Auditors
Altius IT's auditors are board certified to audit your IT systems and issue reports and opinions on your security. We help you identify, manage, and reduce your risks. Our comprehensive audit service uncovers gaps in your existing defenses so that you can better:

  • Fortify your network infrastructure
  • Comply with regulatory requirements
  • Protect your valuable assets

Contact us for more information on our IT audit services.