Comprehensive Security Audits: Key Elements to Consider

After what has happened to Target, Home Depot, and Sony, network security is making headlines left and right and six ways to Sunday. And it’s not just multi-billion dollar companies in the crosshairs—according to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year.
When it comes down to it, we’re all at risk—even if we think our own assets aren’t particularly alluring to hackers, smaller organizations often serve as vectors into larger organizations (and are typically far less protected than those big names themselves).
Needless to say, we at Optimal have seen first-hand the kind of attention that security has been getting of late; more and more, we’re hearing questions about what it takes to make sure that an organization is truly secure.
To really dig into the state of your current IT environment and where you may be vulnerable, you’ll need to engage an outside firm to perform a comprehensive security audit. We’ve covered what these engagements may cost you, but what specifically should your audit entail, and how can you tell if you’re getting a solid assessment out of your engagement? We’ll walk through the key areas of focus below.

External vulnerabilities

The focus: Can outside forces gain access to your internal network?
This is what many of us most readily associate with the idea of a security audit. Ethical hacking. Penetration testing. Hunched-over experts poking and prodding and scanning your network from behind their machines to see where any holes may exist.
In practice, this piece takes the form of your provider running software that is specifically designed to locate vulnerabilities.

Internal Network Configurations and Operations

The focus: How does your network stack up against best practices?
Your provider will work through each piece of your network to determine where you stand, where you need to be, and—if there’s a disparity—how you can get from A to B. Specifically, they’ll be looking at:

  • What anti-virus and anti-spyware solutions are in place? Are they maintained?
  • How and when are your servers patched?
  • Your workstations?
  • How is your Active Directory set? Who can access what data?
  • What backup and disaster recovery solution do you have in place?
  • How is your firewall configured? Is its firmware updated?
  • How are your switches configured?
  • What’s the status of your warranties?
  • Your software licensing?


People & Policies

The focus: Are your people working against you?
It sounds harsh, but poor internal policy and carelessness on the part of staff members can be even more dangerous than shoddy network engineering.
Some providers will engage in social engineering, which actively tests how easily someone can pull sensitive information out of the people inside your organization. More standard is high-level IT policy review, which includes an analysis of:

  • Password policy
  • Remote access policy
  • Encryption policy
  • Mobile usage policy
  • File sharing policy


Physical Security

The focus: How easy is it for an outsider to gain physical access to your space?
Reality check: even if you have anti-virus on all of your workstations, the latest firmware updates on your firewall, and automated patching to all of your operating systems, you’re still in big trouble if your servers are sitting out in the open just waiting to be tampered with.
This section will zero in on factors like:

  • What does it take to access your office building?
  • Your office/production area itself?
  • Your server room?

In the end, all of these pieces will come together in the form of a cohesive written report with findings and recommendations for next steps. This report should be objective to the point that you could put in the hands of any IT provider, and that they could use as a roadmap to get your environment shored up. (Ideally, this document will be written in plain English so that C-level executives can use it as a reference for their technology decisions going forward.)
So there you have it—the key elements that make up a comprehensive security audit. An easy way to see if your provider will get you the results you’re looking for is to ask for a sample assessment—most providers will have a redacted report on-hand.
Beyond that, take the time to check references and to make sure that the provider you engage to perform your audit is skilled in the areas you’re most concerned about.
When your security and your data is at stake (along with a rather hefty capital investment), you can’t afford to miss the mark.

Are you looking to engage a provider to perform a comprehensive security audit?  Having trouble vetting the providers out there? Let us know--we can help.