Cyber Auditing

Cyber security audits are important to evaluate an organization's security measures and identify vulnerabilities. A cyber security audit examines technologies, policies, procedures, controls, software, hardware and assesses compliance. Regular audits should be performed according to an organization's needs and compliance requirements. Signs that an audit is needed include unexplained issues, incomplete protections, lack of policies and more. Audits can be internal or external.

Uploaded by Shubham Sarkar

Cyber Auditing

Introduction
The only way to know that your organization can meet the challenge of cyber security risk is to
perform a cyber security audit. Such an audit measures every aspect of your cyber security
program — including those parts of the program found to be lacking.

A cyber security audit lets you understand how well your technologies, policies, and people work
together to reduce risks from cyberattacks. Moreover, an audit helps to assure business continuity
when cyberattacks inevitably do occur. It can provide the foundation you need when planning a
cyber security risk management program.

Let’s also be honest, however: audits are few people’s idea of a good time. It’s a necessarily
tedious process, and can be daunting. This guide will help to keep you on the right path through
that journey. You’ll learn what to consider before beginning, and all the steps needed to reach a
successful end.

What Is a Cyber security Audit?

Cyber security is an integral part of risk management. A cyber security audit is a review of the
cyber security risks your organization faces, as well as the policies, procedures, and controls your
organization uses to keep those risks at acceptable levels.

More broadly, one could say that a cyber security audit is an opportunity to review your IT
systems, find weaknesses, and implement remediation measures to make your cyber security
stronger.

An audit will examine cyber security processes, software, and hardware. Audits assure that those
things are implemented properly, or catalog the ways in which they aren’t.

Not all audits are equal. If you recently experienced a data breach or loss, a more in-depth
assessment with more sophisticated tools is warranted. Research firm Gartner has found that
companies tend to focus their audits only on compliance issues, but focusing on risk is more
important. When you focus on reducing risk, you’re in a much better position to achieve
compliance.

A detailed cyber security audit will do the following for your organization:

● Evaluate overall data security
● Determine whether your software and hardware work the way they should
● Demonstrate compliance with legal and industry regulations
● Discover unknown vulnerabilities
● Uncover inefficiencies in your software or hardware
● Determine the adequacy of existing policies and training
● Gauge employee compliance or threats

A less detailed audit — which, under certain circumstances, could be all you need — might only
look at the following:

● Whether your software is up-to-date
● Whether cyber security roles are adequately staffed
● Whether a vulnerability scan has been run

You should perform all regularly scheduled audits. The frequency of audits that need to be
performed, however, depends on the nature of your business. Consider the following factors to
determine how often you should conduct audits:

● The types of information stored on (or accessible through) your systems
● The number of hardware and devices connected to your network
● The number and types of software systems used
● Current trends in cyberattacks
● How much an audit will disrupt your day-to-day business

Here is an example of a simple monthly audit:

1. Check that all software is up-to-date.
2. Review personnel and responsibilities.
3. Assure that hardware, databases, and services are connected to a secure network.

Your industry might also have compliance requirements that stipulate how often you should
assess your cyber security. Whenever there is a change in compliance laws such
as GDPR or HIPAA, you should conduct a fresh audit.

For companies subject to PCI DSS regulations (which govern the security of credit card data),
the large credit card issuers determine the frequency of cyber security audits. That frequency
ranges from quarterly to annually, and depends on how many credit card payments your
organization processes each year.

Who Needs a Cyber security Audit?

Everyone. In today’s world, every organization needs a regular cyber security audit.
Even the smallest and simplest businesses should take a comprehensive look at their cyber security.
An audit is critical if you haven’t specified a plan for information security versus cyber security,
as there are notable differences between the two.

Cyber security should be of particular concern to organizations that handle sensitive information.
Some organizations are also required to do cyber security audits by certain federal regulations or
industry guidelines.

Cyber security audits are not explicitly required by all major federal regulations and industry
guidelines. Many of the elements of a thorough cyber security audit, however, are also important
requirements for compliance.

Here are some compliance frameworks whose requirements are met in part through a cyber
security audit:

FISMA

● Continuous monitoring of certain controls, with documentation and reports
● Annual evaluation of information security controls
● Security controls implementation
● Learn more about FISMA compliance management software

NIST

● Detailed network mapping of sensitive data
● Listing of third-party access to sensitive information
● Risk prioritization
● Detailed documentation of password and malware/antivirus protection
● Learn more about NIST compliance management software

PCI DSS

● Web applications must be tested annually
● Penetration tests must be conducted annually
● Local network vulnerability scans must be conducted quarterly
● Learn about PCI compliance management software

Risks of Poor Cyber security

Poor cyber security brings numerous consequences for organizations. For example, the expense
of paying money to ransomware attackers has climbed into the millions of dollars for some
companies. Even small mom-and-pop companies have been forced to shell out tens of thousands
in payments after ransomware has paralyzed their businesses.

Cyber security lapses can also cause immeasurable damage to an organization’s reputation. Fair
or not, being the victim of avoidable cybercrime often makes the public skeptical of how well an
organization is run. When customers are affected by breaches, they lose trust, and often take their
business elsewhere.

Are Your Security Measures Working?

If it’s been a while since you put significant attention toward cyber security, it might be time to
reconfirm that your measures are working.

Here are some signs that you need a cyber security audit:

● You are experiencing unexplained hardware or software problems
● Firewall protections are incomplete or disorganized
● You don’t have a clear cyber security policy
● You lack existing benchmarks for cyber security performance
● It’s unclear who is in charge of various aspects of cyber security
● You lack an incident management and business continuity plan
● Your personnel have low levels of cyber security awareness
● You’ve made recent changes to your network, including hardware or software
● Businesses similar to yours have recently experienced cyberattacks

The only way to know for certain how effective your network security measures are is to conduct
an audit, which will help you identify any risks to your cyber security.

Common Threats to Business Cyber security

As technology evolves, so do cyber security threats. Each type of threat has the potential to
throw your business into disarray or hurt your customers. Common cyber security risks include:

● BYOD (bring your own device). Employees’ use of personal computers, or employees with low
levels of security awareness, can introduce malicious software or unauthorized access to your systems.
● DDoS. Your web host might shut down the site or severely slow its performance.
● Malware. Attackers can siphon and use sensitive information without being detected.
● Password theft. Cybercriminals can access sensitive information.
● Remote work. Introduces a higher risk of social engineering and increases the vulnerability of
mobile connections, password security, and information control.
● Social engineering. With a cleverly deceptive invitation from attackers, employees can
accidentally give unauthorized access or information that puts your organization or customers in
danger.
● SQL injection. Malicious third parties can retrieve sensitive information.
● Zero-Day exploits. These are new, unknown weaknesses that hackers can use to damage data
and steal information.

Internal vs. External Security Audits

Should you use a third-party auditor, or can you handle the work internally? The answer will
depend on how complex your organization is and how robust your security staffing is. Whether
internal or external, your audit team must be able to:

● Determine and conduct appropriate tests
● Understand the data
● Prioritize threats
● Set benchmarks
● Create a plan based on audit findings

Internal Audit Pros and Cons

If you have a simple business and sufficiently skilled IT or risk management employees, then an
internal audit may be the best choice for you.

Pros

● Usually much less expensive
● More control over the process
● Can be tailored to your organization

Cons

● Personnel time costs
● Might not be sufficient for regulatory or industry compliance
● Possible learning curve, depending on your security staffing
● Decisions might be affected by internal biases
● Might not have the experience to determine the appropriate scope

External Audit Pros and Cons

A complex system with lots of vulnerabilities and sensitive data might require highly trained
auditors. If your organization operates under certain regulations, your auditors might even be
required to hold specific certifications.

Generic auditing packages might do the trick, but it’s likely that they won’t address all the needs
specific to your organization. Plus, whoever is evaluating an off-the-shelf option will still need to
have a suitable level of expertise.

For these reasons, many companies outsource their audits to save time and assure that it gets
done right. If you decide this is the best route for you, you’ll still need to invest time finding a
reputable auditor to conduct the audit. An independent auditor helps to assure that the process is
objective and avoids any conflicts of interest.

You’ll want to be sure that whoever conducts the audit has a solid track record and experience.
It’s good to ask for referrals from trusted peers and to search the audit firm’s online reputation.

Pros

● Experienced professionals with formal training
● Unbiased
● May be more efficient
● Can assure compliance with regulatory and industry standards

Cons

● Might take longer
● Expense might be too much for smaller organizations
● More complex to coordinate with external auditors

Cyber security Audit vs. Cyber security Assessment

The main difference between a cyber security audit and a cyber security assessment comes down
to detail.

Audits are exacting exercises that help you to find weak processes or controls and then improve
what you’re doing; they also help a company guard against future threats. Assessments are a
lesser review that only gauges how well your controls are working; that’s all. (A thorough risk
assessment, however, can lay the groundwork that makes the audit process much smoother.)

An audit will examine every detail of your cyber security, from hardware to software to
personnel. An assessment will look at fewer details, giving you less information.

Other differences include:

● Audits are comprehensive; assessments are more focused.
● Audits can tell you what exists and what doesn’t. Assessments tell you what is effective.
● Audits often require an independent third party. Assessments do not.
● Audits can help you determine what needs further assessment.

Both audits and assessments should help guide your cyber security plan. Sometimes you don’t
need to do a full audit, and an assessment might fulfill your needs. It really depends on how big a
problem you are trying to solve.

Best Practices for Internal Cyber security Audits

An internal audit might seem like the best option after you look at your needs and your team’s
capabilities. If so, you’ll need to assure that you can cover all issues as well as an external
auditor would. Auditors must have up-to-date training on the software and systems that will be
evaluated. You’ll need to assure a high level of objectivity throughout the process.

Also remember to consider the effect the audit will have on your business as the audit happens;
some disruptions will be inevitable. Be sure everyone who will be affected knows when and how
that will happen, as well as what roles they might have to play.

Scope
You’ll first need to determine the scope of your audit. For example, do you want a
comprehensive picture of everything related to cyber security? Or do you need to focus only on
certain parts of your business? Ideally, you’ll examine the entire cyber security framework, not
just certain technologies or departments.

You might need to look at any or all of the following types of assets:

● Hardware such as computers, peripherals, servers, and personal devices
● Sensitive company information
● Sensitive customer information
● Important internal documentation

Threats
Once you’ve decided the scope, identify the threats specific to each of those areas. You will need
to make an honest assessment of your organization’s ability to defend against each one.
Depending on your business, those threats can include the following:

● BYOD. Employees allowed to “bring your own device” can introduce threats through those
devices.
● DDoS (Distributed Denial of Service). Attackers overload servers with bogus user traffic,
preventing genuine users from accessing your systems.
● Malware. Malicious software can incapacitate your systems or remain undetected for days,
weeks, or even months.
● Password theft. Cybercriminals steal or guess passwords so they can access sensitive
information.
● Social engineering. Employees are approached through phone calls, fake news sites, text
messages, and social media, and duped into taking dangerous actions.
● SQL injection. Attackers manipulate SQL queries (the commands an application sends to its
database) to retrieve sensitive information.
● Zero-Day exploits. A targeted attack against a system, network, or software that takes advantage
of a security problem not yet known to, or fixed by, the vendor.

Response
The last part of your audit is to plan the response. This part needs to be as granular and specific
as the rest of the process; every threat will need a corresponding response. Which actions to take
first will depend on how you prioritized risk.

Some threats will have quick fixes, such as software updates and data backups. Others might
take months to address fully — such as sourcing new tools or changing people’s attitudes and
behaviors. You might discover that you have a great deal of capability to respond to some threats.
You might also find threats that require outside help to address.

Either way, specificity about how each threat should be treated is crucial to combating those
threats, and to making the audit process worth all the effort.

Keep in mind, “internal” doesn’t mean no help at all. Software is available to help you streamline
your internal audit process. Reciprocity’s audit solutions can make it easier to gather data,
understand that data in a clear visual format, and share it across teams.

Cyber security Audit Checklist

Your cyber security audit will occur in three phases and cover multiple subjects. To help you in
your planning, we’ll list those phases first, followed by the subjects you’ll cover.

Phases of the Audit

1. Prepare

● All necessary stakeholders are involved.
● Scope is clearly defined.
● Possible business disruptions caused by the audit have been identified.
● Auditors are sufficiently trained and equipped.

2. Conduct

● All threats are identified.
● Measure against standards specific to the technology in use.
● Measure against standards specific to your industry.
● Know all pertinent compliance requirements.

3. Respond

● Plan next steps based on audit findings.
● Actions are specific to each threat.

Subjects of the Audit
Each of the following subjects can be broken down into an even more detailed audit checklist,
but every audit should cover the following:

● Management
● Employees
● Business practices
● IT staff
● Physical security
● Secure data
● Active monitoring and testing

Preparing for an External Cyber security Audit

Considering all the resources necessary for a thorough cyber security audit, you might decide to
hire an external auditor for the job. That will probably save you headaches, but you’ll still need
to undertake some of the same preparations to make the audit a seamless process. Here are the
important areas to review before beginning.

Having the following information documented and accessible will remove friction from an
external audit process:

● Security personnel. Make a list of relevant employees and their responsibilities. This will allow
your auditors to understand your security architecture quickly, and to easily contact the people
they need throughout the audit process.
● Network architecture. Create a visual map of all the assets on your network, how they’re
connected, and how they work together. This will help auditors identify gaps.
● Security policies. Larger organizations may have several policies that affect cyber security.
These include network access controls, remote work rules, disaster recovery/business continuity
plans, and internet use policies. Together, these documents will give auditors deeper insight into
your security practices.
● Compliance requirements. Give auditors a list of legal or industry compliance obligations that
address cyber security. This will help the auditors determine the scope of the audit, and how well
your organization is meeting compliance standards. Include any solutions for compliance you
might already use.

After the Audit: Securing Your Business Data

After the audit you’ll have a keen understanding of your organization’s security weaknesses.
Now you need a plan of action.

The next step, then, is to determine which of the risks uncovered in the audit need the most
urgent attention. As mentioned above, each threat will require a specific response. Some
solutions will be technological; others will have more to do with policies or organizational
culture.

How to Prioritize Risks
Any risks you uncover should be prioritized based on the likelihood of the risk (probability), how
damaging it would be (impact), and how prepared you are to address it (capabilities).

Prioritization is an area where objectivity is incredibly important. Here’s an easy formula to help
you figure out which risks are the most urgent. On a scale of 1 to 10, rate each of the items listed
in the previous paragraph. Add those three numbers, then divide that sum by 3 to get the risk
score.

(Probability + impact + capabilities) / 3 = risk score

To help you assign these scores, consider the broader contexts that define your threat landscape.
For example, certain types of attacks might have recently become more popular or sophisticated.
Perhaps certain trends exist in your specific industry. A highly regulated business will need to
consider compliance requirements when calculating the impact of each threat as well.

Finally, make sure threats are measured against standards that are specific to each technology
you’re evaluating. For example, you’ll want to measure your third-party access risks against
NIST standards, and your payment processing software against PCI DSS standards. This is an
area where auditors’ training and experience are important.

Remediating Security Threats
Once you’ve determined your security threats, it’s time to remediate them.

It’s very likely that the audit will leave you and your cyber security team with several follow-up
actions. They will fall into three areas: systems, people, and policies.

Here are some possible protections against the common threats we’ve already discussed, and the
category into which they fall. Keep in mind that the best solution might differ from one
organization to the next.

● BYOD. Update rules on allowable use and educate employees (policies, people).
● DDoS. Outsource additional cloud-based mitigation services (systems).
● Malware. Survey employees about cyber security awareness (people); schedule frequent
network scans (systems).
● Password theft. Require multi-factor authentication (systems).
● Social engineering. Create or enhance an employee awareness program (people).
● SQL injection. Validate and sanitize user-supplied input from web forms before it reaches the
database (systems).
● Zero-Day exploits. Implement network access control (systems) and educate employees
(people).

Compliance requirements may also overlap with your cyber threat response. If so, software
solutions like ZenGRC can help you stay secure and in accordance with different frameworks.

Create Training for Employees

For most organizations, one of the biggest threats is employees who don’t understand — or
respond to — the risks inherent in their work environments. If an audit reveals that many of your
vulnerabilities are due to user error, you can look to existing best practices in security
awareness to address your “people” problems.

The best way to eliminate such threats is to update policies and educate your employees. All
personnel should know:

● What kinds of materials, processes, and environments present potential threats
● What risks can be posed by outside contractors or vendors
● Which of employees’ own behaviors pose significant risks
● The risks of social engineering
● How policies help to thwart specific threats

It’s important to find effective ways to communicate the issues raised in your cyber security
audit. A wholesale information dump won’t be enough. It will take various, engaging forms of
education and information to make clear that your organization’s leaders have made cyber
security a priority.

Cyber security Audits Made Easy

It’s clear that the path to a secure cyber environment takes many steps. From an initial
assessment to a detailed audit to your follow-up, you now have all the information you need to
chart that course successfully.

ZenGRC takes some headaches out of auditing and supports ongoing cyber security by:

● Gathering customized evidence and reports
● Making third-party risks more visible
● Increasing visibility to address gaps and respond to incidents
● Automating routine cyber security compliance activities

Integrating compliance management software lets you tackle compliance while enabling a
smoother cyber security audit process. Automation gives you a clearer understanding of your IT
security and the ability to share that information with your audit team and stakeholders.

To learn more about how ZenGRC can help with the auditing process, schedule a demo with our
team today.
