IT Auditing, Risk Management and Incident Handling
Organizations today are under constant pressure to secure themselves against cyber attacks and to have a plan for reacting when an attack does occur. At the same time, they must stay compliant with a growing number of regulatory requirements imposed by governments and economic blocs. These requirements often cover exactly the assets, user data above all, that cyber criminals go after.
For instance, there are many laws governing user data, and attackers have an insatiable demand for it. If an organization holding user data is breached and the data stolen, it has to bear the cost of non-compliance with those regulations on top of the customers it loses because of the attack. Given the severity of these consequences, organizations have put more effort into avoiding them.
They therefore carry out IT audits to find weaknesses in the IT infrastructure and fix them before disaster strikes. Since it is impossible to be 100% secure, organizations are also focusing on cyber resilience and investing in robust incident handling. This blog post discusses these cyber security approaches under the following topics:
- IT auditing
Part 2 of the blog post will cover
- Risk Management
- Incident handling
IT auditing
IT auditing refers to the examination of an organization's entire IT infrastructure. It has since been extended to cover the security policies, standards, and procedures the organization has established as well. A complete audit can therefore determine whether an organization has adequate controls to protect its IT assets and data and to support its business goals. The following is a more in-depth explanation of why organizations carry out IT audits:
To evaluate the systems, policies, and processes that secure the organization
With the rise in cyber attack incidents, IT security managers have been prompted to add more security solutions to their infrastructure. These range from physical access controls to software access controls, since hardware and software security are of equal concern. All of these solutions need to be assessed periodically to confirm that they are working as intended.
IT audits go through the configurations and processes behind these solutions to identify gaps that attackers could exploit. Where gaps are found, the audit team can give clear direction on what must be done to close them. Security policies are also an area of interest during an audit. They cover the whole scope of the IT infrastructure and include both internal and external security controls, so flawed policies, standards, or procedures can turn into real security problems later on.
In addition, auditing helps to determine compliance with the security policies. If, for instance, the policy requires a complex password of at least 8 characters, an audit can reveal whether the systems actually enforce that requirement and whether some employees' accounts have slipped outside it (stale passwords, expiry disabled, weak hashing, or no password at all). The auditor never needs the passwords themselves; the evidence comes from the enforced configuration and the account records.
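A compliance check of the kind just described is mostly a comparison of what the systems are actually configured to enforce, and what their account records show, against the written policy. The following is an added example, not code from the original post: it parses a constructed /etc/security/pwquality.conf excerpt and a constructed /etc/shadow excerpt (the account names, hashes and dates are all made up) and reports every deviation from a hypothetical policy of complex passwords of at least 8 characters rotated at least every 90 days.

```python
"""Audit Linux password-policy enforcement and local accounts against a written policy.

Added illustration; the policy values, file contents and account names are
hypothetical. /etc/shadow field order is:
name:hash:lastchange:min:max:warn:inactive:expire:reserved, where lastchange
is the number of days since 1970-01-01.
"""
from datetime import date, timedelta

# The written policy the audit checks against (hypothetical values).
POLICY = {"min_length": 8, "max_age_days": 90, "min_classes": 3}

# Hash prefixes the policy accepts. "$1$" (MD5) and legacy DES hashes
# (no "$" prefix at all) are flagged as weak.
STRONG_PREFIXES = ("$6$", "$y$", "$7$", "$5$")

EPOCH = date(1970, 1, 1)
TODAY = date(2024, 6, 1)  # fixed so the sample data stays reproducible


def days_since_epoch(d):
    return (d - EPOCH).days


def _lastchg(days_ago):
    return days_since_epoch(TODAY - timedelta(days=days_ago))


# Constructed sample input: what an auditor might export from a host.
SAMPLE_SHADOW = "\n".join([
    f"root:$6$salt$hashA:{_lastchg(30)}:0:90:7:::",        # compliant
    f"alice:$6$salt$hashB:{_lastchg(200)}:0:90:7:::",      # password older than 90 days
    f"bob:$y$salt$hashC:{_lastchg(10)}:0:99999:7:::",      # expiry effectively disabled
    f"svc_backup:$1$salt$hashD:{_lastchg(5)}:0:90:7:::",   # MD5 hash
    f"guest::{_lastchg(1)}:0:90:7:::",                     # empty password field
    "daemon:*:19000:0:99999:7:::",                         # locked, not auditable
    "nobody:!:19000:0:99999:7:::",                         # locked, not auditable
])

SAMPLE_PWQUALITY = """
# constructed /etc/security/pwquality.conf
minlen = 6
minclass = 2
"""


def parse_pwquality(text):
    """Return the key = value settings from a pwquality.conf-style file."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key] = int(value)
    return settings


def audit_password_policy(settings):
    """Findings about what the system is configured to enforce."""
    findings = []
    minlen = settings.get("minlen", 0)
    if minlen < POLICY["min_length"]:
        findings.append(f"minlen={minlen} is below the policy minimum of {POLICY['min_length']}")
    minclass = settings.get("minclass", 0)
    if minclass < POLICY["min_classes"]:
        findings.append(f"minclass={minclass} is below the policy minimum of {POLICY['min_classes']}")
    return findings


def audit_shadow(text, today=TODAY):
    """Findings per account, as (name, reason) tuples. Locked accounts are skipped."""
    findings = []
    today_days = days_since_epoch(today)
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue
        name, pw, lastchg, _min, maxdays = fields[:5]
        if pw.startswith(("*", "!")):
            continue  # locked account: nothing to audit
        if pw == "":
            findings.append((name, "empty password field: login is possible without a password"))
            continue
        if not pw.startswith(STRONG_PREFIXES):
            algo = pw[:3] if pw.startswith("$") else "legacy DES"
            findings.append((name, f"weak password hash ({algo})"))
        if maxdays == "" or int(maxdays) > POLICY["max_age_days"]:
            findings.append((name, f"maximum password age {maxdays or 'unset'} exceeds {POLICY['max_age_days']} days"))
        if lastchg:
            age = today_days - int(lastchg)
            if age > POLICY["max_age_days"]:
                findings.append((name, f"password is {age} days old, policy allows {POLICY['max_age_days']}"))
    return findings


def run_audit(pwquality_text=SAMPLE_PWQUALITY, shadow_text=SAMPLE_SHADOW):
    return {
        "policy": audit_password_policy(parse_pwquality(pwquality_text)),
        "accounts": audit_shadow(shadow_text),
    }


if __name__ == "__main__":
    report = run_audit()
    for finding in report["policy"]:
        print("POLICY  ", finding)
    for name, reason in report["accounts"]:
        print("ACCOUNT ", name, "-", reason)
```

On the sample data the policy section reports that the host enforces a 6-character minimum with 2 character classes, i.e. the written 8-character complex-password rule is not actually enforced, and the account section flags alice (stale password), bob (expiry disabled), svc_backup (MD5 hash) and guest (no password) while leaving root and the locked system accounts alone. On a real host the inputs would be read from the files themselves, with the audit run as root since /etc/shadow is not world-readable.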
To determine the risks to the company’s assets
IT auditing helps uncover risks to the organization. As mentioned earlier, auditors comb through the organization's internal and external security controls, and in doing so they uncover the risks associated with each. They also review the organizational security policies.
Policies that are inadequate, or that do more harm than good, can be discovered during the audit. An audit touches many things and essentially works through every part of the organization, from systems to physical security installations, specifically to find whatever flaws or vulnerabilities the organization has. At the end of an audit, the organization has a near-complete picture of the risks it faces.
To ensure that the organization is compliant with the relevant regulations
The IT sector is full of external regulations imposed on organizations. Since an organization's systems may be used by people from anywhere in the world, there may be more laws to follow than the organization is aware of. The GDPR is the obvious example: although it is an EU regulation, it applies to any organization, wherever it is based, that processes the personal data of people in the EU when offering them goods or services or monitoring their behaviour, so it has affected organizations worldwide. There are other examples of laws enacted in one region but applying well beyond it.
This is a consequence of the internet connecting users worldwide. If you set up an online shop that requires registration with a user's personal details, you have to take the GDPR into account: a person in the EU may register on your site, and if they report it as non-compliant you may face a heavy fine (up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher, for the most serious infringements). The strength of auditing is that it is comprehensive. It works through the organization and identifies the areas where compliance is required, and because auditors are experienced in this they can quickly pinpoint where the organization has overlooked it.
This can save the organization a great deal of trouble, particularly lawsuits and fines for non-compliance.
To determine inefficiencies in the IT infrastructure and management
The IT infrastructure in many organizations is growing more complex. There is an ongoing trend of workplace modernization: more departments are using ERPs, contractors and suppliers interact with the organization through their own systems, routine operations are being automated, and on top of this the IT department runs a broad spectrum of IT systems and solutions.
The end result is a complex IT infrastructure, and inefficiencies arise easily in such an environment. Auditing can help find them. In examining process flows, auditors may be able to tell where, or on which systems, there are unnecessary delays or where some form of interconnection is needed.
Beyond the infrastructure, auditing may also reveal inefficiencies in management. In a complex IT department, inefficiencies are especially likely in the assignment of special roles to employees. For instance, many transactions might require approval from an IT line manager who is bogged down with other tasks, so that approvals are slow. If another IT staff member were authorized to approve them, the transactions could be completed faster.
An audit team will therefore look closely at the flow of processes and the governance of the IT department. They will be keen to identify inefficiencies that result from how IT is managed and to give direction on how these can be avoided.
However, auditing has its limitations and should not be thought of as the single process that can put right everything wrong in an organization. An audit is limited to a defined scope and to a point in time. Some significant risks may not be identified through auditing at all, which is why a risk management process should be running continually in the organization.
Part 2 – will come soon