IT security audits are essential and useful tools of governance, control, and monitoring of the various IT assets of an organization. The purpose of this document is to provide a systematic and exhaustive checklist covering a wide range of areas which are crucial to an organization’s IT security. The explanations and examples offered in the document should help the IT team design and execute an effective IT security audit for their organizations. After reading this article, you should ideally be able to create your own Information Security Audit Checklist suiting your organization.
The primary audience for this document would be:
The CIO of the organization
Members of the IT department of the organization
Risk Managers or individuals in charge of ensuring organizational security.
Information Security Audit Checklist – Structure & Sections
Structure of the Checklist
For an information security audit, we recommend a simple and sophisticated design: an Excel table with three major column headings, namely Audit Area, Current Risk Status, and Planned Action/Improvement. This is a must-have requirement before you begin designing your checklist. You can customize this checklist design by adding more nuances and details to suit your organizational structure and practices.
Now that you have a basic checklist design at hand, let’s talk about the various areas and sections which you should include in your IT Security Audit checklist. Each area below also comes with some example questions.
Sections of IT Security Audit Checklist
Existence & Accessibility of Information Security Policy
Your employees are generally your first level of defence when it comes to data security. Hence it becomes essential to have a comprehensive and clearly articulated policy in place which can help the organization members understand the importance of privacy and protection. That being said, it is equally important to ensure that this policy is written with responsibility, periodic reviews are done, and employees are frequently reminded.
Here are a few questions to include in your checklist for this area:
Is there a comprehensive Information Security Policy in place?
Is the Information Security Policy regularly reviewed and updated?
Are the employees of the organization frequently informed about the Information Security Policy?
IT Security Responsibilities
You can’t just expect your organization to secure itself without having the right resources and a dedicated set of people working on it. Often, when there is no proper structure in place and responsibilities are not clearly defined, there is a high risk of breach. It is essential for the organization to have people with specific roles and responsibilities to manage IT security.
You could possibly include questions in the following manner.
Is there a specific department or a team of people who are in charge of IT security for the organization?
Are the IT Security roles and responsibilities allocated and defined?
Dealing with External Parties
It is quite common for organizations to work with external vendors, agencies, and contractors on a temporary basis. Hence, it becomes crucial to ensure that no internal data or sensitive information is leaked or lost. The organization needs to understand the associated risks, draw a clear distinction between confidential and public data, and finally ensure that proper processes are in place for access control. Even email exchanges need to be scrutinized for security threats.
Potential contenders for this section:
Have we defined and categorized the external third parties that we are dealing with?
Are necessary contracts and agreements regarding data security in place before we deal with the external parties?
Do we have enough control measures and reviews in place before we allow access to external parties?
IT Asset Management
IT Asset Management includes both the physical components, such as network equipment and computing devices, and the electronic components, such as emails and data. To keep active and accurate track of threats, you first need to know the number, type and general usage information of your assets. It is a great practice to maintain an asset information repository, as it helps in active tracking, identification, and control in a situation where the asset information has been corrupted or compromised.
Things to cover include:
Is there a master list of organizational assets? Is it categorized and easily accessible?
Is there an associated asset owner for each asset? Is he aware of his responsibilities when it comes to information security?
Are there enough provisions in place to protect the asset from cyber threats?
Information Classification
With the number of different types of data being transferred between employees of the organization, it is entirely possible that employees are unaware of how sensitive that data is. Hence it becomes essential to have useful labels assigned to various types of data which can help keep track of what can and cannot be shared. Information Classification is an essential part of the audit checklist.
A few questions that you can cover:
Is there a precise classification of data based on legal implications, organizational value or any other relevant category?
Is there enough awareness among employees regarding this classification?
Are the employees following relevant classification storage to keep information safe?
This audit area deals with the specific rules and regulations defined for the employees of the organization. Since they continuously deal with valuable information about the organization, it is important to have regulatory compliance measures in place. Processes for various scenarios, including termination of employees and conflict of interest, need to be defined and implemented.
Here are a few questions to include in your checklist for this area:
Is proper background screening of employees done before they join the organization?
Are proper non-disclosures and confidentiality agreements signed by the employees?
Are proper processes for security awareness, education, and training in place? Are appropriate disciplinary actions defined in case of a breach?
Are proper guidelines and processes for information security in place for people leaving the organization?
Physical Security and Access Control
Even though cyber threats are becoming more prevalent, an organization cannot discard the importance of having a reliable and secure physical security perimeter, especially when it comes to things like data centers and innovation labs. Right from the main campus entrance to individual room entrances, access controls need to be implemented with 24/7 monitoring.
You can try to include:
Does the physical security perimeter cover all possible entry and access routes?
Do we have employee specific access controls for particular locations?
Are the work areas secure enough to protect the organization's sensitive information?
Are the networking and computing equipment secure enough to avoid any interference and tampering by external sources?
Data Security and Backup
Phishing attempts and virus attacks have become very prominent and can potentially expose your organization to vulnerabilities and risk. This is where the importance of using the right kind of antivirus software and prevention methods becomes essential. Another critical task for an organization is regular data backups. Apart from the obvious benefits it provides, it is a good practice which can be extremely useful in certain situations like natural disasters.
Your checklist for this area should cover:
Is verified and trusted antivirus software in place on every computer and laptop?
Are regular data and software backups happening? Can we retrieve data immediately in case of some failure?
Privacy Control and Password Management
Password protection is vital to keep the exchange of information secured in an organization. Something as simple as weak passwords or unattended laptops can trigger a security breach. Organizations should maintain a password security policy and a way to measure adherence to it.
Questions to include:
Do we have systems in place to encourage the creation of strong passwords? Are we changing the passwords regularly?
Is there a provision to enforce session timeouts to avoid extended exposure?
Security and Threat Incident Management
Out of all the areas, it would be fair to say that this is the most important one when it comes to internal auditing. An organization needs to evaluate its threat management capability in an unbiased manner and report any shortcomings accurately. A robust system and process need to be in place which starts with the actual reporting of security incidents, monitoring those incidents and eventually managing and solving those incidents. This is where the role of the IT security team becomes paramount.
Cover things like:
Are all security incidents captured and reported through the right channels?
Is there a clearly defined and documented security incident response plan in place?
Business Continuity Management
Business continuity management is an organization’s elaborate plan defining the way in which it will respond to both internal and external threats. It ensures that the organization is taking the right steps to effectively plan and manage the continuity of business in the face of risk exposures and threats. The British Security Industry Association (BSIA) advocates integrating the business continuity plan with the security policy; thus, it becomes an essential part of our checklist.
Checklist to cover this area:
Have we identified our most valuable assets and the critical threats associated with them?
Have we identified various scenarios which can cause immediate disruption and damage to our business operations? Is there a plan to proactively prevent that from happening?
This area covers all the legal, technical and Intellectual Property standards that are necessary for an organization to maintain. All these standards are defined at an industry level and are generally approved by the primary regulatory body. It is essential for organizations to adhere to these standards. For example, the recent GDPR policy change is a crucial aspect of compliance.
Checklist for this area should cover:
Are we following the latest legal, technical and IP standards in our systems and processes?
Is there a frequent review of these standards?
Sample Information Security Audit Checklist Templates (Free to Download)
These templates are sourced from a variety of web sources. Please use them only as samples for gaining knowledge on how to design your own IT security checklist. There is no one-size-fits-all option for the checklist. It needs to be tailored to match your organizational requirements, the kind of data used and the way the data flows internally within the organization.
That’s it. You now have the necessary checklist to plan, initiate and execute a complete internal audit of your IT security. Keep in mind that this checklist is aimed at providing you with a basic toolkit and a sense of direction as you embark on the internal audit process. It is eventually an iterative process, which can be designed and tailored to serve the specific purposes of your organization and industry.
If this is your first audit, this process should serve as a baseline for all your future inspections. The best way to improve is to keep comparing with the past review and implement new changes as you encounter success and failure. The habit of planning and executing this exercise on a regular basis will help in creating the right atmosphere for security review and will ensure that your organization remains in the best possible condition to protect against any unwanted threats and risks.