Editor’s Note: This blog is part three of a five-part blog series on how to approach technology assessments and security.
An IT audit is an all-encompassing security assessment that involves reviewing and benchmarking multiple areas of your organization to identify operational practices and systems configurations that represent risk to sensitive information.
While often required for compliance or regulatory purposes (such as a GLBA or PCI DSS audit), all organizations should perform an IT audit annually as part of an overall information security program.
Why an IT Audit is Important
Information technology is a critical component of operations, and a breach of security could cause significant damage to your organization and customers. An effective information security program depends on both technology and processes.
It's vital for your organization to securely implement servers, workstations, routers and firewalls to reduce vulnerabilities and protect sensitive information. Equally important are the policies, procedures and operational practices used to configure, manage and operate systems.
Regular reviews of critical IT processes help organizations reduce potential risk. These reviews also provide the opportunity to update policies and procedures so they address emerging threats promptly.
Through the IT audit and risk assessment processes, your organization makes a number of assumptions and reaches a number of conclusions regarding its security controls. To objectively test the assumptions and conclusions, you should conduct both vulnerability scanning and penetration testing.
In part four of this series, we will cover vulnerability scanning.
Read More: Did you miss the other parts to this blog series on technology assessments and security? If so, our Insights page now hosts these blogs on risk assessment basics and performing a meaningful risk assessment.
D.J. Vogel, CISSP, CISA, QSA, PA-QSA, ASV
Partner, Security and Compliance
Kevin Bong, GSE, PMP, QSA, GCIH, GCIA, GPPA, GSEC, GCFA, GAWN
Manager, Financial Institutions, Security and Compliance
This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax or other professional advice. Please refer to your advisors for specific advice.