Previously, we discussed the initial planning elements of an internal security audit:
- Establishing the scope and goals
- Conducting a risk assessment
In this video, we'll cover the final elements that an entry-level analyst might be asked to complete.
The remaining elements are completing a controls assessment, assessing compliance, and communicating results. Before completing these last three elements, you'll need to review the scope and goals, as well as the risk assessment, and ask yourself some questions:
- What is the audit meant to achieve?
- Which assets are most at risk?
- Are current controls sufficient to protect those assets?
- If not, what controls and compliance regulations need to be implemented?
Considering questions like these can support your ability to complete the next element: a controls assessment.
A controls assessment involves closely reviewing an organization's existing assets, then evaluating potential risks to those assets, to ensure internal controls and processes are effective. Entry-level analysts might be tasked with classifying controls into the following categories:
- Administrative controls: related to the human component of cybersecurity. They include policies and procedures that define how an organization manages data, such as the implementation of password policies.
- Technical controls: hardware and software solutions used to protect assets, such as the use of intrusion detection systems (IDSs) and encryption.
- Physical controls: measures put in place to prevent physical access to protected assets, such as surveillance cameras and locks.
The next element is determining whether or not the organization is adhering to necessary compliance regulations. Compliance regulations are laws that organizations must follow to ensure private data remains secure. In this example, the organization conducts business in the European Union and accepts credit card payments. So they need to adhere to the General Data Protection Regulation (GDPR) and Payment Card Industry Data Security Standard (PCI DSS).
The final common element of an internal security audit is communication. Once the internal security audit is complete, results and recommendations need to be communicated to stakeholders. This communication typically includes:
- Summarizing the scope and goals of the audit
- Listing existing risks and noting how quickly those risks need to be addressed
- Identifying compliance regulations the organization needs to adhere to
- Providing recommendations for improving the organization's security posture
Internal audits are a great way to identify gaps within an organization. For example, in a previous company, an internal password audit revealed that many passwords were weak. Once identified, the compliance team enforced stricter password policies.
- Security audits are essential for identifying gaps and improving security measures within an organization.
- Internal security audits involve planning, risk assessment, controls assessment, compliance assessment, and communication.
- Audits help organizations improve their security posture and ensure adherence to compliance regulations.
Later in the course, you'll have an opportunity to complete elements of an internal security audit for a fictional company, which you can include in your professional portfolio.