An IT audit is an independent evaluation of an organization's information systems, data, and security controls. The purpose of the audit is to ensure that IT controls protect assets and that IT-related risks are properly aligned with the organization's level of risk tolerance. IT audits help identify risks and confirm that controls are in place to ensure information:
- Availability - systems and data are available when needed
- Confidentiality - information is made available only to authorized parties
- Integrity - information is accurate, complete, and safeguarded from intentional, unauthorized, or accidental modification
IT Audit - Controls Evaluated
Scope
IT audits vary in scope and may include one or more of the following to ensure security controls are sufficient and effective:
- External "hacker view" penetration test of network entry points (firewalls, etc.)
- Evaluation of web applications for risks
- Social engineering (phishing) evaluation of staff
- On-site evaluation of information systems and controls
Security controls
The types of security controls evaluated by an IT audit include:
1) Technical safeguards
- Network infrastructure configurations - firewalls, routers, network segmentation, servers, storage, software applications, etc.
- Security protection systems - authentication (passwords), anti-virus, backups, encryption, logging and monitoring, etc.
- Communications - Internet connectivity, Wi-Fi, etc.
2) Physical safeguards
- Access control systems - card access systems and access logs
- Physical controls - locking cages and restricted access to media
- Logging and monitoring - access logs, cameras, and video retention
3) Administrative safeguards
- Risk assessment - preventive, detective, and corrective security controls
- Security policies - password policy, patch management policy, anti-malware policy, etc.
- Job descriptions - Chief Security Officer and IT staff
- Agreements - service providers and confidentiality
- Security training programs
- Incident response plans
- Business continuity plans
IT Audit Report
Once information gathering is complete, the IT auditor prepares an IT audit report of findings with prioritized recommendations to reduce risks and enhance security. Since a security breach can compromise systems and data, the organization should perform remediation and corrective action in a timely manner.
Organizations should consider annual IT audits. Annual audits ensure:
- The issues identified in the initial/prior audit were sufficiently addressed
- No new vulnerabilities were created when the organization remediated systems
- No new security issues have been identified
IT Auditor
Select a Certified Information Systems Auditor for your IT audit. The Certified Information Systems Auditor designation is a globally recognized certification for information system audit control, assurance, and security professionals. Certified auditors have audit experience, skills, knowledge, the ability to identify and assess vulnerabilities, report on compliance, and identify remediation/corrective action needed. The independent auditor's reports are impartial, ensuring a completely unbiased approach with recommendations that are in your best interests.