Auditing Cybersecurity Programs
Obtain organization charts or other artifacts describing the makeup and function of the security team. Interview functional leaders to gather more information.
A security program should be expected to cover a minimal set of practices in some form or fashion, including:
Policy and compliance management - Defining security guidelines for the company
Awareness - Getting relevant security information into the hands of people who may need it
Vulnerability management - Helping the organization understand the risks and criticality of potential exploits and assisting with remediation
Security monitoring - Collecting log and alert data and detecting potential security events in the environment
Incident response - Dealing with viruses, breaches, or other malicious activities and helping to return the business to a normal state
Obtain a copy of your company’s IT security policies. Ensure that they adequately cover your company’s IT environment. At a minimum, the policies should include coverage of the following areas:
Acceptable usage
Data classification
Remote access
Password policy
Client security
Server security
Logical access
Ensure that key stakeholders were included during policy creation. Obtain a list of the employees involved in creating and approving the IT security policies, and confirm that it includes representatives of the groups expected to comply with the policies, such as the IT organizations.
Review processes for periodically reviewing and updating the policies to ensure that they keep up with the ever-changing IT environment. Look for evidence that these processes have been executed.
Review processes for periodically evaluating changes in the environment that might necessitate the development of new policies. Look for evidence that these processes have been executed.
Ensure that provisions have been made for obtaining approved exemptions from the policy. There inevitably will be occasions when people do not think that they can comply with the policy. A defined process should be in place whereby those people can formally request an exemption from the policy. They should be required to state why they need an exemption and define the compensating controls that will be put in place.
Discuss the scope of the security awareness program with the individual in charge of that function. You should expect the following primary elements in a complete program:
General security training for new employees
Periodic security training for current employees
Ongoing general security awareness
Role-specific security training for designated functions (for example, software developers)
Review the processes for providing general security training for new hires.
Review the content to ensure that basics are covered, such as employee expectations around security, information on company security policies, key areas of concern or risk for the company, how to report security issues, and so on.
Sample records from training systems or orientations to ensure that employees attended or reviewed security material.
Ensure that training is provided on a periodic basis. Depending on risk level and industry requirements, organizations may be required to provide security training very frequently, but many companies mandate annual or biennial security training for current employees.
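As an added example (not part of the original checklist), a small Python audit test for the sampling steps above. It runs over constructed roster and training records and an assumed role-to-course mapping, flagging new hires trained late or not at all, employees whose refresher is past the mandated period (annual by default, biennial if the period is changed), and designated roles missing their role-specific course.

```python
from datetime import date, timedelta

# Constructed sample data; not exported from any real HR or training system.
ROSTER = [
    {"id": "E001", "hired": date(2022, 1, 10), "role": "developer"},
    {"id": "E002", "hired": date(2024, 5, 20), "role": "finance"},
    {"id": "E003", "hired": date(2021, 9, 1), "role": "developer"},
    {"id": "E004", "hired": date(2024, 6, 3), "role": "sales"},      # new hire, still inside window
    {"id": "E005", "hired": date(2024, 3, 1), "role": "sales"},      # past window, nothing on record
]
TRAINING = [
    {"id": "E001", "course": "general", "completed": date(2022, 1, 20)},
    {"id": "E001", "course": "general", "completed": date(2024, 2, 1)},
    {"id": "E001", "course": "secure-coding", "completed": date(2023, 11, 5)},
    {"id": "E002", "course": "general", "completed": date(2024, 5, 25)},
    {"id": "E003", "course": "general", "completed": date(2022, 10, 1)},
]
# Assumed mapping of designated functions to their role-specific course.
ROLE_COURSES = {"developer": "secure-coding"}


def audit_training(roster, training, as_of, new_hire_days=30, refresh_days=365):
    """Return (employee id, issue) pairs for every training gap found.

    new_hire_days: days after hire by which general training must be complete.
    refresh_days:  maximum age of the latest general training (365 = annual,
                   730 = biennial).
    """
    by_emp = {}
    for rec in training:
        by_emp.setdefault(rec["id"], {}).setdefault(rec["course"], []).append(rec["completed"])

    findings = []
    for emp in roster:
        eid = emp["id"]
        courses = by_emp.get(eid, {})
        general = sorted(courses.get("general", []))
        if general:
            if general[0] - emp["hired"] > timedelta(days=new_hire_days):
                findings.append((eid, "new-hire training completed late"))
            if as_of - general[-1] > timedelta(days=refresh_days):
                findings.append((eid, "periodic refresher overdue"))
        elif as_of - emp["hired"] > timedelta(days=new_hire_days):
            # No record at all, and the new-hire grace period has already passed.
            findings.append((eid, "no general training on record"))
        required = ROLE_COURSES.get(emp["role"])
        if required and required not in courses:
            findings.append((eid, f"missing role-specific course: {required}"))
    return findings


if __name__ == "__main__":
    for eid, issue in audit_training(ROSTER, TRAINING, date(2024, 7, 1)):
        print(f"{eid}: {issue}")
```

Swap the constructed lists for exports from the real roster and learning-management system, and set `refresh_days` to the period the policy actually mandates.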