Governance, Compliance, and Risk
Auditing Cybersecurity Programs

Obtain organization charts or other artifacts describing the makeup and function of the security team. Interview functional leaders to gather more information.

A security program should be expected to cover a minimal set of practices in some form or fashion, including:

  • Policy and compliance management - Defining security guidelines for the company

  • Awareness - Getting relevant security information into the hands of people who may need it

  • Vulnerability management - Helping the organization understand the risks and criticality of potential exploits and assisting with remediation

  • Security monitoring - Collecting log and alert data and detecting potential security events in the environment

  • Incident response - Dealing with viruses, breaches, or other malicious activities and helping to return the business to a normal state

Verify Adequate Policy Coverage

Obtain a copy of your company’s IT security policies. Ensure that they adequately cover your company’s IT environment. At a minimum, the policies should include coverage of the following areas:

  • Acceptable usage

  • Data classification

  • Remote access

  • Password policy

  • Client security

  • Server security

  • Logical access

Verify Stakeholder Buy-In

Ensure that key stakeholders were included during policy creation. Obtain a list of the employees involved in creating and approving the IT security policies, and confirm that it includes representatives of the groups expected to comply with the policies, such as the IT organizations that operate the affected systems.

Verify Processes Around the Policies

Review the processes for periodically reviewing and updating the policies to ensure that they keep up with the ever-changing IT environment. Look for evidence that these processes have been executed.

Review processes for periodically evaluating changes in the environment that might necessitate the development of new policies. Look for evidence that these processes have been executed.

Ensure that provisions have been made for obtaining approved exemptions from the policy. There inevitably will be occasions when people do not think that they can comply with the policy. A defined process should be in place whereby those people can formally request an exemption from the policy. They should be required to state why they need an exemption and define the compensating controls that will be put in place.

Review the awareness and communications functions of the security team, reviewing methods to train employees on security risks and concerns.

Discuss the scope of the security awareness program with the individual in charge of that function. You should expect the following primary elements in a complete program:

  • General security training for new employees

  • Periodic security training for current employees

  • Ongoing general security awareness

  • Role-specific security training for designated functions (for example, software developers)

Review the processes for providing general security training for new hires.

Review the content to ensure that basics are covered, such as employee expectations around security, information on company security policies, key areas of concern or risk for the company, how to report security issues, and so on.

Sample records from training systems or orientations to ensure that employees attended or reviewed security material.

Ensure that training is provided on a periodic basis. Depending on risk level and industry requirements, organizations may be required to provide security training very frequently, but many companies mandate annual or biennial security training for current employees.

Review the vulnerability management function of the organization, ensuring that the team is aware of emerging threats and vulnerabilities and has processes to identify at-risk systems in the environment.

HOW

Assess the security monitoring function of the security team, reviewing log collection and alert processing and detection capabilities.

HOW

Assess the incident response function of the security team, ensuring that the organization is able to respond effectively to various kinds of security events.

HOW

Assess other functions of the security team as appropriate.

HOW

Review and evaluate policies and processes for assigning ownership of company data, classifying the data, protecting the data in accordance with its classification, and defining the data's life cycle.

HOW

Determine how security policies and security risk are handled in organizational IT processes.

HOW

Review and evaluate processes for ensuring that security personnel have the skills and knowledge necessary for performing their jobs.

HOW

Assess that metrics are collected commensurate with the goals of the security program and that metrics are reported to appropriate management personnel.

HOW

Review processes around the use of managed security service providers (MSSPs) within the security team.

HOW

Determine how the organization ensures that its security controls are effective.

HOW
