IT security auditing consists of creating quantifiable assessments of IT assets such as servers, client computers, hardware assets, applications running on them and the data stored within.
Such assessments are important to ensure the security of these assets in the light of the threats prevalent in modern technology. In the days when data was stored on tapes and floppy disks, securing such assets was far simpler.
But in recent years, against the backdrop of some major corporate frauds that rocked the world, assessments carried out by federal agencies revealed that organisations were late in adapting to new security challenges. The result was a slew of regulatory standards such as SOX, HIPAA, GLBA and PCI to safeguard the interests of all business stakeholders.
So who can perform an audit? IT auditing can be done by federal or state regulators, external auditors, internal auditors and consultants who can help an organisation stay audit “compliant”. Traditionally, most firms relied on internal audits to meet compliance requirements. However, with changing requirements and the norm of focusing on core competencies, many organisations are now looking to outsource internal auditing.
A recent survey revealed that around 40 per cent of companies that relied on internal auditing experienced audit failure, and this figure rose to close to 60 per cent for companies that took the help of external auditors. There are two inferences to be drawn from this study. Firstly, most organisations, especially small and medium ones, are still not doing enough to ensure the security of their IT networks. Secondly, organisations that opted for external auditing reported more audit failures, probably because external auditors conducted a more in-depth audit.
Auditing, for the most part, involves a number of tasks such as assessing the physical safety of the assets, creating a list of all IT resources, and interviewing IT helpdesk staff and administrators. Internal auditing at the most basic level should start with creating a network map that lists all devices in the network, all applications running on them, the version number of each application, and who installed these applications, when and where.
Such information can be compared from one audit to the next to measure the effectiveness of the auditing strategy. A number of free auditing applications can help with the tasks mentioned above, such as Microsoft Baseline Security Analyzer, Open-AudIT and Nmap, to name a few.
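The network map described above, and the comparison between audits, can be kept in a simple structured form. The following is an added example (not code from the article or from Lepide): each record carries the fields listed above, and two snapshots are compared to report what was added, removed or changed; the host names, installer accounts, timestamps and the approved-installer check are all constructed for illustration.

```python
# Added example (not from the original article): snapshot an asset inventory
# and compare two audits. Field names, hosts and timestamps are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Asset:
    host: str           # device on the network map
    application: str    # software installed on the host
    version: str
    installed_by: str   # who installed it
    installed_at: str   # when (ISO-8601), as recorded by the inventory tool


def diff_snapshots(before: Iterable[Asset], after: Iterable[Asset]) -> Dict[str, List[Asset]]:
    """Report assets added, removed, or changed (version/installer) between two audits."""
    old = {(a.host, a.application): a for a in before}
    new = {(a.host, a.application): a for a in after}
    report: Dict[str, List[Asset]] = {"added": [], "removed": [], "changed": []}
    for key, asset in new.items():
        if key not in old:
            report["added"].append(asset)
        elif (asset.version, asset.installed_by) != (old[key].version, old[key].installed_by):
            report["changed"].append(asset)
    report["removed"] = [a for k, a in old.items() if k not in new]
    return report


def unapproved_installs(snapshot: Iterable[Asset], approved: Set[str]) -> List[Asset]:
    """Flag software installed by anyone outside the approved installer list."""
    return [a for a in snapshot if a.installed_by not in approved]


# Constructed sample: two audit snapshots of the same small network.
Q1 = [
    Asset("fileserver01", "OpenSSH", "8.9", "admin-jdoe", "2023-01-10T09:00:00"),
    Asset("workstation07", "Firefox", "109.0", "admin-jdoe", "2023-01-12T14:30:00"),
]
Q2 = [
    Asset("fileserver01", "OpenSSH", "9.3", "admin-jdoe", "2023-04-02T08:15:00"),
    Asset("workstation07", "Firefox", "109.0", "admin-jdoe", "2023-01-12T14:30:00"),
    Asset("workstation07", "TeamViewer", "15.40", "user-asmith", "2023-03-20T18:45:00"),
]

if __name__ == "__main__":
    for kind, assets in diff_snapshots(Q1, Q2).items():
        print(kind, [(a.host, a.application, a.version) for a in assets])
    print("unapproved:", [(a.host, a.application) for a in unapproved_installs(Q2, {"admin-jdoe"})])
```

In practice the snapshots would be exported from an inventory tool such as the ones named above; the diff output is what an auditor reviews between cycles.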
So why use external auditors? Considering the current security challenges facing organisations and the regulatory standards they must meet, an organisation needs to invest a fortune to become almost risk-free and compliant. And once you are on top of the auditing, sustaining it over the long term requires significant investment in resources for years.
Considering the fierce competition and tight profit margins under which many companies operate, it is logical to outsource auditing requirements to external auditors. But this is just one of the reasons.
External auditors, for whom auditing is the core competency, have the knowledge capital and agility required to respond to a fast-changing business environment and the resulting realignment that the overall auditing strategy requires.
As a decision maker, you can outsource internal auditing either partially or completely. Though full outsourcing is rare at present, many companies are moving towards a mixed approach in which certain aspects of the auditing are outsourced to external auditors.
There are a number of factors to consider before deciding “what” and “how much” to outsource. The most important factors that should guide this judgement are the organisation's competency in conducting a successful audit, the regulatory requirements it must adhere to, and whether it has the required manpower, skills and flexibility.
If implemented successfully, outsourced auditing can bring immense benefits to the organisation, such as streamlined functions, up-to-date processes, top-notch skills and, above all, a secure and risk-free IT environment.
Satyendra Tiwari is associated with Lepide Software as a manager of product testing and marketing.