In the 1980s, the US Air Force coined the term "cybersecurity" to describe the protection of computer networks. The term was first used in a public forum in 1985, when the Air Force published a paper on the topic.1
In the 1990s, as the Internet became more widespread, the US government created the National Institute of Standards and Technology (NIST) to develop standards for cybersecurity. In 1997, NIST published the first edition of its Special Publication (SP) 800-53 on security controls for information systems.2
Because cyberattacks have become more frequent and sophisticated in recent years, the term cybersecurity is now used to describe the protection of all aspects of computer systems and networks, including hardware, software, data and people.
As more of everyday life moves online, personal and financial information is increasingly at risk of becoming a target of a cyberattack. As such, cybersecurity is becoming a critical issue for enterprises, governments and individuals. They must take steps to protect their systems and networks and mitigate the risk of cyberattacks. The first step is to conduct a cybersecurity audit.
A cybersecurity audit empowers organizations of all sizes to help identify and mitigate their cybersecurity risk. It is a systematic examination of an organization's information security controls to determine whether they are effectively protecting sensitive data and systems.
Auditing cybersecurity is vital for organizations to achieve 6 business objectives:
- Identify and mitigate risk—Cybersecurity audits can be used to assist organizations in identifying security vulnerabilities and risk. This includes identifying the assets that need to be protected, the threats that could pose a risk to those assets and the vulnerabilities that could be exploited by attackers. By identifying and addressing this risk, organizations can reduce their likelihood of being attacked.
- Protect sensitive information—Organizations can use cybersecurity audits to meet their goal of protecting sensitive information. This includes ensuring that sensitive data are encrypted, that access to sensitive data is restricted to authorized personnel, and that security procedures are in place to protect sensitive data from unauthorized access, use, disclosure, disruption, modification or destruction.
- Comply with regulations—When cybersecurity audits are conducted regularly, enterprises feel more confident that they are not in violation of any security regulations. A cyber audit helps ensure that organizations are compliant with industry-specific regulations such as the Payment Card Industry Data Security Standard (PCI DSS) or the US Health Insurance Portability and Accountability Act (HIPAA). By complying with these regulations, organizations can reduce their risk of being penalized by regulators.
- Improve security posture—Cybersecurity audits can help organizations identify how to improve their security postures. Audits can aid in identifying gaps in security controls, outdated security policies or a lack of employee training. By making improvements to their security postures, organizations can reduce their risk of cyberattacks.
- Gain customer confidence—Customers are growing increasingly concerned about the security of their personal data. As such, cybersecurity audits can help organizations gain the confidence of their customers. By conducting regular cybersecurity audits, organizations can demonstrate to their customers that their security is being taken seriously.
- Maintain business continuity—Cybersecurity audits ensure that an organization's critical systems and data are protected, reducing the risk of disruptions to business operations due to cyber incidents.
By conducting regular cybersecurity audits, organizations can demonstrate to their customers that their security is being taken seriously.
To aid organizations in protecting their digital assets from cyberattacks, a cybersecurity audit must take into account how information assets are classified. Information assets’ importance varies based on their classification. Assets with high importance require more restrictive controls and increased assurance of such controls’ effectiveness and efficiency.
Understanding and Performing a Cybersecurity Audit
A cybersecurity audit is a systematic examination of an organization's IT infrastructure intended to identify—and, ultimately, be used to mitigate—security risk. The scope of a cybersecurity audit can vary depending on the size and complexity of the organization. However, all cybersecurity audits typically cover the following areas:
- Information security policies and procedures—The auditor must review the organization's information security policies and procedures to ensure that they are up-to-date, comprehensive and effectively implemented.
- Physical security—The auditor should assess the organization's physical security controls such as access control, perimeter security and video surveillance.
- Network security—The organization's network security controls must also be assessed. These may include firewalls, intrusion detection systems (IDS) and vulnerability scanning.
- Application security—Application security controls such as input validation, output encoding, session management, and identity and access management (IAM) should be included in the audit.
- User security—The auditor must assess the organization's user security controls (e.g., password management, training, awareness).
In addition, the auditor may also review the organization's incident response plan, disaster recovery plan and business continuity plan.
Steps to Performing a Cybersecurity Audit
A cybersecurity audit typically includes 6 steps:
- Plan and scope the audit. The auditor should have a clear understanding of the organization's IT environment, objectives and risk before conducting the audit. It is also important for the auditor to have knowledge of cybersecurity frameworks and best practices.
- Gather information, observations and data. This can be done using:
- Risk assessment—To assess the organization’s IT infrastructure to identify potential security risk. This includes identifying the assets that need to be protected, the threats that could pose a risk to those assets and the vulnerabilities that could be exploited by attackers.
- Vulnerability scanning tools—Can be used to identify any security vulnerabilities in the organization's IT infrastructure. This includes vulnerabilities in the operating system, applications and network infrastructure.
- Penetration testing—Can be conducted to simulate a real-world attack on the organization's IT infrastructure. This helps identify any security vulnerabilities that could be exploited by attackers.
- Evaluate the effectiveness of the organization's cybersecurity controls. Controls to be evaluated may include access, encryption and incident response controls.
- Review the data that have been gathered to identify any potential security vulnerabilities or risk. The auditor should also assess the effectiveness of the organization's security controls in mitigating these vulnerabilities and risk factors.
- Document the findings of the audit in a report and make recommendations for improvement. The report should be clear, concise and easy to understand. The report should also include recommendations for improvement that can be implemented by the organization to improve its security posture.
- Follow-up on the audit results to ensure that the organization implements the recommendations for improvement. The auditor should track the progress of the organization's security posture and make recommendations for further improvement as needed.
The results of a cybersecurity audit are typically documented in an audit report. The audit report identifies any security risk factors that were identified during the audit and can be used to make recommendations for how to mitigate those sources of risk.
Conclusion
Regular cybersecurity audits are critical for ensuring that an organization's security controls are up-to-date, vulnerabilities are identified and addressed, and data are properly protected. Cybersecurity audits are performed by planning and scoping the audit; gathering information, observations and data; evaluating the effectiveness of the organization's cybersecurity controls; reviewing data to identify potential security vulnerabilities or risk; documenting findings; and making recommendations for improvement. By investing in regular cybersecurity audits, organizations can reduce their risk of cyberattacks and data breaches, improve their security postures, and increase customer confidence and trust.
Endnotes
1 Snyder, D.; J.D. Powers; E. Bodine-Baron; B. Fox; L. Kendrick; M. H. Powell; Improving the Cybersecurity of US Air Force Military Systems Throughout Their Life Cycles, RAND, 2015
2 National Institute of Standards and Technology, NIST SP 800-53 Revision 5 Security and Privacy Controls for Information Systems and Organizations, USA, 2020
Osman Azab, CISA, CISM, CRISC, CGEIT, CSAC
Is an information systems audit, security, control, risk and governance expert with more than 38 years of experience. He is recognized as an audit, assurance and governance topic leader on the ISACA® Engage platform and has participated in several ISACA review manual and job practice reviews.