How to carry out a successful network security audit

Date: 15 August 2017 Author: David Webb

As the professional responsible for your organisation’s IT security, you should insist on an annual network security audit if you haven’t already. There’s no time to waste, with 90-million cyber attacks occurring on average each year and costing about $400-billion globally last year. It’s also becoming increasingly common for potential associates, suppliers and customers to request your latest network security audit before deciding to do business with your organisation. 

On the other hand, if you’re an IT professional in a financial institution, you will already have the next network audit booked into your schedule. But if you’ve brought in outside auditors, can you be sure they’ll do their job properly?

Here’s how to carry out a network audit that will give you peace of mind when it comes to the security, reliability and functionality of your company’s network.

How to plan for a successful network security audit

When working with external auditors, be clear about the rules of engagement to get the most from your network security audit. This should include selecting an organisation that relies on established security experience rather than checklists, setting down a security baseline through annual audits, and defining your objectives. You should also include business unit managers in audit planning and, lastly, clearly establish that your company’s risks are reflected in the auditor’s report.

The benefits of carrying out a pre-audit self-evaluation can never be overemphasised. There are several resources that can help your organisation become more effective at business and security measurements. Just be as thorough as you can be. Taking it easy on yourself defeats the object of the exercise, because when your auditors arrive, they certainly will not.

Overview of a network security audit

An audit will typically include:

  • Practices—established policies being followed by users and how information is used.
  • Information handling—processes that govern how information is accessed, moved around, and by whom.
  • Environment—which parts of the system specific users have access to and at what times.
  • Hardware configuration—devices and the security that protects them.
  • Software configuration—software and the security that protects it.

A-Z network security checklist

Your audit should include the following, to ensure that your network performs as well as it should:

Backups: your tape rotation system should track the age, purpose and location of all tapes. Tapes used to back up highly sensitive data should never be used for less secure data.

Workstations: workstations should always be as secure as your servers. Unlike your servers that are safe and sound in your data centre, laptops are often exposed in airport lounges or coffee shops.

Email: audit your inbound and outbound filtering for internal users and your customers. Mail filtering software should protect you from all email threats, from spam and malware to phishing attacks. Make sure you are protected against directory harvest attacks.

File shares: your data should be secured with strong, transparent encryption.

Internet access: secure internet access with an internet monitoring solution.

Log correlation: if you have a number of servers, it’s especially important to use a logging solution that allows you to peruse and correlate the logs from all of them.

Network equipment: assess security and maintenance of your network infrastructure.

Policies: critically evaluate the effectiveness of your policies. There needs to be top-to-bottom buy-in of your network security policies for them to be effective and to form the basis of all security decisions. Policies should cover these areas: network security, internet access, remote access, privacy, acceptable use, email and communications, BYOD and encryption.

Provisioning servers: since your servers are where your company’s most valuable data sits, your ability to secure your servers against cyber threat in all its forms should be assessed with an especially critical eye.

Remote access: your audit must include an approved method for remote access.

Time: your business should use a central form of time management on network gear, servers and workstations. This will ensure all systems are in step and ease the correlation of logs and events.
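The log correlation and time items above depend on each other, as this added example shows (it is not from the original article). It normalises timestamps from several hosts to UTC and groups events by source address. The log format, host names, addresses and the `skew` parameter are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines: "<ISO 8601 timestamp with offset> <host> <source IP> <event>"
SAMPLE_LOGS = [
    "2017-08-15T09:14:02+02:00 fw01 203.0.113.7 vpn_login_failed",
    "2017-08-15T07:14:05+00:00 web01 203.0.113.7 admin_login_failed",
    "2017-08-15T03:14:09-04:00 db01 203.0.113.7 auth_failed",
    "2017-08-15T07:40:00+00:00 web01 198.51.100.20 admin_login_ok",
]

def parse_line(line):
    """Split one line and normalise its timestamp to UTC."""
    stamp, host, src, event = line.split()
    when = datetime.fromisoformat(stamp).astimezone(timezone.utc)
    return {"time": when, "host": host, "src": src, "event": event}

def correlate(lines, window_seconds=30, skew=None):
    """Return {src: [events]} for sources seen on 2+ hosts within the window.

    skew maps host -> seconds its clock runs fast (hypothetical drift,
    used to show what an unsynchronised host does to the result).
    """
    skew = skew or {}
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        ev["time"] += timedelta(seconds=skew.get(ev["host"], 0))
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["time"])
        # Take each event as a window start and collect what follows within the window.
        for i, first in enumerate(events):
            cluster = [e for e in events[i:]
                       if (e["time"] - first["time"]).total_seconds() <= window_seconds]
            if len({e["host"] for e in cluster}) >= 2:
                findings[src] = cluster
                break
    return findings

if __name__ == "__main__":
    for src, cluster in correlate(SAMPLE_LOGS).items():
        print(src, [(e["time"].isoformat(), e["host"], e["event"]) for e in cluster])
```

With synchronised clocks, the three failed logins from one address line up across the firewall, web server and database; passing `skew={"db01": 300}` drops the database event out of the cluster, which is the gap a central time source closes.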

User accounts: possibly the weakest point in your network security—a hard lesson Yahoo learned in 2013 when 1-billion of its user accounts were compromised. Take the opportunity to give your user accounts more than a cursory assessment during the audit.

Vulnerability scanning: your scanning application should be configured to scan your entire external address space regularly, at least weekly.

Wireless: don’t forget to evaluate the security of your wireless networking.

What a successful network security audit should yield

Once your external audit is complete, make sure the auditor’s report includes these five aspects of your network security:

  1. Exploitation probability
  2. Service interruption risk
  3. Impact of exposure
  4. Possible legal liability
  5. Actions to fix problems

If keeping on top of the latest developments in cybersecurity is beyond your company’s means and skill, now might be the time to consider which security functions your company can outsource.

Our guide to cybersecurity can help provide you with a better plan.

The guide includes:

  • In-depth explanation of the many faces of cyber threats
  • How cybersecurity is likely to impact your business
  • Fundamentals of cybersecurity
  • How to make your business more secure