IT Security Audits: The Basics and Common Compliance Audits


What is an IT Security Audit?

Security auditing is a systematic assessment of a company's information systems that identifies vulnerabilities and security gaps by measuring how well those systems comply with a set of defined standards.

Comprehensive audits evaluate the security of the physical configuration, environment, software, information processing methods, and user practices. Security audits are often part of an IT Compliance effort, used to determine compliance with laws governing how companies process information.


Why Is an IT Security Risk Assessment Important?

A central part of any security audit is to determine the degree of risk facing the organization. A risk assessment has several important benefits:

  • Justifies the financial cost of security measures—an IT security risk assessment makes clear which risks face the organization's information assets and what the consequences of a data breach would be. This helps the organization justify investment in specific measures to protect those assets.
  • Improves IT productivity—when security risks are known, IT departments can focus on proactively reviewing and remediating them rather than responding to new security incidents, which is far more intensive and time consuming.
  • Breaks down silos—a security assessment promotes collaboration between management, IT, developers, and other departments. A shared risk assessment gives everyone a common language and makes it easier to work together to mitigate risks.
  • Enables self-review—risk assessments provide clear, actionable reports that are accessible to anyone in the organization, so multiple departments can take responsibility for their share of compliance requirements.
  • Shares information—in many organizations there is limited communication between departments, and each part of the organization may have different systems and IT practices. An organization-wide risk assessment provides a platform for communication and shared responsibility.

Compliance Standards Requiring IT Security Audits

Most IT security audits are conducted because of regulations or compliance standards the organization is bound by. In many cases, external auditors investigate organizational systems to check for non-compliance, and if the organization fails the audit, there may be fines or other penalties.

Below are some of the most common IT compliance standards, and their auditing requirements.

ISO Compliance Audits

The purpose of ISO 27001 is to provide a standard framework for managing information and data in modern organizations. Risk management is an integral part of ISO 27001, ensuring companies or non-profit organizations understand their strengths and weaknesses.

The ISO 27001 certification process is generally divided into three steps:

  1. The organization hires a certification body that performs basic information security management system (ISMS) evaluation based on documentation provided by the organization.
  2. The certification body conducts a more detailed audit and compares the various components of ISO 27001 with the organization's ISMS. The organization must prove it has followed policies and procedures correctly. The lead auditor is responsible for deciding whether certification will be granted.
  3. The certification body conducts follow-up audits to ensure ongoing compliance management.

HIPAA Audits

The USA Health Insurance Portability and Accountability Act (HIPAA) is a regulation covering organizations that manage or process personal health information (PHI). It sets restrictions and conditions on how to use and protect PHI. The HIPAA Privacy Rule gives patients the right to view and request corrections of their health information and medical records.

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) conducts HIPAA audits to assess compliance with the regulation.

The OCR performs regular, ongoing audits on a random sample of Covered Entities and Business Partners (the two categories of organizations subject to HIPAA). Even if an organization is not selected for a random audit, it may come to the regulator's attention because of a security breach or a complaint.

If an organization is selected for a HIPAA audit, it must respond to the OCR audit within 10 days. This means organizations must prepare in advance, not only by putting security controls in place, but also by preparing documentation and proof of compliance.

PCI DSS Compliance Audits

The Payment Card Industry Data Security Standard (PCI DSS) is a standard affecting any organization that processes or stores payment card data.

The PCI Council performs regular audits, primarily focusing on merchants with over 6 million credit card transactions per year (Tier 1 merchant), or merchants with a lower number of transactions that recently suffered data breaches.

The main purpose of a PCI DSS audit is to identify violations, provide suggestions on how to resolve them, and ensure that each issue has been resolved.

Once an organization has been selected for an audit, the first step is to find a qualified security assessor (QSA) to conduct the audit. A QSA is an organization certified by the PCI Council to conduct security audits.

The QSA provides an on-site auditor, whose role is to evaluate the security of the audited organization. This covers the cardholder data environment (CDE): any device, component, network or application that stores, processes or transmits cardholder data. The auditor also evaluates the policies and practices the organization uses to operate these systems.

SOX Compliance Audits

The USA Sarbanes-Oxley Act is intended to protect investors in public companies, by requiring publicly traded companies to provide accurate and reliable financial information every year.

SOX requires companies to conduct annual audits and provide the results to shareholders and other stakeholders. Companies need to hire independent auditors, and SOX audits must be kept separate from other audits to avoid conflicts of interest.

The primary purpose of a SOX compliance audit is to review the company's annual financial statements. The auditor compares the previous report with the current year's results, and may require employees to demonstrate that the organization has adequate security controls in place to maintain SOX compliance.

The SOX auditor checks four main types of internal controls:

  • Access—physical and electronic controls to ensure that each user has exactly the access they need to do their job.
  • Security—measures to prevent data breaches, typically implemented using the COBIT standard.
  • Data backup—SOX compliant remote backup of all financial data.
  • Change Management—documented processes to add and manage users, deploy software, and modify databases or financial applications.

IT Security Audits with NetApp Cloud Insights

NetApp Cloud Insights is an infrastructure monitoring tool that gives you visibility into your complete infrastructure. With Cloud Insights, you can monitor, troubleshoot and optimize all your resources including your public clouds and your private data centers.

Cloud Insights helps you find problems fast before they impact your business. Optimize usage so you can defer spend, do more with your limited budgets, detect ransomware attacks before it’s too late and easily report on data access for security compliance auditing.

In particular, NetApp Cloud Insights supports corporate compliance by auditing user access to your critical corporate data, whether it is stored on-premises or in the cloud.

The NetApp Data Protection and Security Assessment identifies security gaps in your current data protection strategy and delivers an actionable, proactive plan to minimize potential risks by:

  • Uncovering risk exposure and vulnerabilities in ONTAP and Cloud Volumes ONTAP environments
  • Determining your company’s ability to quickly and effectively respond to threats through a comprehensive policy and environment review
  • Delivering a detailed gap analysis and actionable recommendations to inform your data protection strategy and policies