Management has to provide a clear policy document and strong leadership in an attempt to reduce liability, downtime, loss of business and embarrassment that may arise as a result of an IT related security issue. As part of this policy document, there has to be a clear IT security audit checklist.
Enforcing a Sound Policy
Protocols and Services – Computer hardware, network components and software applications usually come from the manufacturers with a set of installed services, protocols and configurations that is intended to meet the needs of a wide-range of users. Unfortunately, some of these services, settings and protocols can make the system in question unsecure and less efficient. Ensure that unused protocols and services are disabled or uninstalled, and that the security settings don’t conflict with the overall security policy of the organization.
Business Resumption and Disaster Recovery Plan – Just in case the worst happens, an organization needs to have a plan to recover lost data and bring mission critical resources back online as soon as possible. The disaster recovery plan should also mitigate against any future loss of resources or time due to natural disasters, accidents or a criminal act. For your disaster recovery or business resumption plan to be effective, it must include plans to have frequent system backups done and to store a copy of those backups off-site. The recovery plan should also include contact numbers for key personnel in case of an emergency, replacement for IT and office resources, the identification of alternate facilities, and detailed recovery procedures.
Anti-virus - No IT Security Audit Checklist is complete without an accounting for an organization’s vulnerability to computer viruses. All computers should be protected with an up-to-date antivirus and anti-malware programs. If possible, the software should be set to notify an administrator if a threat is found.
Network Security – Are all Internet access points documented, authorized, and protected by firewalls, intrusion detection systems, virtual private networks, and an incident responses system?
Remote Access Points - Ensure that all remote access facilities are known, encrypted, and duly authorized.
Passwords – Change all vendor-supplied, access codes and default passwords for installed systems that have been changed or disabled. Leaving default access codes on installed operating systems, database management systems, network devices and applications is a major security risk. Such passwords and access codes can be used to breach your security measures if they are not changed.
Also ensure that the users are using unique and strong passwords and require that they change their passwords at reasonable time intervals.
Security Updates and Software Patches – Do all systems have the latest software patches installed to protect them from know vulnerabilities?
Frequent Audits – Despite the best efforts of IT professionals, breaches may remain on a network or may be created as software becomes outdated and users interact with IT systems. Audits must be done regularly to find these vulnerabilities.
Confidentiality Agreements – Have employees, contracted workers, business partners, and suppliers been asked to sign confidentiality agreements before proprietary and/or sensitive information is disclosed to them? Doing so ensures that there is a legal recourse should a breach occur and damages are realized. Ideally, they should acknowledge, in writing, that they understand the terms they are signing to.
Physical Security - Are the servers, network equipment and other sensitive IT resources physically secured? Physically securing your equipment will ensure that unauthorized persons will find it difficult to breach your security measures. Secure your sensitive and mission critical equipment by locking them away or otherwise restrict who has access to them by using access cards, security guards, and locked doors.
An IT security audit checklist ensures that all the areas of security concern are considered and steps are clearly outlined to deal with any risk, vulnerability, or liability that could arise from a security gap. To not have a IT audit checklist is to almost ensure that there are security gaps and breaches that will be left unchecked.