Keep Regular with Security Audits

Routine Security Audits can help things stay routine.

Security audits are one of the most important things you can do to protect your network. Security breaches happen all the time, and it’s up to you to stay ahead of these breaches with regular security audits. Security auditing is not just about checking logs – it’s about actively looking for changes on your network so that if something happens, you’ll know what was changed and how it happened. Security audits also provide peace of mind by showing that the right level of security is in place at any given time.

An audit includes reviewing:

  • firewall settings
  • software updates and patch status (including WSUS[2])
  • antivirus/anti-malware status, and whether scanner signatures are up to date
  • account permissions (including Active Directory) and user rights
  • domain controller health
  • password strength requirements
  • file share permissions, including NTFS[1] permission changes
  • DHCP/DNS/WINS settings
  • Windows Security auditing settings
  • SharePoint security settings
  • change logs
  • unauthorized software


What is a security audit

A security audit is a process of evaluating the effectiveness of information security policies. Many businesses now depend on technology for their day-to-day operations and consequently expose themselves to various risks. Security audits are now an integral part of the security policy, and it is important that they be made routine. The scope of the audit is determined by the level and type of risk identified in the organization and by the standards the organization is expected to meet.

Types of Security Audits & Auditors

Security audits are an important part of keeping your company safe. But there are many different types to choose from, and each type has its own set of benefits and drawbacks. The process begins with analyzing the environment that needs to be audited, then matching the audit to the need. That’s why it’s crucial to understand what kind of security audit is needed before getting started. And while some audits may seem more difficult than others, they all have their place in a comprehensive security plan.[3]

Internal Auditors

These employees work inside the company, looking for vulnerabilities or signs that something could go wrong within their departments or areas of responsibility, which can be anything from the water cooler to the data center. They are employees who are trained in spotting red flags or inconsistencies that, when addressed early on, can prevent crisis situations down the road.


External Auditors

These auditors don’t work for your company but examine your systems and equipment regularly to look for security gaps in policies and procedures. These audits are performed by a hired third party or government agency.

These audits can also take the form of either Black Box or White Box (or Glass Box) Penetration Testing. With Black Box, the auditor has no knowledge of your systems and is testing from a position outside your network, looking for vulnerabilities by attacking them from the internet. With White Box, the auditor knows everything about how your systems are put together.[4] Each method has its pros and cons, but the goal with both is to harden[5] the system.

Manual Audits

A manual audit can be performed by an internal or external auditor. During this type of audit, the auditor interviews your employees and evaluates physical access, vulnerability scan results, and the application, network and operating system controls that may need adjustment to bring you up to date on best practices. These audits require extensive knowledge of the type of environment being audited and the ability to generate reports based on the findings.

Automated Audits

Automated audits use Computer-Assisted Audit Techniques (CAATs) that produce comprehensive, customizable reports. They can be used internally by management and externally for auditing purposes. Advanced programs monitor the IT environment continuously, so you are always aware of any suspicious activity taking place on your networked devices.

IT Audit Standards

The security audit standards ISO/IEC 27001, the HIPAA Security Rule, PCI DSS and SOX are designed to help businesses comply with their own internal data security protocols.

ISO Compliance is a process of verifying that an organization meets the requirements of the ISO/IEC 27001 standard. This standard covers the Information Security Management System (ISMS).[6] An ISMS is a framework that allows an organization to manage and control its information security risks. ISO Compliance is necessary for organizations that want to protect their customers’ data.

The HIPAA Security Rule is a set of regulations that are designed to protect the privacy and security of electronic health information. The Rule requires covered entities to implement a variety of security measures, including:

  • Access Control
  • Audit Logging
  • Password Management
  • Data Encryption 

PCI DSS compliance is a requirement for any business that accepts credit cards. In order to be PCI compliant, a business must implement certain security measures to protect its customers’ credit card data. These security measures include things like firewalls, anti-virus software, and data encryption.

Businesses that are not PCI compliant can face fines and other penalties from the credit card companies. It’s therefore important for businesses to ensure that they are PCI compliant at all times, especially if they handle credit card data.

One of the most important audit standards is SOX compliance.[7] This stands for the “Sarbanes-Oxley Act of 2002”, and it demands that any company with over $10 million in assets or sales must produce an annual report, or ER. One of the mandates is to establish internal controls to keep track of risks and vulnerability to fraud, waste and abuse. There are many other mandates in the SOX standard to help protect a company and its stakeholders from fraudulent activities.


How to conduct an audit

When it comes to auditing your network security, there are a few key steps that you need to follow in order to get the most comprehensive results. Here’s a quick overview:

  1. Start by assessing your current security posture. This will help you to identify any weak spots that need to be addressed.
  2. Next, perform an audit on the devices that are being used to manage security. You need to know exactly how many of each type of device you have, what they do, and where they are. This step will help you to create a standardized configuration across your entire network.
  3. After creating a standard configuration for all of your devices, you can run vulnerability scans against them to see whether any holes have been opened up by missing updates or newly released patches.
  4. Once everything has been inventoried and patched as needed, it’s time for another assessment so that you can see if the changes had the intended effect and whether there were any unexpected consequences.
  5. Finally, review your firewall and Active Directory settings to make sure that they are configured correctly.
  6. Rinse; repeat…
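As an added example (not code from the original post), the PowerShell script below covers the inventory, rescan and reassess steps above for the items the post lists as audit scope: it snapshots local Administrators membership, NTFS ACLs on monitored folders, the Windows audit policy, installed updates and installed software on one host, then reports what changed since the previous run. It assumes PowerShell 5.1 or later on Windows, run elevated; the baseline file path and the share path are constructed placeholders.

```powershell
# Added example, not from the original post: snapshot the audit items the post names and
# report drift against the previous snapshot. Assumes PowerShell 5.1+ on Windows, run
# elevated; $BaselinePath and $SharePaths are constructed placeholders.
param(
    [string]   $BaselinePath = "$env:ProgramData\audit-baseline.json",
    [string[]] $SharePaths   = @('C:\Shares\Finance')
)
function Get-AuditSnapshot {
    param([string[]] $Paths)
    $snap = @{}
    # Account permissions: who holds local Administrators membership on this host
    $snap.LocalAdmins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name } | Sort-Object)
    # File share permissions: one line per NTFS ACE, so a changed right shows up as Removed + Added
    $snap.NtfsAcl = @($Paths | Where-Object { Test-Path $_ } | ForEach-Object {
        $p = $_
        (Get-Acl -Path $p).Access | ForEach-Object {
            "$($p)|$($_.IdentityReference)|$($_.FileSystemRights)|$($_.AccessControlType)|Inherited=$($_.IsInherited)"
        }
    } | Sort-Object)
    # Windows Security auditing settings, taken from auditpol's CSV output
    $snap.AuditPolicy = @(auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv |
        ForEach-Object { "$($_.Subcategory)|$($_.'Inclusion Setting')" } | Sort-Object)
    # Patch status: installed update IDs
    $snap.HotFixes = @(Get-HotFix | ForEach-Object { $_.HotFixID } | Sort-Object -Unique)
    # Installed software (to spot unauthorized additions), from the Uninstall registry keys
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $snap.Software = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object DisplayName | ForEach-Object { "$($_.DisplayName) $($_.DisplayVersion)" } | Sort-Object -Unique)
    return $snap
}
function Compare-AuditSnapshot {
    param($Baseline, $Current)
    # Emits one object per added or removed item; no output means no drift
    foreach ($key in $Current.Keys) {
        $old = @($Baseline.$key | Where-Object { $null -ne $_ })   # missing area in baseline -> empty
        $new = @($Current.$key)
        $new | Where-Object { $_ -notin $old } | ForEach-Object { [pscustomobject]@{ Area = $key; Change = 'Added';   Item = $_ } }
        $old | Where-Object { $_ -notin $new } | ForEach-Object { [pscustomobject]@{ Area = $key; Change = 'Removed'; Item = $_ } }
    }
}
$current = Get-AuditSnapshot -Paths $SharePaths
if (Test-Path $BaselinePath) {
    $baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
    $drift = @(Compare-AuditSnapshot -Baseline $baseline -Current $current)
    if ($drift) { $drift | Format-Table -AutoSize } else { 'No drift since the last snapshot.' }
} else { "No baseline at $BaselinePath; recording the first snapshot." }
# Today's snapshot becomes the baseline for the next audit run
$current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath -Encoding UTF8
```

Run it on the same schedule as the audit itself and keep the dated baseline files; the drift table then tells you what changed and when it first appeared, which is the record the post says an audit should give you.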

How often to do audits

How often should you do security audits? It depends on your organization’s risk level. If you’re dealing with sensitive data, you should probably be doing audits at least once a quarter. If your organization’s risk is lower, you can get away with doing them every six months or even once a year. However, it’s always a good idea to be proactive and audit more often than you strictly need to. This way, you’ll catch any issues before they become a problem.

Conclusion

A security audit is an important component of network management. It’s also one of the most overlooked areas in many organizations. Without regular audits, you can’t be sure if your system is secure enough to protect data and meet compliance requirements. You don’t want to wait until there has been a breach before taking action. If you’re interested in learning more about our services or would like help with designing a custom security plan tailored specifically for your organization, contact us today!

Sources:

[1] https://docs.microsoft.com/en-us/windows-server/storage/file-server/ntfs-overview

[2] https://en.wikipedia.org/wiki/Windows_Server_Update_Services

[3] https://www.dnsstuff.com/it-security-audit

[4] https://teskalabs.com/blog/security-audit-white-box-vs-black-box-penetration-testing

[5] “In computing, hardening is usually the process of securing a system by reducing its surface of vulnerability, which is larger when a system performs more functions.” https://en.wikipedia.org/wiki/Hardening_%28computing%29

[6] https://www.itgovernanceusa.com/blog/what-exactly-is-an-information-security-management-system-isms-2

[7] https://www.soxlaw.com/sox-compliance/


1st Basis provides hosting for our customers who want a total solution or have special SAP-centered hosting needs. We started by hosting our own equipment in a co-location (colo) but demand quickly outstripped our ability to focus on SAP Basis and managing our own hardware, so we searched for a hosting partner to fill the gap—one with our same commitment to customer service.

We picked FNTS because they were one of the first to specialize in SAP-certified hosting and because they provide multiple platforms (including AS400). They are a good fit because they have the same commitment to individualized customer service. After a long vetting process, multiple meetings and joint ventures, they became our go-to hosting partner and 1st Basis became the de facto, preferred Basis provider for FNTS.

A Bit About FNTS:

FNTS has over 20 years of experience in the managed IT services industry. They are not afraid to think out of the “big box” and are known for their innovation and creative solutions (from giant flywheels that store energy or dumpster-diving to rescue a new customer’s discarded data)—they go the extra mile.

From the FNTS website:

Located in Omaha, Nebraska, the First National Data Center provides:

  • Fully redundant power (A+B) and components housed within a secured and protected environment
  • Flexible and efficient HVAC/air handling systems cooling with chilled water and backup chillers
  • 24/7 air handling monitoring for temperature, air quality and humidity
  • Dry pipe sprinklers and fire suppression systems controlled round-the-clock
  • Fully redundant Internet and failover for all Internet traffic
  • SSAE 16, SOC 2, 2N data center
  • Connection to all major communication carriers
  • More than 61,000 ft² of raised floor
  • On-site engineers 24/7

Local news story about FNTS

1st Basis is proud to be working with FNTS who, like us, “is dedicated to quality personal service.”

— David Beiswenger