There’s only 59 days left until Christmas. Considering many of us take on vacations in late December that stretch until New Year, let’s rephrase our initial statement.
You only have 59 days to perform a security audit at your company. Security audits take on many forms depending on what type of firm you own or work for. Here’s a sampling, courtesy of California State University Long Beach:
- Financial Audits or Reviews
- Operational Audits
- Department Reviews
- Information Systems Audits
- Integrated Audits
- Investigative Audits or Reviews
- Follow-up Audits
The word ‘audit’ has lots of lingering negative connotations. If you’ve ever been subjected to an audit, you know the feeling that hurtles through your body at the mere mention of it. A cold sweat. Pumping heart. Fidgeting hands. Uneasy glances with your co-workers. And that’s even if you have nothing to worry about.
An audit, nonetheless, can feel like an invasion. A fission of distrust. A crack in your foundation with your business. It’s easy to take an audit personally and feel hurt. It doesn’t have to be that way if you show your cards:
If you’re the boss, it’s imperative that you understand how an audit can make your employees feel and find ways to inform them of the what-how-when-where-why’s so that the audit is demystified and that your employees know the audits purpose and mission.
If you’re the boss and you’re being audited by an outside agency or your board of directors, be transparent. Provide them the information they request and understand that audits are a necessary component to successful businesses.
If you’re an employee, ask questions but don’t consider it your job to be your co-workers’ investigative journalist. In most cases, you have a right to ask the what-how-when-where-why’s, and in most cases, your employer has a right to protect that information if, indeed, they are looking for discrepancies. Keep in mind that most employers are aware of your feelings about audits and want them to be handled as efficiently and professionally as possible.
These Companies Could’ve Used a Security Audit
It’s important to remember that an audit provides a real-world snapshot of how your company is running. It’s meant to provide real data that can catapult decision makers into making decisions that can improve the organization as a whole.
These companies are probably wishing they had run some decent audits before making headlines for all the wrong security reasons:
- Target – The big box giant fell victim to the biggest retail hack in U.S. history.
- Facebook, LinkedIn, Google, Twitter, Pinterest – The biggest names in social media fell victim to various malware and millions of account emails and log-in credentials were compromised.
- eBay – Attackers hacked employees’ log in details and accessed virtually all of the site’s 145 million members
- Michaels Stores – Customers credit card information was stolen for roughly nine months by hackers until the store caught onto the criminals misdeeds
All of these companies probably could’ve benefited from a more thorough security audit of their Information Systems (IS). We’re not saying that they weren’t previously audited. As big as all those businesses are, we’re sure that somewhere along the way someone took a good, hard look at their IS. Hindsight is twenty-twenty, though, and clearly, there were still major gaps in their coverage.
What IS an IS Audit?
The folks at Cal State Long Beach put together a handy resource for anyone looking to better understand IS audits. There are three basic varieties and the Cal State article is so good, we’re going to use a portion of their explanations:
- General Controls Review
A review of the controls which govern the development, operation, maintenance, and security of application systems in a particular environment. This type of audit might involve reviewing a data center, an operating system, a security software tool, or processes and procedures (such as the procedure for controlling production program changes), etc.
- Application Controls Review
A review of controls for a specific application system. This would involve an examination of the controls over the input, processing, and output of system data. Data communications issues, program and data security, system change control, and data quality issues are also considered.
- System Development Review
A review of the development of a new application system. This involves an evaluation of the development process as well as the product. Consideration is also given to the general controls over a new application, particularly if a new operating environment or technical platform will be used.
As 2014 comes to a close (remember – 59 days, yikes!!!!) it’s up to you to take your company’s IS security seriously. One of the ways to do this is by auditing your current system. After all, hackers aren’t going to be deterred by minor smoke screens. If anything, their intelligence will continues to escalate. You have an obligation to protect your company, your employees and your customers’ information. Time’s ticking…..