What Is a Cybersecurity Audit and Why Is It Important?

Cybersecurity audits help ensure agencies comply with IT security regulations and requirements.

The federal government is still unraveling its vulnerabilities in the wake of the SolarWinds cyberattack, and the Department of Homeland Security’s cybersecurity agency does not know how many federal civilian agencies are segmenting and segregating internal networks from unwanted outside traffic.

Brandon Wales, the acting director of the Cybersecurity and Infrastructure Security Agency, couldn’t tell Democratic Sen. Ron Wyden of Oregon how many agencies were doing so, according to a June 3 letter that surfaced earlier this month.

Meanwhile, President Joe Biden’s May 12 cybersecurity executive order, meant to bolster agencies’ defenses in the wake of the attack, requires agencies by mid-November to adopt multifactor authentication and encryption for data at rest and in transit, two basic cyber hygiene best practices. Agency heads are required to report their progress on adopting these measures to CISA, the head of the Office of Management and Budget and the national security adviser.

“Such agencies shall provide such reports every 60 days after the date of this order until the agency has fully adopted, agency-wide, multi-factor authentication and data encryption,” the order states.

To gauge how effective its cybersecurity practices are, an agency can and should conduct regular cybersecurity audits. Such audits differ from cybersecurity risk assessments, which explore an agency’s IT security protections and its ability to remediate vulnerabilities. Instead, cybersecurity audits “act as a checklist that organizations can use to validate their security policies and procedures,” as SecurityScorecard notes.

What Is a Cybersecurity Audit?

Cybersecurity audits are about assessing compliance. Agencies that conduct a cybersecurity audit will “be able to assess whether or not they have the proper security mechanisms in place while also making sure they are in compliance with relevant regulations,” according to SecurityScorecard.

Organizations that perform cybersecurity audits can then take “a proactive approach when designing cybersecurity policies, resulting in more dynamic threat management,” the firm notes.

Cybersecurity audits are performed by third-party vendors to eliminate any conflicts of interest, according to SecurityScorecard. However, “they can also be administered by an in-house team as long as they act independently of their parent organization.”

The cybersecurity audit universe “includes all control sets, management practices, and governance, risk and compliance (GRC) provisions in force at the enterprise level. In some cases, the extended audit universe may include third parties bound by a contract containing audit rights,” according to IT governance and certification firm ISACA.

“With the increasing number of cyberthreats, it is becoming critical for the audit plan in every organization to include cybersecurity,” ISACA notes. “As a result, auditors are increasingly being required to audit cybersecurity processes, policies and tools to provide assurance that their enterprise has appropriate controls in place. Vulnerabilities in cybersecurity can pose serious risks to the entire organization — making the need for IT auditors well-versed in cybersecurity audits greater than ever.”

Best Practices for a Cybersecurity Audit

There are several best practices that agencies should follow ahead of and during a cybersecurity audit, especially if it is being conducted by a trusted third party.

SecurityScorecard details several of them on its website. One is to review the agency’s data security policies. “Before the audit begins, make sure that you review this policy with regard to data confidentiality, integrity, and availability,” the firm notes.

Having solidified information security policies helps auditors “classify data and determine which levels of security are needed to protect it,” according to SecurityScorecard.

Another best practice is to centralize cybersecurity and compliance policies into a single list or document, which helps auditors get a more complete understanding of the agency’s IT security practices. This then makes it easier for the auditor to identify gaps. The policies SecurityScorecard recommends including are related to network access control, disaster recovery and business continuity, remote work, and acceptable use.

Agencies should also detail their network structure, SecurityScorecard recommends. “One of the goals of cybersecurity audits is to help identify potential gaps in security on enterprise networks. Providing a network diagram to your auditor helps them gain a comprehensive view of your IT infrastructure, expediting the assessment process,” the firm notes. “To create a network diagram, lay out your network assets, and detail how each of them works together. With a top-down view of your network, auditors can more easily identify potential weaknesses and edges.”

IT and cybersecurity leaders at an agency should also review relevant compliance standards and requirements before the audit begins. Those should be shared with the audit team, which enables them to align the audit with the needs of the agency.

Finally, SecurityScorecard recommends that agencies create a list of security personnel and their responsibilities within the agency. “Employee interviews are an important part of cybersecurity audits. Auditors will often interview various security personnel in order to gain a better understanding of an organization’s security architecture,” the firm says.

Agencies can streamline this process by providing the auditing team with a list of IT security staff.

How Often Should Agencies Audit Their Cybersecurity?

As cybersecurity ratings firm BitSight notes, a cybersecurity audit is more formal than an assessment and is designed “to act as a ‘checklist’ that validates the policies a cybersecurity team stated are actually in place, and that there are control mechanisms in place to enforce them.”

“Additionally, what is considered a cyber security audit only shows a snapshot of your network health,” BitSight notes. “While an audit might provide an in-depth look at your cyber-health at a specific point in time, it doesn’t provide any insight into your ongoing cyber management.”

Security experts recommend that cybersecurity audits occur at least once per year. “Software vulnerabilities are discovered daily,” independent IT security consultant Carole Fennelly writes in TechTarget. “A yearly security assessment by an objective third party is necessary to ensure that security guidelines are followed.”

Other experts recommend auditing more often, but a wide range of factors affects how often an agency should audit its cybersecurity, including budget, whether significant system or software changes have recently been made, and how stringent the applicable compliance standards are.

Tips for a Cybersecurity Audit

ISACA recommends defining the audit subject and objective before an audit is initiated. The organization says that boundaries and limitations to consider for cybersecurity audits include the enterprise sphere of control versus a private one, and whether the use of nonagency devices and applications should be in scope. Another element that may limit the audit’s scope is whether the audit will focus on internal IT infrastructure or on external infrastructure.

“As a rule, the use of IT extends beyond the internal organizational network, as in traveling use, home-use settings or the adoption of the cloud,” ISACA notes. “While this may create additional cybersecurity risk, it has become common practice in most enterprises.” That’s especially true with so many federal employees continuing to work from home.

From an auditor’s perspective, ISACA says “it is advisable to adopt a risk-based view and define the objectives accordingly.” Additionally, ISACA says “audit objectives should be limited to a reasonable scope and should also correspond to cybersecurity and protection goals as defined by the enterprise.”