How to prepare for a cyber security audit?

If your organization is preparing for a cyber security audit, you will want to read on to learn about best practices to optimize the value of the audit. External audits performed by third parties, can be expensive so it is best to be as prepared as possible by following these best practices.

A cybersecurity audit is a method that checks and verifies that your business has security policies in place to address all possible risks. An audit can be performed by internal staff as a way of preparing for an external organization.  If your organization is subject to regulatory requirements, such as the EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), or ISO 27001, you will need to hire an external auditor to verify compliance and receive a certification. 

A cybersecurity audit is different than a cybersecurity assessment. The audit consists of a checklist that verifies you have addressed a specific risk, whereas an assessment tests the risk to see how well it is implemented. 

There are many publications available that provide in-depth information on how to prepare for a cybersecurity audit, but the following provides a high-level overview of what you need to do in preparation for an external audit.  

Every organization must have a security policy in place that spells out the rules and procedures for working with the organization’s IT infrastructure, especially the handling of sensitive and private data. If you previously developed these policies, now is the time to review the policies to ensure data confidentiality, data integrity, and secured data access as it pertains to your industry and applicable compliance requirements. For example, your security policy should identify:

• What to protect? (e.g., data, business applications, hardware, etc.)
• How you will protect? (e.g., the use of passwords)
• How data access will be monitored and locked?
• How to secure personal or sensitive data?
• How to maintain data accuracy and integrity?
• How to protect archived data?

To help you in the preparation for and/or review your organization’s security policy, you can refer to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. 

“The NIST Framework is voluntary guidance, based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. In addition to helping organizations manage and reduce risks, it was designed to foster risk and cybersecurity management communications amongst both internal and external organizational stakeholders. improve their ability to prevent, detect, and respond to cyber-attacks.”

More than likely, you have a variety of security policies that were created at different times by different individuals. Now is the time to review each of these policies and cross reference them to be sure they are consistent. For example, if your backup policy calls for backups every 30 days, you may not be able to meet your Recovery Point Objectives (RPOs) per your disaster recovery policy, which depends on those backups. If a disaster happens, you can lose up to 30 days of data. If your systems do not use multi-factor authentication, your password policy must require extraordinarily strong passwords that are frequently changed.

Examples of these security policies include:

Data security policies. How do you ensure that your sensitive data is secure from prying eyes? Data privacy policies. How do you ensure that private data is kept private? Network access control. How do you restrict network access to only those devices that are authorized and compliant with security policies? Do network devices have required security patches and cybersecurity protection? Backup policies. When and how does your organization back up its systems, applications, and data? Password policies. What are your organization’s password policies and how do you manage them? Disaster recovery policies. Is your DR plan exercised and updated regularly to ensure you can recovery your systems and data? Will you be able to meet your planned Recovery Time Objectives (RTOs) and RPOs? Remote work policies. How does your company ensure the security and protection of your remote workers’ devices? Employee email and internet policy. How do you ensure your employees are using email and the corporate internet for business and have no expectation that personal communications, data, and files will be kept private? How can you be sure employees understand that they cannot send emails that harass, threaten, or offend? Acceptable use policy. What procedures must an employee agree to before they are permitted to access the corporate network?

It is important to create a secure network topology structure and design. For example, if you are segmenting your network, finance servers should not be in the same network or subnetwork as your research and development or human resources servers. Instead, segmenting your network into smaller zones strengthens your security because you have compartmentalized services that can contain sensitive information. Also check to be sure that your firewall and other network security tools that should be in place ARE in place as they will need to be reviewed and audited.

If you are subject to regulations, such as GDPR, PCI, or HIPAA, be sure you are compliant with the applicable regulations and make this topic part of the conversation with your auditors. The auditors will probably be approaching your team about applicable compliance regulations, so be prepared with documentation that demonstrates your compliance.

Prior to the audit, be sure to review and ensure your employee email and internet policy is understood and followed by all employees. For example, employees should not be viewing websites that contain criminal or offensive content, such as gambling and pornography website. Employees should not be storing content that violates copyright laws. Employees should not be using their corporate email address for personal business. Your organization has the right to review any emails that employees send, or content stored on their machines to check for malware, fraud, or workplace harassment.

Prior to the start of an external audit, it is strongly recommended that you test for non-compliance and security gaps by doing a dry run internal audit following the best practices described above. An internal cybersecurity audit can combine a manual review of policies, processes, and controls as well as automated reviews of key infrastructure and security systems.

You want to do this for two reasons. First, external audits are quite expensive, ranging from tens of thousands to hundreds of thousands of dollars. Better to know your compliance stance before spending the money for an external audit so you can address any issues beforehand. Doing this will also reduce the stress associated with an external audit and eliminate any surprises.  

With Acronis Cyber Protect, you can discover all the software and hardware assets installed on your machines, choosing between automatic and on-demand scans. In addition, you can browse and filter software/hardware assets by multiple criteria, easily generate inventory reports, and auto-delete records once a machine is removed.

To pass a compliance audit, your organization needs to use different cybersecurity technologies and tools to support important compliance requirements for system backups, antivirus software, disaster recovery, etc. Many security software providers offer these as point solutions. In fact, Acronis’ annual 2021 Cyber Protection Week survey found that 80% of organizations run as many as 10 solutions simultaneously for their data protection and cybersecurity needs, yet more than half of those organizations suffered unexpected downtime last year because of data loss. The lesson learned is that more solutions does not mean more protection.

Acronis recognizes the cost, inefficiencies, and security challenges that arise from using multiple solutions, which is why Acronis – a pioneer in the field of cyber protection – offers a single integrated cybersecurity solution.

Acronis Cyber Protect is a one-of-a-kind solution that delivers complete cyber protection for modern threats, bringing together backup and data protection; next-generation, AI-based antimalware; and protection management into a single, integrated solution. It is unlike other security solutions that only bundle security tools and technologies or legacy, isolated point solutions for backup, anti-virus, patch-management, remote access, workload management, and monitoring and reporting tools. With all these technologies packaged into one solution, Acronis Cyber Protect can help you prepare for an external cybersecurity audit.