

IT security audit checklist 1

IT Security Audit Checklist

Suite 1, Level 3, 16-18 Wentworth Street, Parramatta NSW 2150

Tel 1300 797 888

www.empowerit.com.au


Table of contents

• 4 steps to protecting your business – 3

• Why an IT security audit? – 4

• 1. Define the threats – 5

• 2. Evaluate security performance – 6

• 3. Assess the likelihood of threats – 7

• 4. Design a defence strategy – 8

• Definitions – 9

• End-to-end solutions – 10


4 steps to protecting your business

Cybersecurity is a major concern for businesses, especially since hackers are getting smarter and bolder. To protect your company, a robust cybersecurity strategy is vital. However, you won’t be able to develop one without a comprehensive IT security audit.

IT security audits are important because they uncover system flaws that leave your company vulnerable to cyberattacks. By identifying these flaws, you can make informed decisions about which security tools and strategies to implement.

Keep in mind that these audits are only effective if you conduct them at least every quarter. That’s because the cyberthreat landscape is constantly changing, and new vulnerabilities are discovered almost every month. Between July and September 2018, for example, 57% of data breaches in Australia were due to phishing, stolen passwords, and brute-force attacks.

You may also add more hardware, software, and users as your company grows over the course of a year, giving hackers more entry points into your systems. What’s more, failing to schedule regular security audits means you face a higher risk of data breaches and noncompliance with the Notifiable Data Breaches scheme, often resulting in thousands of dollars in damages, lawsuits, and loss of brand reputation.

Follow these 4 steps to audit your company’s security infrastructure:

1. Define the threats

2. Evaluate security performance

3. Assess the likelihood of threats

4. Design a defence strategy

For more information on our managed IT services and solutions, go to: www.empowerit.com.au


Why an IT Security Audit?

An IT audit identifies risks to the business within a number of key IT areas including business continuity, security, and scalability for growth. The main reasons for performing an IT audit are to:

• Ensure that the physical and virtual servers are configured as per industry best practice, confirming reliability and security.

• Identify hardware bottlenecks that are impacting on business productivity.

• Obtain a listing of infrastructure hardware assets and ensure a valid warranty is in place.

• Validate the disaster recovery process.

• Identify security risks within the network.


1. Define the threats

Start by listing all the threats that could affect your IT infrastructure, data, customers, and users. Your list should include:

Malware – includes computer viruses, worms, spyware, Trojan horses, and ransomware.

Denial of service – overwhelms your network with requests and commands, forcing it to go offline.

Account hijacking – caused by weak, easy-to-guess passwords.

Employee negligence – such as setting the same password across multiple accounts, visiting unsecured websites, and connecting to free Wi-Fi networks.

Data leaks – due to unauthorised disclosure of information or lax access restrictions.

Social engineering – like phishing, smishing, and vishing.

Physical breach – where hackers infiltrate your office to attack your systems directly.


2. Evaluate security performance

Next, assess your company’s ability to defend against all the threats listed in the previous step. This involves putting your IT systems and users through a series of tests, such as:

Security framework review – identifies the security measures you currently have in place (firewalls and antivirus software) and which areas of your IT infrastructure they protect (devices, network, email, software, etc.).

Penetration testing – simulates attacks on your system to find vulnerabilities a would-be hacker could exploit.

Security awareness assessment – studies how employees respond to simulated phishing scams and strategically staged USB drives.

Password testing – checks whether users are setting long and unique passcodes with a combination of letters, numbers, and special characters.
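As an added illustration of the password testing item above (and of the password reuse called out under employee negligence in step 1), here is a small Python audit routine. It is not code from the original checklist or from Empower IT Solutions. It checks candidate passwords against a length-and-character-class policy and flags the same password reused across accounts by comparing fingerprints rather than storing the passwords themselves. The 12-character minimum, the class rules and the sample credentials are assumptions constructed for this example.

```python
import hashlib
import re
from collections import defaultdict

# Policy thresholds are assumptions for this example, not figures from the checklist.
MIN_LENGTH = 12
CLASSES = {
    "letter": re.compile(r"[A-Za-z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def policy_findings(password: str) -> list[str]:
    """Return the policy rules a candidate password fails (empty list = compliant)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CLASSES.items():
        if not pattern.search(password):
            findings.append(f"no {name}")
    return findings


def fingerprint(password: str) -> str:
    """Fingerprint used only to detect reuse between accounts during the audit.
    Never store this as the credential itself: a real credential store uses a
    salted, slow hash (bcrypt, scrypt or argon2)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def reuse_findings(accounts):
    """accounts: iterable of (user, system, password).
    Returns {fingerprint: [(user, system), ...]} for fingerprints seen more than once."""
    by_fp = defaultdict(list)
    for user, system, password in accounts:
        by_fp[fingerprint(password)].append((user, system))
    return {fp: hits for fp, hits in by_fp.items() if len(hits) > 1}


def audit(accounts):
    """Run both checks; returns {(user, system): [findings, ...]} for
    non-compliant accounts only, so an empty dict means everything passed."""
    report = {}
    for user, system, password in accounts:
        problems = policy_findings(password)
        if problems:
            report[(user, system)] = problems
    for hits in reuse_findings(accounts).values():
        for hit in hits:
            others = [f"{u}@{s}" for u, s in hits if (u, s) != hit]
            report.setdefault(hit, []).append("reused on " + ", ".join(others))
    return report


# Constructed sample credentials for the demonstration (not real data).
SAMPLE_ACCOUNTS = [
    ("alice", "email", "Winter2020!"),        # 11 characters: too short
    ("alice", "vpn", "Winter2020!"),          # same password reused on a second system
    ("bob", "email", "correcthorsebattery"),  # long, but no digit or special character
    ("carol", "email", "T7#kq!2mZp9w$Lr"),    # compliant
]

if __name__ == "__main__":
    for (user, system), findings in sorted(audit(SAMPLE_ACCOUNTS).items()):
        print(f"{user}@{system}: {'; '.join(findings)}")
```

In practice the composition check runs at password-change time (that is the only moment the plaintext is legitimately available), while the reuse check can be run over fingerprints collected at the same moment, so the audit never needs a plaintext password list.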


3. Assess the likelihood of threats

Take your list of threats and score each one on a scale of 1–10 based on how likely it is to occur. During your assessment, make sure you:

Use results from your tests – if employees failed the security awareness assessment, your business can fall victim to social engineering attacks.

Analyse previous breaches – hackers will likely use the same tactics if they’ve successfully attacked your business in the past.

Study industry-level trends – industries like healthcare are more susceptible to phishing scams and ransomware attacks, while others are weaker against denial-of-service attacks.

Stay up to date on cybersecurity news – hackers will use the newest threats more frequently.


4. Design a defence strategy

The final step is to develop a strategy to address your most probable threats. For example, if phishing scams are recurring threats, you need stronger email filtering solutions and more robust security awareness training. Or, if your business is weak against denial-of-service attacks, you should install intrusion prevention systems and monitor your networks 24/7.

The combination of security solutions will vary for each threat, and to make sure you implement the right ones, you need IT experts like Empower IT Solutions. We provide thorough, objective cybersecurity assessments and consulting services for large and small businesses across Australia. We also provide a broad array of security technologies to prevent costly breaches and keep your company’s name from appearing in the news for all the wrong reasons.

Call 1300 797 888 to schedule an IT security audit today!


Definitions

Phishing: Like all social engineering methods, phishers prey on a target’s trust — by masquerading as a friend, bank teller, celebrity, or government official to persuade their victims to willingly surrender private information. Phishing emails are powerful distributors of trojans, keyloggers, and a slew of other nasty exploits.

Smishing: Much like the previous social engineering methods, smishing, or SMS phishing, is the act of sending a fraudulent text message in an attempt to trick individuals into disclosing personal information. ‘SMiShers’ either attach malicious links to text messages or ask the target to call a phone number where vishing attempts will be made.

Vishing: Vishing, or voice phishing, occurs when an attacker attempts to obtain personal information from targets via phone call or VoIP. This social engineering method usually creates a sense of urgency to convince the victim to give away sensitive information without critically evaluating the source or motive of the phone call. Even though modern telephony systems have caller ID technology, attackers will usually use a spoofed ID so it looks as though the call is coming from a trustworthy source.


End-to-end solutions

Managed IT Services: managed IT service desk, managed IT infrastructure, managed IT monitoring, managed backup and mobile device management.

Cloud: private cloud, cloud migration, cloud backup, Office 365 for business and job management systems.

IT Services: IT projects, business phone systems, IT planning, IT systems health check and education solutions.

Technology: Dynamics 365, SharePoint, Power BI and Office 365.