Conducting an IT audit is a lengthy process. But if you don't have clear documentation that provides insight into your IT structure, or if you want to take preventative action to protect your business from threats, now is as good of a time to get started as any. So, where do you begin?
Your IT Audit: Checklists and Questions
Performing an audit will net ample information, but you need to know what types of items to address. According to Alex Insley, Twinstate's Unified Defense Strategies manager, "In the end, your audit will show you all the stuff you have, how secure it all is, and how vulnerable you are, as you stand today."
So begin with the "stuff." First ask: What's on my network?
Create your own checklist of questions. Consider everything that's on your network that you know about, and everything that you might not know about, too. For each item, ask:
• What are the patching levels?
• What version is this? How old is this version?
• Is it still supported by the original vendor?
If you are examining items that need to provide protection, you can use resulting information to determine your level of vulnerability. For example, if you are examining your firewall, which is included in your network, you may ask if it's adequate, what it offers, if it fits your growing needs, if it can evolve to meet today's threat landscape, etc.
For every item on your network and every bit of info you store, you should ask whether or not it belongs, and needs to be there. Use the ROT rule. If it's Redundant, Obsolete or Trivial, it's time to archive it and get it off your network, explains Insley.
It’s advisable to build an itemized checklist that includes all of your compliance requirements, because one missed item could seriously impact your security and the health of your business down the road. To help define that checklist, review this post and carefully look into each of your compliance requirements.
Finding the Tools
Performing a successful audit requires you to have access to the right tools. If you want to move quickly to complete the audit, you won't want to spend a lot of time attempting to find those tools. If you're looking for succinct, yet detailed, results in a well-crafted report, you may want to consider hiring a firm that can do everything for you. In so doing, though, you'll lose the subjective view which you would have had if you yourself performed the audit.
This loss can be beneficial, in that your higher-ups will receive a clearly unbiased report, but it can also be detrimental, in that a subjective audit gives you personally the opportunity to provide unbiased results and thereby build trust. Whether you choose to hire a partner or to find the tools that allow you to perform the audit yourself, consider the costs. Yes, a partner will cost more than a piece of software, but your time is valuable, and choosing the right tool, implementing that tool and performing the audit on your own can be a time consuming endeavor.
If you want your audit done quickly and objectively, then finding a partnership is the way to go, says Insley. If you have extreme budget constraints, but fewer time constraints, and want to maintain the subjective view, you can perform the audit in-house using the questions and concepts in the previous section.
Moving Forward From an Audit
The streamlined report your audit will provide should allow you to make important and valuable decisions about your network. You'll most likely find that your human resources are stretched thin already, and that a slow-moving piece of your network only adds to their workload. That means you can identify places where you're able to reduce time spent on tasks through network updates.
You might find that you have old network switches, and an upgrade could allow your data to flow 10 times as quickly to each machine, for example. If that's the case, your people could use their time much more efficiently. Further, you'll be able to identify places where automation might make a process more efficient, so you can effectively reduce the number of people required to perform a task.
Ultimately, you'll know you've conducted a successful audit when you come out of it with key results upon which you can act to benefit your business — through supporting better business continuity, allocating resources more effectively, and improving security.
Originally published on 06/02/2016