What is an infrastructure security review?
What do Capital One, Target and Version have in common? They have all been subjected to massive data breaches along with many other organizations, both large and small. These breaches brought to light flaws in the data security infrastructure of these multi-million-dollar organizations. However, all business organizations maintain information about their customers, employees and vendors. Much of the information is sensitive and subject to privacy laws. This sensitive information along with the tools and applications designed to protect it is referred to as data infrastructure. The infrastructure must be protected from any potential danger because any leak or hack can damage the business. Infrastructure security review, or more commonly known as IT audit, aims to uncover risks and security ruptures before actual harm or loss to the organization. Because of this purpose, an infrastructure security review must be regularly conducted. Some may conduct a meticulous assessment while others may conduct a general assessment of the infrastructure.
What are the benefits of an infrastructure security review?
In essence, conducting an infrastructure security review or IT audit allows an organization to maintain an efficient, stable, and secure infrastructure. This is primarily because in an infrastructure security review, vulnerabilities and threats within the organization’s network are identified and immediately addressed.
Specific benefits of an infrastructure security review include:
- Creating an inventory of both software and hardware found in the organization’s network in order to ensure that such have valid warranties;
- Validating a disaster recovery process and ensure that the virtual and physical servers of the IT system are configured well and functioning according to best practices of the industry;
- Reducing costs by giving the organization an opportunity to correct its mistakes early; and
- Allowing an organization to ensure software compliance, and consequently, give management peace of mind with the existing infrastructure.
How to conduct an infrastructure security review?
Knowing all these benefits that an infrastructure security review can provide, an organization should be eager to conduct one. So, how do you conduct an infrastructure review? There are 4 basic steps:
Step 1: Gathering of evidence
The first step is evidence gathering. It should be noted that an infrastructure security review has two parts: compliance testing and substantive testing. In compliance testing, the auditor gathers evidence to test whether the organization has implemented and following control procedures. Meanwhile in substantive testing, the auditor gathers evidence in order to evaluate the integrity and genuineness of individual information or data.
Step 2: Review and Assessment
In compliance testing, the auditor needs to review the physical aspect of the infrastructure such as workstations, terminals, routers and other equipment. In substantive testing, sensitive data and information belonging to the organization are involved, thus, this phase is more complicated. In this phase, the auditor reviews the organizational structure, IT standards, IT policies and procedures, personnel, processes, and documentation.
After gathering all the evidence, the auditor proceeds to conduct his assessment. He may find strengths and weaknesses in several areas. The auditor may find that there are indeed network inefficiencies and errors that need to be addressed. He may also discover hardware issues and uncover threats. These threats can include underused and overused resources, congested bandwidth, security holes, and poor network configuration, among others.
Step 3: Reporting
It is the responsibility of the auditor to report these risks and threats to management in writing. In the report, the auditor should include the IT audit plan and the objectives to be achieved for that plan. He or she should also include the scope of the audit, the audit procedures, the steps taken during the gathering of evidence, the services of other auditors or experts that were used, his findings, conclusions, and recommendations.
Step 4: Corrective Action Plan and Implementation
As with any audit, findings and recommendations reported to management must be taken seriously and a corrective action plan must be implemented. The most critical threats should be addressed immediately and reported to the Board of Directors if deemed appropriate. The audit committee of the Board should monitor progress and oversee the follow up activities.
With the exposure of numerous data breaches in recent years and media coverage, organizations are becoming increasingly aware of the importance of an infrastructure security review. We have learned that its not enough to have firewalls and anti-virus and malware protection. An infrastructure security review should be a routine activity for all organizations.