Since 2020, we have seen how workplaces have transformed and how the old IT rules hardly apply anymore. This shift in the work environment has exposed weak links in IT security infrastructure and has offered lucrative opportunities for cybercriminals. Even though IT infrastructure has undergone a transformation, IT audit methodology remains much the same. And now it is more important than ever to have a strong and secure foundation for your IT infrastructure.
Putting IT infra through a security audit can be a daunting task. With its complex architecture and hundreds of security threats to protect from, you need a comprehensive guide. An IT security audit methodology consists of steps to follow for an overall evaluation of the organization’s security infrastructure including both physical and software aspects. This helps in conducting a proper audit based on a standard framework and by following a streamlined process. From intel gathering to the final report, an IT security audit methodology helps in going about it in a planned manner.
The main purpose of an IT audit can be summarized as the answers to the below questions:
- Will the organization’s systems be up and running when required?
- Will the information within the organization be secure and be available only to authorized users?
- Will the information from the system be reliable and accurate at all times?
The answers to these questions will help us in ensuring the availability, confidentiality, and integrity of the IT system. The IT audit methodology will help you to determine the strength of these core principles and protect the system from cyber attacks and data leaks.
Understanding Internal Controls
Controls are basically procedures and policies that are put in place to safeguard the organization against cyber threats and protect the assets. These controls have certain limitations, thus they need to be reviewed and monitored to ensure that it performs as expected. They can be divided into three types: preventive, detective, and corrective controls.
- Preventive controls: These are the controls that prevent any negative incidents to happen. Organizations routinely perform these control procedures including administrative or physical such as segregation of duties. An example of such a control is to have separate individuals write and authorize checks for payments.
- Detective controls: These are the controls that are utilized after an adverse event to find out the cause, extent of damage, and protective next steps. Internal audits are an example of such controls.
- Corrective controls: These controls are invoked after the detective controls. Examples of corrective controls are software patches and updates, filing reports, and modifications to the system.
Phases of an IT Audit
There are 4 significant phases in an audit:
1. Planning phase
Preliminary information gathering and assessment
Planning is an integral part of any audit. In the beginning, planning is done to create a process flow based on an initial reconnaissance of the entire system. The plan is updated according to the test results of the initial assessment.
Overall knowledge of the infrastructure
The auditor is responsible for culminating all technical and non-technical information about the organization and the systems. This helps in scoping out the work and planning the areas to be audited. The following are some aspects of this early stage information gathering:
- Operating environment and functions of the organization’s systems
- Dependency on the IT infrastructure
- Organizational structure
- Software and hardware information
- Current and past security issues within the organization
This information-gathering step helps in finding potential areas of concern and defining the scope of the audit.
2. IT audit scope and objective
From the above steps, the auditor gains relevant information and details to define the objective and scope of the IT audit in a clear and detailed format. The initial risk assessment forms an important part of the process and answers questions pertaining to three primary security goals, confidentiality, integrity, and reliability.
Risk assessment consists of ranking the potential threats from low to high, or other scientific or complex metrics. The ranking depends on the severity of the issue with respect to the extent of damage it can cause or the ease of exploitation. Vulnerabilities that are easy to exploit and those causing a high degree of damage must be ranked comparatively higher.
These assessments should also include inputs from the management authorities, questionnaires, reviewing available documents, and a survey of applications.
Below are some common IT audit objectives:
- Review existing IT security systems
- Review of specific programs and systems for performance and security
- Analyzing security standards at various development phases
Objectives are not limited to the above-specified ones. IT audit should cover all major areas such as security settings, firewalls, physical security, and access rights, to name a few.
Related blog – Penetration testing Company
3. Evaluating collected evidence
Through rigorous testing and prodding the security infrastructure, various types of evidence are gathered that must be interpreted to compile the results of the audit. There are various techniques to test a system and obtain results. Evidence can be majorly 3 types:
- Documentary evidence
- System analysis
- Observation of processes
4. Documenting audit results
Proper documentation of the results forms an integral part of IT security audit methodology. The final report should be in a very consumable format for stakeholders at all levels to understand and interpret. It must contain details such as the audit plan, audit scope, tests carried out, findings and detailed solutions, and next steps to remedy the security issues.
IT Security Audit Methodology
The methodology of IT audit can be divided into 5 parts. Let’s discuss these points.
1. IT controls
The current IT systems need to be tested for both substantive and compliance aspects. Compliance testing is done to assess whether controls are being applied according to the documentation offered by the client. It also checks if IT controls follow the compliance levels in accordance with management procedures and policies. In substantive testing, the adequacy of the controls is substantiated on whether they are able to protect the organization from cyber threats. These tests need an in-depth understanding of the different kinds of threats such as unauthorized access to assets including data, unusual interactions with the system, data corruption, inaccuracy in information, etc.
2. General control audit
In a summarized form, general controls are concerned with the applications, databases, operating systems, and IT infrastructure support. The purpose of an audit in this area is to check the following points:
- Databases, applications, and infrastructure support having logical access controls
- Management controls for program changes
- Recovery and backup related controls
- Physical security of data centers
- Controls for the system development cycle
3. Application control audit
Application controls are application-specific controls and have a high impact on individual transactions. These controls ensure and verify that all transactions are authorized, safe, and recorded. To proceed with this phase of the audit, there is a need for a deep understanding of the working of the system. For this analysis, a brief description of the application is required, along with details of transactions including volume, involved data, and flow. This audit can be subdivided into:
- Input controls
- Processing controls
- Output controls
- Stationary file control
4. Internet and network controls
Most of the organizations either use local area networks for their operations. This leads to the risk of access by unauthorized users if not monitored and protected properly. The fundamental requirement of a network is to be accessible by only authorized users. Controls should be implemented to eliminate issues like data corruption, data loss, or interception while being transmitted.
5. IT Audit standards
The IT audit should comply with the internationally accepted security standards. Some of these are mentioned below:
- ISO Compliance: The ISO publishes a slew of guidelines that ensure reliability, quality, and safety. ISO 27001 is suitable for information security requirements
- PCI DSS Compliance: These standards apply to any company that is involved with customer payments. This is necessary to ensure that all transactions are secure and protected.
Tools for IT audit methodology
To have an impactful IT audit you need the right set of tools. You can use Kali Linux OS as it contains a suite of useful tools as mentioned below. Setup Kali-Linux either by dual-booting or running in a virtual machine.
This tool is a good choice for reconnaissance in black-box testing. You don’t even need to install it. Just download it and run the program by using the below script:
This will open up the interface and let you select the type of recon you want and then once you enter the target IP, it will scan it for you.
It is one of the most popular tools for IT audits. Used to detect open ports and gather intelligence on the internal network. Simply open up the terminal and type in the below command to start scanning:
nmap -v -sS -A -T4 target
Replace the target with the IP and it will run a stealth scan on it.
Related blog – Web Application Security Testing
Nikto is a great tool that can be used to detect server misconfigurations. To use it, type in the following command:
nikto -h www.your-site.com
Metasploit is one of the most popular frameworks for detecting any vulnerabilities and is widely used as an IT audit tool. Open the terminal and type in:
This is one of the best tools for checking for SQLi vulnerabilities on your site. Select a parameter to test and open the terminal and type in:
sqlmap -u "www.your-site.com/page?param=1" --dbs --random-agent –batch
Replace the URL with the target URL and param with the parameter you want to check. Then this tool will automatically check for all SQLi bugs and display the names of all the databases.
IT audits are an integral part of security protocols. With ever-evolving cyber threats, a periodic review and audit of the complete IT infrastructure will help you stay ahead of cybercriminals and protect your organization. If you want a comprehensive IT audit with a detailed report containing all issues and solutions, then check out Astra’s audit services.