Audit Checklist
Here is a comprehensive audit checklist for your organisation to follow.
1. Develop and deploy a comprehensive cyber security policy
A cyber security policy should include the following:
- Well-defined roles and responsibilities for all team members
- Proactive risk management strategy
- An outline of incident response procedures
- Procedures to review the policy regularly with an understanding that it will evolve over time
2. Implement a strong password policy
Password policies should ensure employees routinely update their passwords with unique, complex passwords that are not easily guessed. Rules within this policy may dictate that all passwords contain:
- Upper case letters
- Lowercase letters
- Numbers
- Special characters
3. Require multi-factor authentication
Multi-factor authentication (MFA) is an additional security level that requires employees to perform two or more steps of authentication before they are able to access accounts or sensitive data. It helps to ensure that those not permitted to access certain systems or data are unable to do so.
4. Limit system access for employees strictly to where it is necessary
Effective access control ensures that sensitive data and systems are only accessible to employees who need them to perform their duties. It also ensures that a breach of one employee’s account does not put an entire system at risk of compromise beyond what that employee has access to.
5. Provide end-user training for employees
Oftentimes, untrained employees are the root cause of a data breach. Therefore, frequent and up-to-date cyber security training for employees ensures they are aware of and can recognise potential threats.
Cyber security training for employees can include:
- Phishing and email safety
- Password security
- Device security
6. Ensure operating systems, applications, and software are up to date
Threat actors often turn to outdated systems and applications to exploit known vulnerabilities. Therefore, it is important to implement a policy that ensures all integral systems, applications, and software (including antivirus and antimalware software) are updated regularly.
7. Log and monitor user activity
Logging activity facilitates both post-incident investigations and compliance with regulatory requirements.
Data points you should consider logging include:
- User activities
- Attempted accesses
- Significant network events
8. Develop a device security policy
A device security policy can include requirements such as:
- Restrictions on employees plugging external storage into their devices
- Procedures for dealing with lost or stolen devices
- Procedures for replacing outdated equipment
- Implementation of disk encryption and remote-wipe capabilities
9. Encrypt communication platforms
Ensure employees and their data are protected by encrypting communication platforms, including email, messaging, and phone systems. You can also develop policies that prohibit the sharing of sensitive information through these channels.
10. Develop mobile device policies
It is important to ensure that all mobile devices, including cell phones, laptops, and tablets, that will connect to a network or access systems are secure. This may include policies that limit employees from accessing certain systems from their personal devices, as these are not held to the same security requirements as employer-provided devices.
11. Back up data
The regular backup of data to a secure and encrypted location is invaluable in recovering quickly following incidents. Data backup policies can include:
- Schedule regular backups
- Ensure data is protected with robust encryption
- Keep copies of data
- Use reliable cloud data storage to ensure data is backed up offsite
- Monitor data backups for failures or issues
12. Develop an incident response and business continuity plan
Incident response plans determine the procedures your organisation will follow in the immediate aftermath of a cyber-attack. This may include threat identification, neutralisation, and restoration. One aspect of a robust incident response plan is business continuity planning. This determines the steps your organisation will take to continue business operations as effectively as possible during and after a cyber event.
13. Ensure compliance with regulations and standards
If your organisation is required to adhere to national or industry-related regulations, it is essential to ensure all regulatory requirements are being met. Certain industries and standards organisations offer their own frameworks to help ensure compliance. Failure to meet compliance can result in penalties and fines in certain circumstances.
14. Ensure secure remote access
In today’s remote world, employees often need to access systems and data from their homes or other away-from-office locations. However, remote access can open vulnerabilities that can be exploited by bad actors. Requiring secure connections, such as through a VPN, helps to ensure even remote employees are not at risk of an attack.
15. Take a comprehensive asset inventory
In order to secure all systems, your organisation must have a comprehensive understanding of your existing assets, their importance, and their risk of threat. Using this inventory, you can prioritise the allocation of security resources based on the needs of your assets.
16. Implement a data classification system
Data classification systems help to protect sensitive information by classifying it based on its importance. This system can include steps such as:
- Classifying data as public, confidential, and highly confidential.
- Setting clear rules for each category of data, including who can access what, from where, and at what times.
- Selecting data owners for each classification of data.
- Developing guidelines for how to handle, store, and share data of each classification.
- Setting up security controls for each level of data classification.
- Training staff on how to access and handle data in line with company policies.
- Reviewing the policy regularly to ensure it remains relevant and secure.
17. Review third-party security practices
Many organisations use third-party vendors regularly. It is important for organisations to ensure these vendors employ their own robust security policies and procedures before sharing or providing them with access to data or other sensitive information.