Editor’s Note: This post was originally posted on April 21, 2016 and has been updated for accuracy and comprehensiveness.
According to TechTarget, “a security audit is a systematic evaluation of the security of a company’s system by measuring how well it conforms to a set of established criteria.”
Security audits can ensure your business’ safety by evaluating the health of various security assets and functions, such as configuration and software—but only when done right.
To start a security audit, you need a set of standards for your company’s IT and physical security. Everything you review will be measured against those criteria to determine whether it meets the standards needed to protect against all types of threats. These standards should be agreed upon by your leadership team in advance of your audit. A high-quality security vendor can help you determine those standards, if needed.
Then you’re ready to start preparing for the audit. Follow the tips and best practices here to get ready.
1. Assess Your Equipment
First, decide what will be audited to determine project scope. Evaluate (if applicable to your business) the following equipment:
- Access control solutions.
- Computers, laptops and tablets.
- Network video recorders (NVRs).
- Fire alarms, burglar alarms and carbon monoxide alarms.
- Energy management solutions (e.g. smart thermostats or lights).
- Employee smartphones.
- Routers and network equipment.
- Point of sale (POS) systems.
- Security systems and monitored alarms.
- Video surveillance cameras.
2. Determine Your Business’ Threats
Once you have prioritized your equipment, sit down and identify your business’ risks, such as weak networks, unprotected devices or malicious activity. When compiling your list of potential threats, ask yourself the following questions:
- How secure are company networks?
- How many employees have access to company passwords and systems?
- Are employees utilizing the right safety measures, such as VPNs, when accessing information outside of the office?
- Do we have the appropriate anti-virus and anti-malware software in place?
- Has my business conducted threat assessments in the past, such as cyber threat assessments?
- Are all devices password or passcode protected?
- Does my business have protection and prevention systems installed (e.g. intrusion detection system [IDS] and intrusion prevention system [IPS])?
- Are employee devices in the workplace secure?
- How often is data backed up?
- Do we store sensitive information, such as credit card data, in our systems?
Diving into these questions will help you, your security vendor and your IT team decide how in-depth your audit should be.
3. Connect with Your IT Team
Now that you have identified your sensitive assets and the threats they face, it’s time to work with your IT team to get your audit rolling. Before beginning your security audit, set up a meeting with your IT crew to cover the following:
- Discuss team roles and responsibilities, such as who will be auditing specific equipment and who the main point of contact is for updates.
- Ensure necessary training is in place, such as qualifications to assess certain software or systems. If your internal IT team does not have the necessary qualifications, consider outsourcing to a third-party vendor.
- Determine a timeframe in which the audit will be conducted.
- Schedule meetings on a regular basis to touch base with your IT team to discuss audit progress and status.
Once the audit is complete, you may discover a need for improving your company’s security. If you have questions about how to update or upgrade your system, just reach out to the Vector Security team of experts.