How to audit your own IT processes

Auditing your IT processes is an important task, one that needs to be done regularly and thoroughly. Here at Technical Framework we take IT process auditing very seriously. As the Fort Collins & Greeley IT support and consulting firm with a reputation for meticulous auditing, we know that we need to deliver. Here are some of the key lessons we have learned after many years of auditing.

Know Where Your Company’s “Crown Jewels” Are: It is vital that the IT manager knows where the most critical resources are. Unfortunately, many firms do not know where their key assets are located. The first priority is to locate the ‘crown jewels’; this will ensure a thorough audit.

Check Your Security, Privacy Policies and Standards: Yes, this is an obvious one, but it is still an area that many miss. Auditors need to look at the policies and standards relating to access control, network security, data classification, vendor management, vulnerability management and data leakage prevention, and ensure that these are being implemented organization-wide.

Determine the Efficacy of the Identity and Access Management (IAM) Process: Clearly the IAM process is vital for making sure that efficient onboarding, offboarding and provisioning is occurring. The auditors need to look at workflows and approval hierarchy.

Ensure That Users Know Their Roles and Responsibilities as Related to Security and Privacy: It is vital that IT communicates the different functions, objectives and protocols relating to security and compliance to all involved parties. Any good auditing process will involve ensuring these are communicated properly.

Examine the Effectiveness of the Monitoring Process: This concerns the security information and event management (SIEM) systems. It also includes the suitable regulatory standards, e.g., US Sarbanes-Oxley Act, US Health Insurance Portability and Accountability Act (HIPAA), US Gramm-Leach-Bliley Act (GLBA), Payment Card Industry Data Security Standards (PCI DSS), Basel II, etc. A good auditor will ensure these SIEM systems are in place.

Review All the Governance Processes for the Firm: Certainly, this is beyond the IT manager’s direct control, but it is an important area of compliance and needs to be covered in the audit despite the issues.

Audit the Extended Enterprise: Many audits have failed in this domain. The extended enterprise is concerned with extranets as well as all partners, vendors and outsourcers. This is a massive domain and is too much for most, but the perfect audit will involve these as well.

If you have any questions regarding the auditing of your IT processes, feel free to contact us. We are here to help and will be able to guide you through the auditing process. Remember, we deliver a unique blend of hands-on support and consulting for all our clients and will provide you with a bespoke service that delivers everything you want and need.