Nick Podhradsky, EVP — Sales, SBS CyberSecurity and Clinton Watkins, CISA, CCBSP — Senior IT Auditor, SBS CyberSecurity
Security and IT professionals across the world have invested a large amount of time and effort transitioning to a remote workforce. At the start of this transition, much of the time was spent on getting the technology up and running, securing remote access, and finding a way to conduct business as normal (or as close to normal as possible). Now that the initial shock to the system is somewhat behind us, it is time to shift our mindset back to proactive security.
It’s important to keep in mind that cybersecurity risks grow significantly during a time of uncertainty. In fact, we have seen a massive increase in cyber incidents in recent weeks stemming from phishing emails, phone calls, malicious websites and data maps, and ransomware attacks. The spike in malicious activity is so severe that researchers have seen an increase of 667% in phishing email attacks alone in the month of March.
A critical component of proactive security includes continuous process improvement, including regular testing of an organization’s people, processes and technology. Many times, an IT audit is how we verify that proper security measures are in place and are effective.
A traditional on-site IT audit has historically required a security firm to send a qualified information security auditor on-site to review policy, procedures and technical controls, as well as to conduct investigative interviews. The auditor typically examines whether the organization is compliant with its own program (and with applicable regulations), as well as identifying possible gaps in the adequacy of controls.
The Future of the IT Audit is Virtual
In response to the COVID-19 virus, regulatory agencies have announced plans to conduct virtual IT examinations. This may seem like a novel idea; however, virtual IT audits have been around for years.
A virtual IT audit should follow the same process as the on-site audit, except that all the work is done remotely. The virtual audit requires the same evidence, documentation, scope and process. An added bonus of a virtual engagement is that your IT auditor is not spending time traveling, so the audit process should be more efficient from start to finish.
Here are three common questions and solutions to note when conducting a virtual IT audit.
Question 1: Can the IT auditor communicate effectively if the service is performed virtually?
Answer: Communication is important for all services; however, in a virtual IT audit, communication is absolutely vital to the value that the organization gets from the engagement. A virtual IT audit should use several different communication channels, such as online meetings (with screen sharing and conference call capabilities), video conferencing (when available), email, secure information sharing portals, phone calls, and text messages, to ensure the quality of the process. Communication expectations should be set up front with your auditor.
Question 2: What about the availability of the auditor vs. our in-house staff? How does that work?
Answer: When an auditor is on-site, it is easy to get access to your team for interviews, questions and concerns. When the auditor is virtual, it’s even more important that the auditor gets access to the staff and information needed to conduct the audit.
With a virtual IT audit, a schedule should be created for the duration of the audit that encompasses the topics and information security program (ISP) components to be reviewed, interview times for your staff members, regular check-ins with your team, and a formal Exit Meeting to discuss findings and recommendations.
Question 3: What about physical security checks? How can you validate physical security controls if you’re not on-site?
Answer: Physical security is a very important component of an information security program and needs to be addressed even in a virtual IT audit. Physical security can be reviewed and assessed through video or photos of each physical control to ensure the completeness of the audit. If you have the ability to turn on a webcam and walk your IT auditor around your physical premises virtually, that’s the preferred option.
Don’t push off your IT audit until later. Stay ahead of cybersecurity threats and incidents with a virtual IT audit.
For more information, contact Reece Simpson at 605-270-3916 or reece.simpson@sbscyber.com.
SBS delivers unique, turnkey cybersecurity solutions tailored to each client’s needs, including risk management, consulting, on-site and virtual auditing, network security and education. Learn more at www.sbscyber.com.
This story appears in 2020-2021 Issue 1 of the Nebraska Banker Magazine