Top 10 Risks Found by Our Auditors

by Sarah Harvey / June 9th, 2015

Are you in the process of getting your annual audit performed? Are you preparing for your annual audit? We have compiled a list of the Top 10 Risks we most commonly find when auditing information security to help you better strengthen your own environment. Take a look at what our auditors have found to be common shortcomings and make sure you’re not making those same mistakes at your organization.

1. No Formal Policies and Procedures

Formally documented policies and procedures give your employees clear guidance on what is expected of them. They define accountability for each employee and establish the training that is required.

2. Misconfigurations

Standards need to be applied consistently. Organizations should use benchmark configuration standards from a recognized body such as the Center for Internet Security (CIS), the International Organization for Standardization (ISO), the SysAdmin, Audit, Network, and Security (SANS) Institute, and the National Institute of Standards and Technology (NIST).

3. No Formal Risk Assessment

A risk assessment should cover the assets that are critical to continuing your business operations. This includes hardware, software, human resources, and processes (automated or manual). Important things to consider are the threats to your assets and the likelihood of a particular vulnerability being exploited. Threats can be internal (employees, third-party contractors, or partners) as well as external (natural events or social engineering). Developing a formally written strategic risk assessment can help you mitigate the risks you may face.

4. Undefined Incident Response Plan

When defining incident response, it is always important to have clear instructions on reporting procedures. Best practice is to build a culture within your work environment that encourages the reporting of all incidents the moment they present themselves; this helps minimize damage.

5. Lack of Disaster Planning

We’ve stressed before the importance of planning for the inevitable disaster (whether natural or human). Written plans matter because they give others something to follow in the event that key personnel are unavailable. Proactive arrangements should be made to care for the staff and to communicate with third parties. Walkthroughs and training scenarios ensure that employees are properly trained for the event of a disaster.

6. Lack of Testing

The concept of testing applies to all areas of your security. If your security is not tested, there is no way to determine whether or not vulnerabilities are present. Conducting a third-party audit is not a replacement for internal testing, merely a great way to validate it.

7. Insecure Code

Secure coding is something we find a lot of companies struggling with. To develop code securely, training must be implemented along with specific development standards and quality assurance.

8. Lack of Monitoring/Audit Trails

Log harvesting, parsing, and alerting methods must be determined in order to deal efficiently with massive event logs. The responsibility for review must be formally assigned as part of daily operations. Audit trails should be stored in such a way that system administrators cannot modify them without alerting someone with an oversight role.
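One way to meet the last requirement is a hash-chained audit trail whose latest hash is handed out of band to the oversight reviewer; the code below is an added illustration, not something from the original post or from KirkpatrickPrice, and the event records, field names, and reviewer "anchor" are constructed for the demonstration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # fixed starting link for an empty trail

def _entry_hash(prev_hash, event):
    # Canonical JSON so an identical event always hashes identically.
    payload = prev_hash + json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()

def append_event(chain, event):
    """Append an event dict to the trail; each entry commits to the previous hash."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    chain.append({"event": event, "prev_hash": prev_hash,
                  "hash": _entry_hash(prev_hash, event)})
    return chain

def verify_chain(chain, anchor):
    """Re-derive every link and compare the head with the reviewer's anchor.
    The anchor is the latest hash sent out of band to the oversight reviewer."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if (entry["prev_hash"] != prev_hash
                or entry["hash"] != _entry_hash(prev_hash, entry["event"])):
            return False, f"entry {i} altered or link broken"
        prev_hash = entry["hash"]
    if prev_hash != anchor:
        return False, "chain head does not match reviewer's anchor"
    return True, None

# Constructed sample events for the demonstration (not real log data).
SAMPLE_EVENTS = [
    {"ts": "2015-06-09T08:00:00Z", "user": "alice", "action": "login"},
    {"ts": "2015-06-09T08:05:00Z", "user": "alice", "action": "read", "object": "payroll.xlsx"},
    {"ts": "2015-06-09T08:07:00Z", "user": "admin", "action": "grant", "object": "payroll.xlsx"},
]

def demo():
    """Return verification results for an intact, an edited, and a truncated trail."""
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    anchor = chain[-1]["hash"]               # handed to the oversight reviewer
    intact = verify_chain(chain, anchor)
    edited = copy.deepcopy(chain)            # administrator rewrites the grant record
    edited[2]["event"]["user"] = "alice"
    truncated = chain[:2]                    # administrator deletes the grant record
    return intact, verify_chain(edited, anchor), verify_chain(truncated, anchor)
```

Editing a record breaks its own hash, while deleting the newest records or re-hashing an edited one leaves a head that no longer matches the anchor the reviewer holds, so either change is visible to someone other than the administrator.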

9. Data Leakage

We often forget all the places our data is located. How long should it be retained? How do we implement and verify encryption? How is access to data granted? How is that access audited? These are all important components of your security environment, and if not handled correctly, they can keep you from complying with federal and industry standards and regulations.

10. Lack of Training

A lack of training can prove to be a striking blow to the security of your organization. Employers should recognize the importance of properly training all employees on safety and security best practices. Policies and procedures should be clearly determined and disseminated in every organization. KirkpatrickPrice offers several training opportunities to help train you and your company on the basics of security awareness, awareness for managers, awareness for IT professionals, and awareness for credit card handling.

It all begins with a Risk Assessment. Determining what your individual risks are is the first step towards mitigating those risks. KirkpatrickPrice is dedicated to helping you reach maximum security. Contact us today to find out how we can help.