2018/12/26 11:45:07

Why book a security audit?

Information security threats are felt more and more acutely by business. The ever more varied arsenal of cybercriminals is pitted against steady improvements in cybersecurity tools. A security audit remains one of the key methods of preventing data loss and disruption of an enterprise's business processes. Pavel Volchkov, head of the consulting department at the Information Security Center of Jet Infosystems, helped us understand why to carry out an audit, why security cannot be ensured by in-house resources alone, and how to select the right auditor.


Main threats of information security

Disruption of business process availability and breaches of data confidentiality remain the key problems a business can face. Gartner analysts note that data itself (and therefore the question of its security) is the key link without which digital transformation is impossible, and that about 40% of companies pursuing digitalization will allocate additional spending on protection against cybercriminals in the next two years.

"If we consider threats at the technological level, the most relevant scenarios now are complex attacks that begin with social engineering methods and exploit vulnerabilities in corporate Windows infrastructure," adds Pavel Volchkov, head of the consulting department at the Information Security Center of Jet Infosystems.

Why business cannot ensure security on its own

One of the problems that companies wishing to ensure information security face most acutely is a serious staff shortage. Experts see it as one of the key reasons for vulnerability, not only in business but also in the public sector. Cybersecurity processes, and the attitude towards them in the corporate environment, are insufficiently mature and are not supported by all the necessary tools. As analysts note, it is monitoring of the state of information security that suffers first of all.

Despite this, many enterprises rely entirely on their own cybersecurity departments. But according to market experts, security that meets the required standard is unattainable without involving external resources.

Another important point is the accumulation of expertise. The whole world moved to outsourcing expertise long ago. A hypothetical incident response specialist grows professionally much faster in a commercial SOC or CSIRT than in an in-house cybersecurity department, thanks to the intensity of the work and interaction with a large team of experts. Nor should one forget that cybercriminals' skills are constantly improving.

As a rule, companies choose outsourcing for a simple reason: an internal team cannot spread its efforts across every type of activity. Information security audit is exactly one such process.

"An audit is a comparison of the current state (AS IS) with a pre-selected standard, followed by analysis of the reasons for discrepancies and study of options for eliminating them (reaching TO BE). Either the company's internal information security documentation or international cybersecurity standards can be selected as the standard," adds Pavel Volchkov.

Another strong advantage of such services is an outside view. Experts note that an external auditor often notices nuances that are not obvious to an employee of the company's cybersecurity department.

What stages a security audit consists of

First of all, the purpose of the audit must be defined: why it is carried out, what result should be obtained and how it will be used. After that, a specific program describing all the steps to be taken is developed. Experts note that it should be as clear and transparent as possible for all participants in the process. It should also contain the audit schedule and the interview plan. This part is better not neglected: specialists should define whom they will talk to and on what subjects.

"The subsequent process can be divided into three main parts: collecting information, analyzing it and documenting it," explains Pavel Volchkov. "As the output, the customer receives analytical conclusions about the current state of information security in the selected area and recommendations for raising the level of security."

What a cybersecurity audit gives customers: an example of a roadmap for a year

Depending on the purpose of the audit, a wide variety of tools can be used: tools for inventorying IT infrastructure elements, vulnerability scanners, separate self-written tools that automate particular checks and, of course, vendor software for diagnosing the state of a specific technology. Some types of audit, such as code analysis, are simply impossible without specialized tools.

How to select the right audit company

Experts advise paying attention first of all to the proposed work methodology. It is important that the cybersecurity audit is comprehensive and covers all possible areas, from business processes to individual elements of the IT infrastructure.

The contractor should be ready to carry out the work not "from a photograph" but through internal interviews and manual (or semi-automated) checks of configurations. Already at the pre-sale stage it is reasonable to request the audit methodology, the resourced project plan, the interview plan, the CVs of the specialists and so on.

Specialists also point out that it is important not to forget to request letters of recommendation and examples of projects the auditor has already completed.

A comprehensive approach to a cybersecurity audit

Timeline, cost and payback of the project

Here it is important to understand that an information security audit of an entire enterprise is a highly scalable service. In some cases it will cover one or several small systems, in others the whole corporate infrastructure. Project cost, naturally, depends strongly on the volume of work.

"Two key parameters influencing audit cost are the volume of the infrastructure being checked and the required depth of inspection," comments Pavel Volchkov, head of the consulting department at the Information Security Center of Jet Infosystems.

At the same time, it is rather difficult to speak about the payback of a security audit, as with any other activity connected with cybersecurity departments. Genuinely working payback assessment techniques do not exist yet. However, most of the market agrees that a cybersecurity audit with a correctly set objective is a necessary investment that will surely pay for itself.

An example of a successful case

One of the most recent examples from 2018 is an expert cybersecurity audit at a bank, followed by the development of an information security strategy. The project was carried out by Jet Infosystems, which annually implements more than 50 different information security audit projects.

"During this project we identified problems concerning not only the cybersecurity block but also ones that belong specifically to the IT direction, connected, for example, with network architecture and virtualization systems. After the audit was completed, the bank engaged us to solve these problems and acknowledged the professionalism of our work with a letter of recommendation," says Pavel Volchkov.

Another example is a large-scale audit for one of the largest companies in the country, on which 25 specialists worked in parallel. In a short time, Jet Infosystems specialists inspected the information systems, protection tools and industrial control systems (APCS) of the customer's enterprises across the whole country. As the output, the company received a roadmap of information security actions for the next 2-3 years.

For additional information, contact the specialists of Jet Infosystems.