Honestly, the next time I am on the receiving end of an IT audit and am asked if the workstations have antivirus installed, I’ll go crazy! It’s like all auditors who aren’t “real auditors” simply go through the same old questions and fail to ask the questions that matter. I get asked “do you have antivirus installed, do you have password strength policies, are staff required to change passwords, do you take regular backups and who has access to the server room?”. None of which focus on the business’s risks.
So here are the questions auditors should ask.
What are the top three risks to the business that involve IT?
I say three to get the ball rolling and to give the question some scope. But one might also ask what the most significant risks are.
What are the threat vectors that may see the risks realised?
How might someone or something affect the business and change the risk from theoretical to factual? Fire, accident, incompetence, sabotage, etc.
What would the cost be to recover from that realised risk?
If the event succeeded and the risk was realised, what would the cost be to the business to recover? By “cost” I mean money, time, reputation, etc.
Show me the business continuity plan for these risks?
What is the identified cost to mitigate the risks and how will the business cope during the disaster? How long can the business cope without income (assuming income is affected)? If the plan can be shown to exist and is current, one could assume the answers to the previous questions (if they were “yes”) are true. Of course the quality of the document’s contents would need to be assessed.
Does the executive team champion risk management?
The IT team and the marketing team can’t manage security risk alone, but both play a part. For example, if the IT team was asked to manage IT security alone, client data may be discarded immediately after use, while the marketing team might argue client data is valuable intellectual property and should be kept indefinitely. Therefore neither IT nor marketing should manage security alone. It must be mandated from the top.
Is risk management on the executive meetings agenda?
The executive team should be discussing risk regularly (and I bet they are), and that should include IT. Not just IT, but payroll, building maintenance and finance too. Imagine the building burnt down and staff had to rebuild the business across the road: they’d still like to be paid by the normal time next week, which means payroll needs to be operational too.
Those 6 are the starting point and there are others. Yes, we do need to know if antivirus is installed on workstations and if backups happen and are tested, but they are low-level questions that come later.
The above 6 are the questions I’d be asking and I encourage auditors to do the same. Don’t just ask the same stupid questions about antivirus, passwords and backups. Start from the top and work your way down.