How do you tell if your information technology environment is properly implemented? An audit is the best way to find out. Many organizations do not have sufficient staff or resources to be able to perform such an audit. Even if you do have a robust internal IT department, an independent assessment should be performed. You can’t audit yourself. An overall assessment of an organization’s cybersecurity practices and controls, both physical and non-physical, is needed to identify areas that can potentially result in unauthorized access and/or confidential and critical data being compromised. A complete cybersecurity audit entails assessing risks, reviewing policies, reviewing documented controls, assessing compliance with regulations, and providing recommendations to strengthen the internal controls.

Cybersecurity Risk Assessments:

Risk, measured in terms of impact and likelihood, is the possibility of an event occurring that will have a negative impact on the achievement of objectives. A Risk Assessment is a systematic process for identifying, evaluating, and prioritizing risks and threats, whether internal or external, facing your organization. The assessment should be based on the National Institute of Standards and Technology’s (NIST) cybersecurity framework and the Center for Internet Security 18 (CIS18) cybersecurity control categories, to identify threats that could affect the confidentiality, integrity, and availability of systems and data and the safety of the people, connected devices, and the physical environment. A Gap Analysis will provide management with an assessment of an organization’s cybersecurity policies, procedures, and controls and their operating effectiveness, and will identify the gaps that must be remediated to achieve compliance with regulatory requirements. Overall, when complete, each organization will get a better understanding of the capabilities of defenses required to protect against malicious attacks.

Regulatory Compliance Audits:

A regulatory compliance audit is an independent evaluation to ensure that an organization is following external laws, rules, and regulations or internal guidelines, such as corporate bylaws, controls, and policies and procedures. Compliance audits may determine if an organization is conforming to an agreement, such as when an entity accepts government or other funding. Compliance audits may also review IT and other security issues, compliance with HR laws, quality management systems, and other areas. The compliance audit should assess the overall effectiveness of your organization’s compliance practices and protocols with cybersecurity regulations such as HIPAA, PCI-DSS, NYS Ed Law 2d and FERPA, and NYSDFS 23 NYCRR 500.

Policy Review and Documentation:

A policy is a system of guidelines, implemented as a procedure or protocol, to guide decisions and achieve rational outcomes throughout an organization. The review should assess the current inventory of policies for existence, completeness, and accuracy in alignment with best practices or regulatory requirements, and should provide recommendations for updating or initially documenting policies to meet all applicable regulatory requirements.

Information Technology Application Controls (ITAC) Audits:

ITACs are responsible for protecting the transactions and data associated with a specific software application. They are unique to each application and focus on input, processing, and output functions. They ensure the completeness and accuracy of records created by the application, the validity of data entered into those records, and the integrity of data throughout the lifecycle. ITAC audits, or information systems audits, examine the management controls within IT infrastructure and business applications. ITAC audits can be performed as a stand-alone assessment or in conjunction with an internal audit or another form of attestation engagement.

Information Technology General Controls (ITGC) Audits:

ITGCs apply to all systems, components, processes, and data for a given organization or information technology (IT) environment. The objectives of ITGCs are to ensure the proper development and implementation of applications, as well as the integrity of programs, data files, and computer operations. As part of an ITGC audit, an assessment of your organization’s controls related to logical access over infrastructure, applications and data, system development life cycle, program change management, data center physical security, system and data backup and recovery, and computer operations should be performed.

Department of Defense (DoD) and Cybersecurity Maturity Model Certification (CMMC):

To safeguard sensitive national security information, the Department of Defense (DoD) launched the Cybersecurity Maturity Model Certification (CMMC) 2.0, which replaced NIST 800-171 on DoD requirements in late 2020. This is a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks. The CMMC will not allow for self-attestation, and every organization that does business with the DoD will be required to undergo an audit by an authorized auditing entity before bidding on a contract or subcontracting to a prime. An assessment of your current policies, procedures, and controls can provide recommendations and help organizations achieve CMMC compliance.

SOC 2 Type 2 Readiness:

A SOC 2 Type 2 report is an internal controls report capturing how a company safeguards customer data and how well those controls are operating. Companies that use cloud service providers use SOC 2 reports to assess and address the risks associated with third-party technology services. An assessment of your current policies, procedures, and controls can be performed to achieve SOC 2 Type 2 audit readiness.

Joseph Horowitz, Director of Compliance and Audit
Stetson Cybergroup
(631) 417-3726