Uploaded by

xamem66962
Checklist and Guidelines

In the role of a security analyst, preparing for security audits is crucial for
ensuring that an organisation’s systems, networks, and processes are
secure. Here you will explore various security audit checklists that help in
assessing the security posture effectively.

Checklist in Security Audits

1. User Access Management:

• Evaluate user access rights and permissions: For instance, if you are auditing a company’s CRM system, check that employees only have access to data necessary for their roles. For example, a marketing team should not have access to sensitive financial information.

Alt text: Access control

• Analyse account management workflows: Examine how user accounts are created, modified, and deleted. If an employee leaves the company, ensure that their account is promptly deactivated to prevent unauthorised access.

• Examine the strength of authentication protocols: Check if multi-factor authentication (MFA) is implemented. For example, ensure that employees accessing remote systems need both a password and a verification code sent to their mobile device.

• Identify and review dormant or inactive accounts: Look for accounts that have not been accessed in a while. For instance, find out if old accounts for former employees are still active and remove them to reduce security risks.
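As an added example that is not part of the original checklist, the following Python script applies two of the checks above (role-appropriate permissions and dormant accounts) to a constructed CRM account export. The account records, the department-to-permission policy and the 90-day idle threshold are all assumptions chosen for illustration.

```python
"""Added audit helper (not from the checklist): flag dormant accounts and
permissions that exceed what a user's department is allowed to hold."""
from datetime import date, timedelta

# Constructed sample export: one record per CRM account (hypothetical data).
ACCOUNTS = [
    {"user": "alice", "dept": "finance",   "last_login": "2024-05-20",
     "active": True,  "perms": {"crm.read", "finance.read"}},
    {"user": "bob",   "dept": "marketing", "last_login": "2024-05-18",
     "active": True,  "perms": {"crm.read", "finance.read"}},  # too much
    {"user": "carol", "dept": "marketing", "last_login": "2023-11-02",
     "active": True,  "perms": {"crm.read"}},                  # dormant
    {"user": "dave",  "dept": "it",        "last_login": "2024-01-10",
     "active": False, "perms": {"crm.admin"}},                 # deactivated
]

# Assumed policy: the permissions each department may hold (hypothetical).
ALLOWED = {
    "finance":   {"crm.read", "finance.read"},
    "marketing": {"crm.read"},
    "it":        {"crm.read", "crm.admin"},
}


def dormant_accounts(accounts, today_iso, max_idle_days=90):
    """Active accounts whose last login is older than max_idle_days."""
    cutoff = date.fromisoformat(today_iso) - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts
                  if a["active"] and date.fromisoformat(a["last_login"]) < cutoff)


def excess_permissions(accounts, allowed):
    """Map user -> permissions not permitted for that user's department.
    An unknown department is treated as allowing nothing."""
    findings = {}
    for a in accounts:
        extra = a["perms"] - allowed.get(a["dept"], set())
        if extra:
            findings[a["user"]] = sorted(extra)
    return findings


if __name__ == "__main__":
    print("dormant:", dormant_accounts(ACCOUNTS, "2024-05-21"))
    print("excess permissions:", excess_permissions(ACCOUNTS, ALLOWED))
```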

1|Page
2. Network Defense Measures:

• Inspect firewall settings and configurations: Review security system settings to ensure they block unauthorised traffic. For example, verify that rules are in place to prevent external access to sensitive internal systems.

Alt text: Network security

• Review intrusion detection and prevention tools: Evaluate how effectively these systems detect and respond to potential threats. For instance, ensure that alerts are generated for unusual network traffic patterns that could indicate an attack.

• Ensure the security of wireless connections: Check that Wi-Fi networks use strong encryption methods. For example, ensure that WPA3 is implemented rather than outdated WPA2.

• Analyse the effectiveness of network segmentation: Assess how well the network is segmented to limit the spread of potential breaches. For example, ensure that guest Wi-Fi is isolated from the internal corporate network.

3. Data Security and Safeguarding:

• Examine encryption protocols for data protection: Examine how data is encrypted both at rest and in transit. For instance, check that sensitive customer information is encrypted in databases and during transmission over the internet.

Alt text: Data protection illustration

• Review backup strategies and recovery methods: Verify that regular backups are performed and that recovery procedures are in place. For example, test the process of restoring data from backups to ensure it works as intended.

• Assess procedures for data handling and classification: Ensure data is classified according to sensitivity and handled appropriately. For instance, verify that confidential documents are stored in secure locations and only accessible by authorised personnel.

• Inspect the security of storage mediums and devices: Review security measures for devices like hard drives and USB drives. For example, ensure that these devices are encrypted and protected with access controls.

4. Device Protection Mechanisms:

• Verify installation of antivirus and anti-malware tools: Ensure that all endpoints have up-to-date antivirus software installed. For example, check if the antivirus program on employee laptops is current and regularly scans for malware.

Alt text: Endpoint security

• Review endpoint security settings and configurations: Review settings for endpoint protection tools to ensure they are configured correctly. For instance, confirm that firewalls on endpoints are enabled and properly configured.

• Ensure all security patches and updates are current: Verify that software on endpoints is up to date with the latest security patches. For example, check that operating systems and applications are patched against known vulnerabilities.

• Examine encryption practices on devices: Ensure that sensitive data on devices is encrypted. For instance, check that full-disk encryption is enabled on laptops to protect data in case of theft.

5. Response to Security Incidents:

• Assess the completeness of incident response strategies: Review the organisation’s incident response plan to ensure it is comprehensive and up to date. For example, ensure the plan includes steps for identifying, containing, and eradicating threats.

Alt text: Incident response

• Confirm the presence of a dedicated response team: Confirm that an incident response team is in place and includes members with defined roles and responsibilities. For example, ensure that the team includes experts in IT, legal, and communications.

• Review communication channels and notification protocols: Evaluate how the organisation communicates during incidents. For instance, check that procedures are in place for notifying stakeholders and regulatory bodies as required.

• Analyse procedures for post-incident analysis and improvements: Examine how the organisation analyses and learns from incidents. For example, ensure that post-incident reviews are conducted to identify weaknesses and improve the incident response plan.

6. On-Site Security Controls:

• Check physical access systems for restricted areas: Review security measures for physical access, such as key card systems or biometric scanners. For example, ensure that access to server rooms is restricted to authorised personnel only.

• Assess surveillance and monitoring solutions: Check that surveillance systems are in place and functioning correctly. For instance, verify that security cameras are operational and monitor critical areas.

Alt text: Physical security

• Ensure the security of server locations and data centers: Ensure that physical security measures are in place for server rooms and data centers. For example, check for environmental controls and secure access points.

• Verify methods for the safe disposal of confidential materials: Review how sensitive information is securely disposed of. For instance, ensure that documents are shredded, and electronic data is securely wiped before disposal.

7. Security Governance and Procedures:

• Examine the adequacy of existing security policies: Review the organisation’s security policies to ensure they are comprehensive and up to date. For example, check if policies cover areas like data protection, access control, and incident response.

Alt text: Security policies

• Verify adherence to established security protocols: Ensure that security procedures are being followed. For instance, check if password policies are enforced and if employee training is conducted.

• Assess employee awareness and training efforts: Evaluate the effectiveness of training programs for raising security awareness. For example, ensure that employees receive regular training on security best practices and emerging threats.

• Monitor enforcement and compliance with security policies: Check how adherence to security policies is monitored and enforced. For instance, review audit logs and reports to ensure compliance with established policies.

8. External Vendor Security:

Alt text: Third-party security

• Review the security measures employed by third-party vendors: Assess the security measures of external vendors to ensure they align with your organisation’s standards. For example, verify that vendors handling sensitive data follow robust security practices.

• Verify protections for data shared with external parties: Ensure that data shared with third parties is protected. For instance, check that data transfers are encrypted and that third-party agreements include security requirements.

• Examine contractual security clauses with third parties: Review contracts with third parties to ensure they include adequate security clauses. For example, ensure that contracts specify security responsibilities and data protection measures.

• Ensure proper access controls for third-party entities: Examine how access is managed for third-party entities. For instance, ensure that third parties have limited access to only the necessary systems and data.

9. Regulatory Compliance and Standards:

• Ensure compliance with industry-specific standards: Check that the organisation complies with industry standards such as ISO/IEC 27001 or PCI DSS (Payment Card Industry Data Security Standard). For example, ensure that security practices align with these standards.

Alt text: Regulatory requirements

• Assess conformity with data protection regulations: Ensure that the organisation complies with data protection regulations like GDPR (General Data Protection Regulation) or CCPA (California Consumer Privacy Act). For instance, verify that data handling practices meet regulatory requirements.

• Verify internal policy compliance with security requirements: Confirm that internal security policies are being followed. For example, check if policies are consistently applied across all departments.

• Review the documentation for compliance efforts: Examine documentation related to compliance to ensure it is accurate and complete. For instance, review audit reports and compliance certificates.

10. Event Logging and Surveillance:

• Verify the capture of key security events: Ensure that security events are logged effectively. For example, verify that logs capture critical events such as failed login attempts or system changes.

Alt text: Log management

• Review log storage, retention, and analysis practices: Review how logs are retained and analysed. For instance, check that logs are stored securely and reviewed regularly for signs of suspicious activity.

• Ensure real-time monitoring of security events: Verify that real-time monitoring is in place to detect and respond to security incidents promptly. For example, ensure that alerts are generated for unusual activities.

• Assess incident detection and alerting systems: Examine how incidents are detected and alerts are generated. For instance, check if monitoring tools are configured to alert the security team of potential threats.
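As an added example that is not part of the original checklist, this Python script runs two of the checks in this section against constructed auth-log lines: it confirms that the event types the audit expects (failed logins, successful logins, privileged commands) actually appear in the log, and it flags a source that produced a burst of failed logins of the kind that should have raised an alert. The log lines, hostnames, addresses and the 5-failures-in-60-seconds threshold are constructed assumptions.

```python
"""Added log-review helper (not from the checklist): check event coverage and
detect failed-login bursts in syslog-style authentication records."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical host and addresses).
LOG_LINES = """\
2024-05-21T09:00:01 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 4001
2024-05-21T09:00:03 host1 sshd[102]: Failed password for root from 203.0.113.5 port 4002
2024-05-21T09:00:04 host1 sshd[103]: Failed password for root from 203.0.113.5 port 4003
2024-05-21T09:00:06 host1 sshd[104]: Failed password for root from 203.0.113.5 port 4004
2024-05-21T09:00:07 host1 sshd[105]: Failed password for root from 203.0.113.5 port 4005
2024-05-21T09:00:09 host1 sshd[106]: Accepted password for alice from 198.51.100.7 port 5000
2024-05-21T09:15:00 host1 sudo: alice : COMMAND=/usr/bin/systemctl restart nginx
2024-05-21T10:30:00 host1 sshd[107]: Failed password for bob from 198.51.100.9 port 5100
""".splitlines()

# Timestamp and source address of an sshd failed-login record.
FAILED = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")


def failed_login_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source: total_failures} for every source that produced at
    least `threshold` failed logins inside some window of length `window`."""
    per_source = defaultdict(list)
    for line in lines:
        m = FAILED.match(line)
        if m:
            per_source[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    bursts = {}
    for src, times in per_source.items():
        times.sort()
        start = 0                      # sliding window over sorted timestamps
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[src] = len(times)
                break
    return bursts


def coverage_gaps(lines, required=("Failed password", "Accepted password", "sudo:")):
    """Expected event types that never appear in the sample, which suggests
    the log source is not capturing them."""
    return [ev for ev in required if not any(ev in line for line in lines)]
```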

11. Application and Software Security:

• Review security measures in web-based applications: Assess the security measures in place for web applications. For example, check for vulnerabilities such as SQL injection or cross-site scripting (XSS).

Alt text: Software security

• Verify secure development and coding practices: Ensure that coding practices follow security standards. For instance, verify that developers use secure coding guidelines to prevent vulnerabilities.

• Assess software patching and update processes: Confirm that software updates and patches are applied promptly. For example, ensure that security patches are installed as soon as they are released.

• Analyse the security of custom-built software solutions: Evaluate the security of software developed in-house. For instance, check if custom applications undergo security testing and code reviews.

12. Cloud-Based Security (Where Applicable):

Alt text: Cloud security

• Verify cloud environment configurations for security: Ensure that cloud services are configured securely. For example, check that cloud storage and computing resources are protected by proper access controls.

• Assess identity and access management in the cloud: Review how identities and access are managed in cloud environments. For instance, ensure that cloud accounts use MFA (Multi-factor authentication) and follow the principle of least privilege.

• Review encryption standards in cloud platforms: Check that data is encrypted both at rest and in transit in cloud environments. For example, verify that encryption protocols meet industry standards.

Guidelines in Security Audits

Security audits follow industry-standard frameworks, such as the CIS (Center for Internet Security) Controls and NIST (National Institute of Standards and Technology) Cybersecurity Framework, which guide your efforts in identifying vulnerabilities, preventing data breaches, and ensuring compliance with legal regulations. Understanding these frameworks and the tools associated with them is critical in performing an effective audit.

The Center for Internet Security (CIS) Controls provides a set of prioritised cybersecurity practices aimed at protecting organisations against the most common cyber threats.

Practical Example:

During an audit, you might use a tool like Nmap to inventory all the devices connected to the network. The checklist could include verifying the security configurations of each device, ensuring they're not running outdated software.

Alt text: Internet security centre

The NIST Cybersecurity Framework provides a comprehensive risk-based approach. It breaks cybersecurity efforts into five functions: Identify, Protect, Detect, Respond, and Recover. Each of these functions allows you to systematically approach various aspects of cybersecurity.

Alt text: NIST framework

Practical Example:

For the Identify function, your task during an audit might be to assess the
company's asset management process, ensuring all critical hardware and
software are identified and documented. You could use tools like Asset
Panda or Lansweeper to gather this information.

Benefits of Security Frameworks

Following the CIS Controls or NIST Cybersecurity Framework has several advantages:

• Comprehensive Guidance: Both frameworks cover a wide range of cybersecurity aspects, helping you ensure that nothing is overlooked.

• Flexibility: Each organisation can tailor the implementation of these frameworks to suit its specific needs.

• Industry Recognition: Using these frameworks can demonstrate to stakeholders and regulatory bodies that your organisation follows best practices, improving trust and compliance.

Understanding these tools will allow you to systematically identify weaknesses and recommend effective solutions, equipping you with the skills needed to assist in a security audit successfully.
