IT Audits & Assessments
Sagacent's '2nd Opinion IT Audits & Assessments'
At Sagacent, we typically bring on one or two new clients every month and we also perform what we call '2nd Opinion Network IT Audits & Assessments' at a rate of one to one and a half every two months. This puts us in the position to be looking at a lot of business networking environments.
Sadly, what we regularly see used to shock us, but now we've become used to it.
- Networks that are configured wrong - either leading to major security issues or poor performance!
- Businesses that sometimes have most of the right components in place, but not running!
- Environments without the proper security, firewalls, anti-virus installed!
- Companies without a data backup for months, and occasionally years!
Our '2nd Opinion Assessment' is a very inexpensive check of your computing systems. We look at and document 21 points within your network and chat with key personnel. After which, we sit down with the business owner(s) and key decision makers and share our findings. Normally the whole process only takes an hour to an hour and a half.
Network IT Audits & Assessments
When an assessment just isn't enough.
These are much more involved than the above Assessments. An audit can take a day or two of detailed investigations and onsite system testing alone. Once that is done, we return to our offices and write up our findings. Normally, these reports are in the neighborhood of 15 to 25 pages, loaded with details and diagrams of the client's network and end with a list of things that we feel should be addressed, in order of urgency.
4 Areas To Cover On An IT Audit Checklist
When companies toss around the term IT audit, it evokes images of dark-robed inquisitors looking for data breaches. It is an understandable fear, since 2018 saw nearly 450 million records exposed.
In reality, IT reaches into nearly every part of a modern business. IT drives marketing with customer relationship management software. Your website would likely implode without some attention from your IT department.
That is to say nothing of automated billing systems, digital timekeeping systems, and inventory control. Plus, let's not forget all the physical hardware that this software runs on.
Any IT audit checklist will cover a lot of ground, but it should always cover four key areas. Keep reading and we will give you a snapshot of those areas.
1. Cybersecurity
Cybersecurity is the area where a lot of businesses fall down. Some of that failure stems from the difficulty and complexity of the work. Some of it stems from a dearth of available cybersecurity professionals.
After all, you cannot fix what no one on staff knows presents a security risk. There are, however, components of security that any company can effectively manage.
At the very least, you should have a handle on physical security around sensitive data. An audit checklist should include whether server rooms can lock or require security badges for access.
The audit should also look at whether or not application updates and patches get installed promptly. That goes double for any anti-virus software package you use.
You should also take a look at essential network security practices. Do remote workers use a VPN when they sign in to your system? Do you lock out risky sites, such as adult content and file sharing sites?
A few other essentials you should add to your list include:
- Safe password practices
- Firewall installation
- Multifactor authentication
- Secure wireless on-site
- Enable database security features
These represent just the tip of the security best practices iceberg, but they do make your business a harder target.
2. Regulatory Compliance
As data security and online privacy become bigger and bigger issues, governments pass increasingly stringent laws regarding them. For example, any business that does business with European customers must now comply with the General Data Protection Regulation.
U.S.-based businesses all face a variety of data protection regulations that, when not followed, can open you up to civil action. Certain industries also face regulations targeted specifically at them.
Health care providers of all stripes must maintain compliance with the well-known HIPAA regulations. They must also maintain compliance with the HITECH Act, which governs the protection of digital health information.
Financial organizations must also comply with federal regulations. The two biggest ones, from an IT standpoint, are the Sarbanes-Oxley Act of 2002 and the PCI DSS.
The Sarbanes-Oxley Act, or SOX, deals with financial reporting and record-keeping. IT plays a supporting role in delivering reports and maintaining sound records.
PCI DSS deals primarily with security around payment processing. Specifically, it lays out rules for data security, network and system security, and access control. IT plays a primary role in meeting these standards.
If your business or organization falls under one of these regulations, your checklist must include all the requirements set out by the regulation.
3. Data Backups
Data backups are a best practice for businesses, even though many businesses ignore it as a policy. For all practical purposes, data backups serve as a defensive action. You do them as a part of disaster planning and business continuity planning.
The idea goes that if your building burns down, gets flooded, or some other kind of catastrophe destroys your on-site equipment, you can get up and running again in a minimum amount of time. You can simply order new servers, set them up, and download your data.
Your business is alive again from a data and computing perspective.
The more serious problem is when you maintain a data backup policy and employees do not follow it. That can leave you with days or weeks of missing information if that disaster does come rolling down the pike.
Your audit checklist should include a review of data backups themselves, as well as data backup procedures. Most off-site data backup companies, such as cloud storage services, offer automation features. If you use an automated backup process, review the automation process to ensure it works properly.
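Reviewing an automated backup process means more than confirming the job is scheduled: the audit should check that every system you expect to be backed up actually has a recent backup and that the stored copies are intact. The script below is an added example (not Sagacent's tooling) that runs the three checks this section calls for over a constructed backup manifest: a set with no backup at all, a set whose last backup is weeks old, and a set whose stored file no longer matches the checksum recorded when it was taken. The manifest layout, the one-day age limit and the set names are assumptions for the example.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Policy window (assumption): the newest backup of each set must be no
# older than this, otherwise the set is reported as stale.
MAX_BACKUP_AGE = timedelta(days=1)

# Every system the backup policy says must be covered (assumed names).
EXPECTED_SETS = {"fileserver", "orders-db", "mailserver", "hr-share"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample manifest in the shape an automated backup job might
# write: one record per set with the completion time and the checksum the
# job recorded. 'content' stands in for the stored backup file so the
# example runs offline. Note that 'hr-share' never appears at all.
ORIGINAL_DB_DUMP = b"-- constructed dump of the orders database\n"
SAMPLE_MANIFEST = [
    {"set": "fileserver", "completed": "2024-05-20T02:00:00Z",
     "sha256": sha256_hex(b"fileserver-archive"), "content": b"fileserver-archive"},
    # Checksum was recorded at backup time, but the stored file has since changed.
    {"set": "orders-db", "completed": "2024-05-20T02:15:00Z",
     "sha256": sha256_hex(ORIGINAL_DB_DUMP), "content": ORIGINAL_DB_DUMP + b"\x00corrupt"},
    # The job silently stopped running: the last completion is weeks old.
    {"set": "mailserver", "completed": "2024-04-28T02:00:00Z",
     "sha256": sha256_hex(b"mail-archive"), "content": b"mail-archive"},
]


def audit_backups(manifest, now):
    """Return {set_name: [problems]} for every set that fails a check.
    Sets that pass every check are absent from the result."""
    findings = {}
    seen = set()
    for entry in manifest:
        seen.add(entry["set"])
        problems = []
        completed = datetime.fromisoformat(entry["completed"].replace("Z", "+00:00"))
        age = now - completed
        if age > MAX_BACKUP_AGE:
            problems.append(f"stale: last backup is {age.days} days old")
        if sha256_hex(entry["content"]) != entry["sha256"]:
            problems.append("checksum mismatch: stored file differs from recorded hash")
        if problems:
            findings[entry["set"]] = problems
    for missing in sorted(EXPECTED_SETS - seen):
        findings[missing] = ["no backup recorded"]
    return findings


if __name__ == "__main__":
    audit_time = datetime(2024, 5, 20, 9, 0, tzinfo=timezone.utc)  # constructed "now"
    for name, problems in audit_backups(SAMPLE_MANIFEST, audit_time).items():
        print(f"{name}: {'; '.join(problems)}")
```

Run against a real manifest, the same three checks (coverage, freshness, integrity) are what turn "the backup job is turned on" into evidence that the backup would actually restore.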
4. Hardware Lifecycle
It is often an afterthought for many companies, but your IT equipment is the backbone of your IT infrastructure. As your equipment ages, it grows less efficient and more error-prone. While that might not prove disastrous for the manager's laptop, it can prove disastrous for server hardware.
The typical replacement lifecycle for IT hardware runs approximately 3 years to 5 years. Variables that affect the lifecycle include quality of the hardware at purchase, the intensity of use, and how much your business scales up over time.
For example, let's say you bought a mid-grade server for your one-person app development business two years ago. If you are now a two-person business with light server loads, you can probably keep that server another two years. If you now run a 15-person firm with heavy server loads, you probably already need a new server.
Your IT audit checklist should include an inventory of hardware that notes the age and overall performance demands of each piece of hardware. This information will keep you aware of when hardware nears the end of its lifecycle and assist in future resource planning.