From the course: Cybersecurity Careers: Become a Security Auditor

What are security auditing and compliance?

- Before we get into what it takes to be a security auditor, let's talk about what a security audit actually is. A security audit is an independent, non-biased review of an organization's security posture to determine the adequacy of their data protection. Many organizations, depending on their line of business and the data they house, are held to compliance standards. A security audit helps ensure compliance with the applicable compliance framework. One of the goals of a security audit is to make sure compliance is met, but the other is to communicate and advise organizations on the gaps they may have in their security posture so they may work toward compliance. To give an example, one particular compliance audit and framework called PCI, which we'll talk about a bit later, ensures that if an organization is processing or storing credit cards, there are appropriate security controls in place. There are a few ways that they do this, like building and maintaining a secure network and systems, protecting account data, and maintaining a vulnerability management program, as well as lots of others. At a high level, these particular requirements are in place to ensure customer credit card data remains safe. During a security audit, each of these requirements is broken down into several low-level sub-controls. An example of an auditing function would be to ask the organization to provide evidence that proper Windows update and patching is occurring on a regular basis. During a security audit, an auditor would not only conduct interviews with the appropriate system administrators, but also review evidence of a patching schedule. Furthermore, screenshots of a sample set of patched servers would also be reviewed. Many times, evidence collection is used to ensure that controls are being met properly. The complexity and requirements of security auditing can vary significantly, depending on which compliance framework an organization is held to.
Auditing can be seen as cumbersome and costly for organizations because of the time and resources involved in an audit. Many times an audit can produce findings that cause an organization to spend unplanned money in order to remediate a security gap. If we determine that a point-of-sale system across multiple stores is out of date or at the end of its life cycle, it would need to be replaced before compliance can be achieved. As a security auditor, you should always have the mindset of not only looking for security gaps, but also having the ability to advise an organization on multiple avenues to achieve compliance. Security auditing should always be conducted by a third-party, non-biased auditor. This ensures that there is no conflict of interest during an audit. A third-party auditor typically has no prior knowledge of an organization. Because of this, a deeper, more thorough audit will occur. When a successful security audit is completed and compliance is met, an organization can be confident that a strong security posture is in place. A security audit is typically completed yearly to ensure that the security of an organization stays strong moving forward.
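The patching control described above is a good place to see what "reviewing evidence" looks like in practice. The following script is an added example, not part of the course or any particular framework: it takes a constructed patch inventory (shaped like an exported hotfix list with hostname, hotfix ID and install date; the KB values are placeholders, not real identifiers) plus a constructed in-scope host list, and reports, per host, whether the most recent patch falls inside an assumed 30-day patching window, whether the host failed the window, or whether no evidence was supplied at all. The window, the host names and the dates are all assumptions for illustration.

```python
"""Added example: review constructed patch-evidence records against a patching window.

This is not course code. It simulates the auditor's evidence-review step:
the organization supplies a patch inventory, and the auditor checks each
in-scope host against an agreed patching window and notes missing evidence.
"""
import csv
import io
from datetime import date

# Constructed sample evidence. Shaped like an exported hotfix inventory
# (host, hotfix, install date). Hotfix IDs are placeholders, not real KBs.
SAMPLE_EVIDENCE = """host,hotfix,installed_on
pos-store01,KB-PLACEHOLDER-1,2024-03-02
pos-store01,KB-PLACEHOLDER-2,2024-04-09
pos-store02,KB-PLACEHOLDER-1,2024-01-15
db-core01,KB-PLACEHOLDER-3,2024-04-20
web-edge01,,
"""

# Constructed in-scope list. pos-store03 is in scope but absent from the
# evidence, which is itself a finding: the sample set does not cover it.
IN_SCOPE_HOSTS = ["pos-store01", "pos-store02", "db-core01", "web-edge01", "pos-store03"]

# Assumed patching window (days). A real audit takes this from the framework
# requirement or the organization's documented patching schedule.
DEFAULT_MAX_DAYS = 30


def parse_evidence(text):
    """Return {host: [install dates]}.

    A row with an empty install date still registers the host, so that a
    host that appears in the inventory with no patches is reported as
    NO_EVIDENCE rather than silently skipped.
    """
    installs = {}
    for row in csv.DictReader(io.StringIO(text)):
        host = row["host"].strip()
        dates = installs.setdefault(host, [])
        if row["installed_on"]:
            dates.append(date.fromisoformat(row["installed_on"]))
    return installs


def evaluate_patching(installs, in_scope, as_of, max_days=DEFAULT_MAX_DAYS):
    """Produce one finding per in-scope host.

    status is PASS (latest patch within the window), FAIL (latest patch older
    than the window) or NO_EVIDENCE (host missing from the inventory, or
    present with no dated install).
    """
    findings = []
    for host in in_scope:
        dates = installs.get(host, [])
        if not dates:
            findings.append({"host": host, "status": "NO_EVIDENCE",
                             "days_since": None, "last_patch": None})
            continue
        last = max(dates)
        days = (as_of - last).days
        status = "PASS" if days <= max_days else "FAIL"
        findings.append({"host": host, "status": status,
                         "days_since": days, "last_patch": last.isoformat()})
    return findings


def summarize(findings):
    """Count findings by status, which is what goes into the audit summary."""
    counts = {"PASS": 0, "FAIL": 0, "NO_EVIDENCE": 0}
    for f in findings:
        counts[f["status"]] += 1
    return counts


def run_review(as_of=date(2024, 4, 30)):
    """Convenience entry point over the constructed sample data."""
    findings = evaluate_patching(parse_evidence(SAMPLE_EVIDENCE), IN_SCOPE_HOSTS, as_of)
    return findings, summarize(findings)


if __name__ == "__main__":
    findings, counts = run_review()
    for f in findings:
        print(f"{f['host']:<12} {f['status']:<12} last={f['last_patch']} days={f['days_since']}")
    print(counts)
```

The point of the NO_EVIDENCE status is that absence of evidence is reported as its own finding rather than folded into PASS or FAIL; an auditor would go back to the administrators for those hosts before deciding whether the control is met.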
