With increasing pressure to reduce costs, most government IT operations are lucky to keep their budgets at operational levels. In light of the many demands placed on government IT shops, IT managers often relegate security and disaster recovery solutions—which much of the private sector has spent more on in recent years—to the back burner.
Given this situation, how can you get additional funds to bolster your department's security? Or, if you can't boost your budget, how can you at least document your concern about these issues?
One approach that may surprise you is an IT audit. While IT managers often regard auditors with fear, auditors can actually become your ally. Part of their job is to point out weaknesses of IT departments, which can help emphasize your needs to decision-makers.
If your IT department houses the financial system for your organization, you're already subject to required external audits that validate government financial statements. Most departments don't like to receive negative ratings on their audits. That means if a specific area receives an unsatisfactory rating, the powers-that-be may be more likely to grant your requests for additional resources.
The three broad categories of an IT audit
What should you expect from an IT audit? In general, the IT auditor examines the controls that should be in place within the IT organization of an enterprise—be it public, private, or government—and independently confirms the controls' existence or identifies the extent of control weaknesses.
In my experience, auditors focus on three broad categories:
- Hardware security controls
- Software and database security controls
- Operations controls
Hardware security controls
The first area focuses on the physical plant, disaster recovery capabilities, and vulnerabilities to natural and human disasters. Auditors want to know about physical access to the facility, the facility's security, off-site backup, and the center's susceptibility to flood or water damage.
In addition, auditors look at the backup and recovery plan. Have you documented and communicated the plan? How are your recovery capabilities? Does recovery mean days, weeks, or months? These issues all play into your overall assessment.
Software and database security controls
The second category addresses systems security issues, such as how well you perform identity management and who has access to what systems and at what levels. Do you revoke access to systems when employees leave the organization? What are your password policies? What kind of firewalls, virus protection, and intrusion detection do you employ?
This is an area in which IT shops tend to be weak. Policies often are established and then disappear or weaken over time as workloads increase.
Operations controls
The last area addresses policy and procedure. What policies and procedures are in place? Has the department appropriately documented them? How do you enforce them?
It's not uncommon for well-run shops to practice and enforce controls that aren't on paper. These controls are typically the result of the staff's best practices. This often occurs when staffing is very thin and no one has the time or inclination to actually put the procedures into writing.
Use audits to your advantage
Now that you know what to expect from an audit, let's look at why audits are both necessary and beneficial. First, a good auditor can help identify areas where needed controls are lacking. He or she can independently validate the controls in place to ensure they're working.
By evaluating a department on a periodic basis, auditors can give a baseline with which to compare progress and also communicate new controls that have developed because of new threats. Finally, they provide documented third-party assessments that departments can use for strategic planning, budgeting, systems design, and so on.
If your department isn't subject to regular audits, consider performing an audit at least every two years, if not annually. If an IT audit is already part of your organization's financial audit, be as upfront and forthcoming as possible. Volunteer information that you feel the auditor may be overlooking.
Remember: If you're doing the best you can with what you have, it isn't a criticism of your management abilities if an audit isn't perfect. It's difficult to perform miracles without some help: Use an audit as one means to get it.
We want your feedback
Is your IT department subject to audits? How do you prepare for them? How do you use the results to your advantage? Share your comments in our discussion forum, or e-mail us your thoughts about surviving an IT audit.