Part 2 of this article appeared in the December 2017 issue of Compliance & Ethics Professional.

In the last two articles of this series, I discussed the role of maturity assessment and security assessment as connected though distinct aspects of a strong security program. This article will delve into a third and comparatively more in-depth component.

Security auditing builds upon the information collected during the security assessment in order to draw conclusions about the efficiency of an organization’s

A security audit focuses on the completeness, design, implementation, and efficacy of internal security controls. Although the security assessment identifies controls to mitigate the risks it uncovers, it provides only a rudimentary evaluation of control design. Perhaps more importantly, a security assessment is conducted under the assumption that the controls are effective in mitigating risks. Conversely, a security audit delves much deeper into how a particular control is designed and how it is implemented over a period of review. Periods of review are decided by management based on the amount of assurance desired that a control is operating as expected. This period typically lasts 12 months but can ultimately be any length of time depending upon the needs of

Security audits can vary widely in their scope and rigor. Although some controls are identified during the security risk assessment, security auditing is another method of independently reviewing the

The components of strong cybersecurity plans, Part 3:
» Maturity assessments lay the groundwork for cybersecurity programs and allow management to establish desired improvement in comparison to current capabilities.
» A security assessment helps establish security governance by providing an independent check on information technology staff, increased awareness of security risks and threats, and prioritization of IT spending for the purposes of risk mitigation.
» A security audit focuses on the completeness, design, implementation, and efficacy of internal security controls.
» Vulnerability scanning is an ongoing process in an organization that is both offensive and defensive depending on its use.
» Ultimately, a penetration test is only a fraction of developing a strong cybersecurity plan. However, these tests are frequently needed for compliance with regulations that set the minimum requirements for cybersecurity programs.
By Mark Lanterman