What Is A Security Audit?

A security audit is a test of controls securing a system, application or process. It is conducted to document compliance with regulation e.g. PCI-DSS, SOX, SSAE16 etc. It is conducted per generally accepted auditing standards by either internal or external auditors and demonstrates independence from management influence. An audit report will be prepared and management (system owner / team) will be asked for their remediation plans, if there are any observations (issues) noted in a security audit. Usually the action plan agreed upon with management is also part of the audit report. If management does not plan to fix the security issue or observation they will provide reasons. Management may decide to assume the risk arising due to the security issue noted and will provide the max loss to the business if the threat outlined is

What Is A Security Assessment? How Is It Different From A Security Audit?

Security assessment / review is performed if management or business wants to test the security of their own system or application or process. If the audit department is called to assist the process is called a controls advisory. The reviewer tests the security of the system / application or process against an agreed upon framework like NIST or ISO 27001 etc.

The main difference between a security audit and a security assessment is who initiates the review. If your system was selected as part of this year’s audit plan the internal audit department conducts the audit.

If you would like an assurance that your shiny new system is indeed secure and want an independent third party to come and test it, it is called a security assessment (review). You could even bring in the internal auditors to conduct a security assessment or contract third party experts.
What are the reasons for a security audit?

Management wants to demonstrate that their systems are in compliance with regulations or because they need to conduct audits for regulatory reasons (SOX).

Is there a need for security assessment?

Yes! Usually security assessments are conducted to provide assurance to the product team that they have a secure product. You could have a security assessment of the code (code review), or a platform or infrastructure.

What are the common frameworks used for security assessment / audit?

Commonly used standards for IT security are below:
NIST – http://www.nist.gov/cyberframework/
COBIT 5 – http://www.isaca.org/COBIT/Pages/default.aspx
SSAE 16 – http://www.aicpa.org/Research/Standards/AuditAttest/Pages/SSAE.aspx
SOX – http://www.aicpa.org/interestareas/centerforauditquality/Pages/CAQ.aspx
ISO / IEC 27001 – http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
PCI DSS – https://www.pcisecuritystandards.org/

Share your experience with security audits or security assessments in the comments below.