
There were days when businesses depended on their IT infrastructure. Nowadays, IT is the business. This paradigm shift in IT and its contribution to the business has introduced cyber threats. Cybersecurity incidents can have a huge impact on the business in terms of reputation, operations and, of course, finances. Cybersecurity incidents are like car accidents: every driver on the road thinks an accident can't happen to them. Road accidents only happen to others.

Cyber security incidents are a reality that every business has to face, whether a ransomware attack, unavailability of services or theft of data. So it is highly critical to know the security posture of your organisation.

To measure the security readiness and effectiveness of security controls in your organisation, cyber security health checks, cyber security reviews and internal security audits are performed.

The cyber security health checks, reviews and internal audits can help you identify and prepare for cyber security concerns, which is ultimately good for your business and customer trust.

Cyber Security Review vs Internal Security Audit vs Cyber Security Health Check

Cyber Security Review

A cyber security review measures the current security posture against industry standards or benchmarks. Information for a security review is usually collected in a few different ways, including surveys, interviews, comparison with external standards, statistics, or reviews of records and reports showing historical information. The outcome of a security review is usually a report with recommendations at a high level, and there is time and scope to remedy any issues if clear vulnerabilities or a security gap exist. A good example of a security review is interviewing staff on firewall management. The analyst will ask questions about how firewalls are managed, for example whether they are managed using local user accounts or whether default accounts are still active. If so, a gap is identified and a recommendation is provided to improve the firewall management processes and introduce Active Directory accounts to manage the firewall.

The cyber security review can also consider previous risk and compliance assessments to list the findings and gaps. In general, a review is a more high-level look at risks and compliance rather than a deep dive into the details. A security review should be conducted at least every six months, if not more frequently. A security review must also be considered any time there is a major structural change to the business, to help identify new risks to the business.

Internal Security Audit

The primary purpose of an internal security audit is to check whether the complete IT infrastructure, or a subset of it, is deployed, configured and managed according to best practices, industry standards and/or industry guidelines. An audit is performed by a qualified auditor. An organisation can be legally subject to an external audit, and an internal IT audit can help an organisation prepare for external audits. Examples of a security audit would be an audit against the PCI Security Standards Council requirements, or an audit performed to check compliance with the ISO 27001 standard in order to maintain an ISO certificate.

An internal security audit goes deeper than a security review and looks at PPT (People, Process and Technology) to determine whether relevant standards and regulations are being complied with properly. An internal security audit involves searching for holes in policies or procedures, while also performing a physical assessment of what hardware and devices you have as part of your infrastructure. Internal security audits also involve an assessment of access control and vulnerabilities, to ensure permissions and access are correctly configured and there are no software, hardware or policy vulnerabilities that could lead to a breach or intrusion. Audits will also look at your design processes to examine how you create your services and system setups. Security audits review all your standard operating procedures as well as your backup and disaster recovery plans.

Cyber Security Health Check

A cyber security health check is a high-level measurement of security controls in an organisation. A security health check is usually the first step for any organisation to understand its current security posture. The process of a security health check is usually similar to a security review. A security health check is performed by interviewing key stakeholders to understand the gap. The outcome of a security health check is usually a roadmap with recommendations.

Which one is the Right Tool(s) for you?

By conducting an IT security review, you can measure your current security posture and compare it with industry minimum standards. NIST CSF recommends a minimum level of three (3) on the scale of CMM (Capability Maturity Matrix). A security review will help you identify the gaps and a roadmap to achieve CMM level 3 maturity. An organisation that considers itself somewhat mature in cybersecurity will typically go for a security review.

An internal security audit is required if an organisation is subject to legal regulations or laws. For example, an organisation handling personal data must comply with the Privacy Act 1988 or GDPR. An internal security audit will identify gaps in security and compliance, and help you prepare for external audits. It is recommended to perform a security review before performing an internal security audit.

A security health check is advisable for a small-scale business that is beginning its cybersecurity journey. A health check will identify gaps in its current technology and processes. An organisation that is new to cybersecurity and does not have internal cybersecurity staff should go for a security health check. Usually, such organisations perform cybersecurity activities on an ad-hoc basis, leading to exposure of data or systems to cyber threats.

Our recommendation is to adopt a layered approach. Depending on the size and maturity of an organisation, we recommend performing a security health check or a security review as the first step. Based on the outcome of the security review or health check, build a roadmap and an action plan to perform an internal security audit.

Cybersecurity is what we do

Rabbon is a cybersecurity company with offices in Sydney and Melbourne. We lead a team of cyber security consultants and GRC consultants who help organisations become cyber resilient by providing access to effective and affordable cybersecurity services. We believe that "Cybersecurity is for everyone".

You can contact our cyber security consultants for an obligation-free consultation.

Phone: +61 2 80513207

Email: [email protected]