This segment of any review or audit is rising to the top of the ‘must have’ list, whether for your board or for your own sanity. Any IT security review or audit needs to include a base-level security check, finding out things like how often users are forced to change their passwords, how complex those passwords need to be, and how your anti-virus (endpoint protection) software is configured and working.
From there, the review moves up to reporting other security risks at a higher level. This might include a data discovery to find out where all your data actually is and how it is (or isn’t) protected, or a network penetration test. These can be time-consuming but revealing processes.
A classic security mistake some IT teams make is to create a new virtual server in Azure, Microsoft’s cloud service, or in Amazon Web Services (AWS), and then forget to put any endpoint protection (‘anti-virus’) on that server. A server in Azure or AWS is no different to a server on your premises; it must be protected. These sorts of issues are highlighted in the IT Audit – Security phase.