iconimage - Fotolia
IoT extends the power and connectivity of the internet to just about any online device. To ensure all aspects of an IoT environment perform properly, organizations need to audit IoT controls at least annually. IoT audits should be scheduled more frequently if changes to the business occur that affect IoT resources.
It is important for IT leaders to understand the IoT auditing process. To start, there are three kinds of audits: first party, second party and third party. A first-party audit is performed by the departments responsible for IoT activities. Second-party audits are performed by an internal audit department within the organization and third-party audits by an external audit firm.
Here, examine the first-party audit process, and receive guidance to prepare for and perform an IoT audit.
What is included in an IoT audit?
To start preparation for an IoT audit, create a list of everything that may connect to the internet, especially assets that affect business operations. A comprehensive IoT inventory should include office desktop systems, laptops, printers, scanners, copiers and fax machines. Include all networked devices in a data center, whether they are located on-site, colocated in another location or in a cloud. Examine social media, as well as external organizations that have frequent connections, such as key clients and vendors.
This list should also include closed-circuit television security systems; physical access control systems, such as proximity card access, HVAC systems, and fire detection and suppression systems; building lighting systems; and backup power systems, such as external diesel generators. Include vending machines, microwave ovens, coffee makers, smartphones, tablets, digital cameras, internal television systems, video conference systems and even office building garage door openers in the list as well.
7 IT general controls used in IoT audits
It is important to audit IT general controls (ITGC) that address issues such as physical and logical access and cybersecurity. The ITGC audit process serves as the foundation on which to build an IoT audit. The IoT audit is virtually the same as a typical IT audit; the difference is the number and type of devices involved can be significantly greater and can have highly diverse responsibilities.
To perform an effective ITGC audit, organizations must understand its scope. The seven controls listed below, as well as examples of relevant control activities, may be examined in the auditing process. Control 7 focuses on an important nuance of the IoT audit: connectivity of internet-connected devices.
Control 1: Physical and environmental security
- Server room is locked with a card access system.
- A limited number of employees have card access to the server room.
- The data center has raised floors and water detectors under the floors.
- An HVAC system alarm sends emails and launches audible signals if there is a system failure.
- Server room fire extinguishers are checked quarterly.
- Physical security procedures are documented.
Control 2: Logical security
- New employees are provided access to system resources after being approved by HR.
- Terminated employees have their access credentials revoked within 15 minutes of notification by HR.
- Windows Active Directory authenticates users requesting system resources.
- Logical security procedures are documented.
Control 3: Change management
- Test and production environments are segregated from each other.
- Production changes and patches are tested, documented and approved before being placed into service.
Control 4: Backup and recovery
- Data is backed up daily according to a documented process and schedule.
- Technology disaster recovery plans are documented for critical systems -- including IoT assets -- and are tested annually.
Control 5: Incident management
- Daily activity reports are generated for review by IT management.
- An incident response process is documented and used regularly when responding to abnormal situations.
Control 6: Information security
- Firewalls are used to protect the network perimeter from suspicious activities.
- Antimalware is used to prevent damage from malware threats.
- Incoming and outgoing data traffic is monitored 24/7 to identify potential phishing attacks, distributed denial-of-service attacks and other attempts to penetrate the network perimeter.
- Penetration testing is performed twice annually to check for vulnerabilities.
- Cybersecurity policies and procedures are documented.
Control 7: Connectivity of IoT devices
- Relevant IoT devices and their network connections are identified and documented.
- Priority of IoT devices for recovery and restoration is established and documented.
- Alternate or backup IoT equipment is identified and cataloged.
- Policies and procedures for IoT technology management are documented.
How to prepare for an IoT audit
When preparing for an IoT audit, begin by securing authorization and budget to conduct the audit, and determine who will perform the audit. Next, identify which controls are likely to be audited. If using an internal or external auditor, be sure the audit team is familiar with auditing IT systems and the nuances of IoT technology. Identify the IT department team that will support the audit, and establish a work area for the audit team. Secure -- and have ready as evidence -- a variety of documents, reports and other information for examination by the auditors.
When performing the IoT audit, examine each of the seven ITGC using a combination of the following techniques:
- Interview employees and managers responsible for IoT resources.
- Examine documentation such as written procedures, policies and technical manuals.
- Obtain visual evidence, such as screenshots, to verify the performance of specific controls.
- Document personal observations -- for example, watching how employees perform tasks relating to the control.
How to conduct an IoT audit
The following is a recommended sequence of steps in an IoT technology audit activity:
- Prepare the IoT audit plan, which includes the audit scope, audit approach and schedule.
- Review and summarize information gathered for the audit, such as technical documentation, questionnaires, risk reports and previous audit documents.
- Identify gaps in existing documentation, and update the information as appropriate.
- Review and apply standards, regulations, legislation and good practice documents to validate preliminary findings.
- Identify audit controls, and prepare work papers that reflect IoT audit metrics established and defined by standards groups, regulators, legislators and others.
- Following audit interviews and discovery activities, prepare a draft IoT audit opinion report for discussion with interested parties in your organization.
- Complete a final IoT audit report that includes results of discussions and recommended actions.
- Complete an action plan and time frame to remediate IoT audit findings and recommendations.
- Ensure the action plan to remediate IoT audit findings is implemented within the agreed-upon time frame.
- Schedule the next IoT audit, and include IoT as part of future IT audits.