If you have reached this point in the framework, then congratulations! You have taken the initiative to not only think about but also plan and implement a comprehensive cybersecurity program for your business. This shows that you take the safety of your customers, employees, and assets seriously.

One important part of implementing a cybersecurity program that many forget is the need for regular audits to ensure ongoing compliance with cybersecurity standards. For many, the temptation is to implement the best new security controls and technologies, then sit back and forget about it all. After all, the security precautions have been added, so isn’t it up to them to do all the work now? Wrong. It goes without saying that the world’s digital landscape is changing every day. As new technologies and developments come and go, threat actors come up with new methods for compromising important data around the world. Tomorrow morning, a brand new cyberattack could be uncovered that bypasses every single control you implemented over the course of this framework. What do you do then?

Another issue that I have frequently come across in small business cybersecurity programs is the unstable performance of security technologies and controls. It is easy to implement new technologies in your business environment, but just like anything else, they require regular maintenance, recalibration, and sometimes even reconfiguration to keep working as intended.

A cybersecurity audit is a regular checkup on all aspects of an organization’s cybersecurity program to ensure that it is working properly and meeting basic standards for security. A base framework or standard serves as the checklist for which controls, processes, and policies need to be present. If certain requirements are not met, the business fails the audit and must remediate the issues. In many cases, there will be some form of fine or other penalty for non-compliance.

For this framework, the auditing requirements are less strict. Recall how in Stage 1, you conducted a gap analysis to compare the current state of your organization’s cybersecurity with a desired future state. That future state took the form of a checklist containing all the standard security controls and policies outlined in this framework. The same checklist will be the basis for audits in this framework.

Below you will find the CyberLadder Compliance Checklist available for download and printing. You should plan on performing an audit of your organization’s digital infrastructure once a year, as well as immediately after any major cybersecurity crisis. When it comes to auditing, there are two major approaches. Internal auditing is an audit performed from within your organization, usually by you or a designated employee. External auditing, on the other hand, is an audit performed by a qualified or mandated third party with expertise in the specific frameworks, standards, or regulations you are being audited against.

For the CyberLadder framework, an internal audit suffices, as the audit exists for you to confirm the continued security provided by the program you have implemented. However, there may be cases where you feel you lack the technical familiarity or judgment to conduct a proper assessment. In that case, you may want to look into having a qualified third party conduct an external audit. For example, you could have a local IT consultancy firm or penetration testing company conduct the audit by scanning your network and noting the level of compliance with the checklist.

No matter how you choose to perform audits of your cybersecurity program, make sure that they are complete and well-documented. Store copies of each audit report and share them with your steering committee for their insights. For any areas of non-compliance, aim to resolve them quickly, with thorough testing and documentation of the resolution. In a way, you can think of this section on audits and the Stage 1 section on gap analysis as the point where the framework loops back around. The CyberLadder framework is meant to be a repeatable process that keeps up with the newest threats and technological advances. Therefore, the results of an audit and the content of a gap analysis can be the very same thing, giving you the starting point for another iteration of the CyberLadder framework.