IT External Audit

We would like to have our IT infrastructure and policies audited by an external company. Annually, we have an auditor review financial transactions and HR information, but they don’t look at IT.

Does anyone have any recommendations?

I think this is a great idea, Steven! There are several IT support firms that participate in CITN that provide this service. Full disclosure: I work for one of them.
I hate to list names for fear that I’ll forget someone, but off the top of my head Enable, BEMA, MBS, and HigherGround come to mind as church IT specialists that could very likely fulfill this need for you.
Others can likely share their experiences with some of us in a less-biased way!

Travis,

Do you or others you suggested do penetration testing? I know our cyber insurance is requesting we have that done, and a couple of people on here have suggested SecureWorks and Depth Security.

I have a company that focuses on church IT, mostly in the APAC region, and we also do assessments… mostly M365/Azure configuration, CIS, and PDPA. I know that BEMA and Enable are both knowledgeable and worth talking to for an audit, I don’t have much insight on the other players though. The important thing with an assessment is scoping the assessment. Usually they are cybersecurity audits against a framework, which is good to have, but you might also want to look at advisory beyond that into where technology investment could enhance ministry, which tends to be a higher level conversation, but can be well worth it to get input on your broader use of technology in a ministry engagement strategy.

Not very common that churches need a pen test. Make sure you find out what kind of pen test needs to be done before you decide on a vendor. There are different types and scopes to those and the costs will vary wildly based on scope. For example, do they need an OWASP pen test of your website? Do they need a network penetration test? Do they only need PCI stuff pen tested? Do they want a physical break-in done? And then, how thorough? Some are a guy sitting at a desk hacking away at your systems for a week while others are a guy going down a checklist for XSS vulnerabilities.

That said, I do not envy you guys, real pen testing is not cheap! :scream:

Seconding what Isaac has said… What most people think of when they say pen testing is actually vulnerability scanning. That’s generally quite affordable, though not exceptionally useful in the long run. Penetration testing crosses the line of actually paying a firm to hack you through all means necessary and provide an after-action report. They are extremely expensive and can be disruptive to your environment in many cases.

Chris Green

At the risk of piling on…
I’m honestly surprised to hear your cyber insurance carrier is requesting a pen test. Most carriers are definitely starting to request (and require) vulnerability scanning as Chris mentioned above. Those two things are very, very different animals with vastly different price points. I’ll also offer this advice: ‘requesting’ and ‘requiring’ are two very different things and you shouldn’t hesitate to split hairs on that with your carrier. You should confirm exactly what they ‘require’ and what the impact is if you don’t necessarily do everything they ‘request.’ With all cyber policies, you have the ability to write back long-form answers to their questionnaires and requests explaining how you mitigate certain issues maybe in a different way than they are calling out. This is normal and acceptable practice and I highly encourage you to use that technique.

With all of that said, yes, Enable (company I work for) does offer both vulnerability scanning and pen testing services if you find that you do, indeed, have a need for either or both.

We do this very thing annually for the same reasons to which you allude. We use SecureWorks each time and have never been disappointed. We have them perform a variety of evaluations.

Hi all, we service quite a few Churches in southern Kentucky and we have been seeing more and more of this type of question asking us to do a penetration test. There are lots of great Penetration Testing companies out there and if we can offer any advice please do not hesitate to reach out. I was a member of CITN when I worked for a local Church as their IT Director and re-registered when I opened my IT Company for support questions just like this. We always have a minute for a free call, it may just help in the long run.

Documentation is key! Due diligence is the goal!
Brian

Before I became the IT Director at Bayside, I owned a network security company. As Chris and Travis mentioned, you should have a Vulnerability Assessment performed. A Pentest is used to prove proof of vulnerability. This is rarely ever cost justified or necessary. If you do have a vulnerability, you either need to patch, plug the hole or change permissions most of the time. I’d recommend asking for a follow-up vulnerability scan as part of your scope of services. Then you can remediate the issues and get a second scan to see if you’ve fixed the issues.

For your policies, I’d reference an industry standard like NIST 800-53, ISO/IEC 27000 or COBIT. Most auditors will compare your policies against one of these standards.

I am surprised the auditing firm does not include IT, at least an IT review. The one who did an audit for our church also had someone in their firm conduct an IT review.

Penetration testing is sometimes done by the firm that handles your credit card transactions, as part of PCI compliance.

Greg

Typically a financial audit will only audit the processes used by IT and other departments. The scans done for PCI compliance are little more than a port scan or basic vulnerability scan and are optimized for low cost to catch glaringly bad problems but are really nothing compared to an actual penetration test.

IMO, the value chain starts with validating you have appropriate policies and procedures: Updates, account lifecycle management, data management, etc. followed by an automated scan to validate your compliance with those policies. Once you have those in place, getting a penetration test done to see where the gaps in your policy and implementations are is also very valuable but without the first two you really don’t have a viable path to remediation and ongoing prevention of the issues found.

The policies and procedures you mentioned were evaluated by the person performing the IT review. It was not a full audit in the manner of fiscal audit, but it was pretty in depth looking at security practices, updates, accounts, etc. It was pretty thorough, and came back with recommendations and a list of good practices that were in place.
The scan performed by the PCI compliance provider is preceded by answering an extensive questionnaire about practices.