The duties and responsibilities of a security auditor depend on the scope and depth of the audit being performed. Some auditors work as part of a team assessing the integrity of a company's security controls; others conduct the audit on their own.
A security auditor's work may also include testing the policies a company has put in place to determine whether they introduce risk. The auditor may also review documentation and interview members of staff to learn about security risks or other problems within the company.
- Develop methods to monitor and measure risk, compliance, and assurance efforts
- Participate in the development of information security plans, strategy and policy to support and align with organizational mission and initiatives
- Perform assessments of systems and networks to identify where they deviate from acceptable configurations, policy, or compliance requirements
- Measure the effectiveness of a defense-in-depth architecture against known vulnerabilities
- Analyze digital evidence and investigate computer security incidents to derive information that supports system and network vulnerability mitigation
Requirements and skills
Security auditors work with a company to audit the security systems it uses. Once the audit is complete, the auditor provides the company with a detailed report on its information systems, outlining whether controls are operating effectively and where they fall short. This helps the company make changes where necessary to improve the integrity of its systems.
At a minimum, a bachelor's degree is required to become a security auditor. Certification is highly recommended and may be required by some employers prior to hiring; the certifications listed below are recognized worldwide as evidence of completing a standardized security auditing program.
- Minimum 3 years of experience in security, compliance, or advisory work in support of a highly technical environment
- One or more of the following information security certifications, or an advanced degree in information security/cybersecurity:
- CISSP, SSCP, CISM, CRISC, CISA, HISP or equivalent
- Demonstrated experience in information security auditing and risk management.
- Knowledge of computer networking concepts and protocols, and network security methodologies.
- Knowledge of laws, regulations, policies, and ethics as they relate to Information Security.
- Knowledge of enterprise information security architecture.
- Expert knowledge of information security principles used to manage risks related to the use, processing, storage, and transmission of information or data.
- Knowledge of information security principles and organizational requirements.
- Advanced knowledge of Risk Management Frameworks and processes.
- Ability to keep abreast of new and emerging information technology and security technologies.
- Knowledge of information classification concepts and of procedures for handling information compromise.
- Knowledge of penetration testing principles, tools, and techniques.
- Knowledge of Personally Identifiable Information (PII) data security standards.
- Knowledge of Payment Card Industry (PCI) data security standards.
- Knowledge of Protected Health Information (PHI) data security standards.
- Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
- Bachelor’s degree and 5+ years’ experience (or equivalent combination)