Technology and Protection
Protecting your application portfolio

Chapter 2.2

Auditing your application portfolio


Once the whole application portfolio is known, it can be audited. The aim of this step is to bring to light the vulnerabilities in the organisation's applications so that corrective measures tailored to each detected vulnerability can be decided and carried out.

Typically, audits are a four-step process:

  1. Scoping

In this phase, the applications and supporting assets to be covered by the audit (the audit scope) are defined. The organisation's business processes and lines of business are examined to establish which applications support them.

  2. Classification of risks

The second step is to identify the system’s risk areas and classify them based on the level of risk and the priority of action.

  3. Performance of assessments and tests

This phase comprises a series of assessments, tests (e.g. penetration tests, or pen tests) and controls that bring to light the vulnerabilities, weaknesses and non-conformities (e.g. obsolete, unsupported applications) in the IT system.

  4. Listing of results and performance of countermeasures

Finally, the results are summarised in a report that lists the corrective actions needed to address the vulnerabilities and shortcomings revealed by the audit, in order of priority.
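As an added example that is not part of the original page, the following Python script models steps 2 to 4 above over a small constructed application inventory: each application is classified by a likelihood x impact risk level, obsolete (end-of-support) applications are flagged as non-conformities, and the result is a prioritised list of corrective actions of the kind the audit report should contain. The application names, dates, scoring rules and thresholds are assumptions chosen for illustration, not values from the page.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Business processes treated as critical for impact scoring (assumption).
CRITICAL_PROCESSES = {"payments", "payroll"}

# Ordering used for the final action list: high first.
PRIORITY = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Application:
    """One entry of the application inventory (step 1 output)."""
    name: str
    business_process: str          # process that depends on the application
    internet_facing: bool          # exposure to external attackers
    handles_personal_data: bool    # regulatory / privacy stake
    end_of_support: Optional[date]  # None = still supported by the vendor
    findings: List[str] = field(default_factory=list)  # step 3 test results


def likelihood(app: Application) -> int:
    """1..3: how likely the application is to be attacked successfully."""
    score = 1
    if app.internet_facing:
        score += 1
    if app.findings:           # confirmed weaknesses raise the likelihood
        score += 1
    return score


def impact(app: Application) -> int:
    """1..3: what the organisation loses if the application is compromised."""
    score = 1
    if app.handles_personal_data:
        score += 1
    if app.business_process in CRITICAL_PROCESSES:
        score += 1
    return score


def risk_level(app: Application) -> str:
    """Step 2: classify on a 3x3 likelihood x impact matrix (thresholds assumed)."""
    product = likelihood(app) * impact(app)
    if product >= 6:
        return "high"
    if product >= 3:
        return "medium"
    return "low"


def is_obsolete(app: Application, audit_date: date) -> bool:
    """Step 3 control: vendor support ended before the audit date."""
    return app.end_of_support is not None and app.end_of_support < audit_date


def corrective_actions(apps: List[Application], audit_date: date) -> List[dict]:
    """Step 4: one action per finding or non-conformity, ordered by risk."""
    actions = []
    for app in apps:
        level = risk_level(app)
        for finding in app.findings:
            actions.append({"app": app.name, "risk": level,
                            "action": f"Remediate finding: {finding}"})
        if is_obsolete(app, audit_date):
            actions.append({"app": app.name, "risk": level,
                            "action": f"Replace or upgrade: unsupported since "
                                      f"{app.end_of_support.isoformat()}"})
    actions.sort(key=lambda a: (PRIORITY[a["risk"]], a["app"]))
    return actions


# Constructed sample inventory (names and dates are made up for this example).
INVENTORY = [
    Application("web-shop", "payments", True, True, None,
                findings=["outdated TLS configuration"]),
    Application("hr-portal", "payroll", False, True, date(2022, 12, 31)),
    Application("wiki", "knowledge sharing", False, False, None),
    Application("legacy-reporting", "reporting", False, False, date(2021, 1, 1)),
]
AUDIT_DATE = date(2023, 6, 1)

if __name__ == "__main__":
    for app in INVENTORY:
        print(f"{app.name:18} risk={risk_level(app):6} "
              f"obsolete={is_obsolete(app, AUDIT_DATE)}")
    print("\nCorrective actions by priority:")
    for act in corrective_actions(INVENTORY, AUDIT_DATE):
        print(f"[{act['risk']:6}] {act['app']}: {act['action']}")
```

In this model an application with no finding and no obsolescence (here "wiki") produces no action even though it is still classified, which matches the distinction the text draws between classifying risk (step 2) and listing the corrective work (step 4). Real audits replace the toy scoring with the organisation's own risk matrix, but the flow from inventory to classified risk to prioritised actions is the same.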

It is important to remember that the audit is not an end in itself: its findings are meant to feed the subsequent protection and remediation work.

2023 © Trust Valley. All rights reserved.