skip to main content

About Cybersecurity Audits

What is a cybersecurity audit?

Cybersecurity audits examine information technology systems used in government operations. They look for weaknesses in that technology and propose solutions to help strengthen those systems. Cybersecurity audits are a type of performance audit and are provided at no cost to state and local governments, thanks to 2005’s voter-approved Initiative 900.

Cybersecurity audits protect the people of Washington

People depend on Washington’s state and local governments for many different services – such as public safety, tax collection, social services, and transportation systems. Governments depend on technology to provide these services. The security of these systems and related data are vital to public confidence, the continuity of government operations, and the safety and well-being of the state and its residents. Across the country and throughout the world, that technology is increasingly under attack, leaving people vulnerable. Those attacks add up, costing taxpayers money and eroding trust in institutions.

How cybersecurity audits work

The State Auditor’s Office (SAO) has worked with state and local governments to improve IT security for more than a decade. In recent years, we’ve increased cybersecurity assistance and training because of the ever-increasing danger of cyber technology being attacked.

We coordinate IT security work with both the Office of CyberSecurity (OCS) at Washington Technology Solutions (WaTech) and the Washington State Military Department. By coordinating, we’re able to reduce the impact of testing on agency operations, and ensure our work complements that of OCS and the Military Department to further strengthen cybersecurity throughout Washington. Audits can include:

  • Penetration testing: Real-time security assessments of applications, systems and networks. Our auditors identify and assess risks and determine if they could be exploited by bad actors. We work collaboratively with governments to identify the critical applications for testing.
  • IT security controls: A review of policies, procedures and technical implementation compared to leading practices and required state standards.

Because of the sensitive nature of cybersecurity audits – and to avoid helping bad actors exploit any potential vulnerabilities before they’re fixed – the final public reports contain little explicit information. However, the governing bodies of governments that receive a cybersecurity audit receive a detailed report to allow quick and thorough remediation of issues.

About the auditors

Our team of IT auditors and security specialists combine traditional auditing experience with deep technical expertise. The members of our cybersecurity audit team hold a variety of technical and audit certifications, including:

  • Certified Internal Auditor (CIA)
  • Certified Information Systems Auditor (CISA)
  • Global Information Assurance Certification (GIAC)
  • GIAC Information Security Fundamentals (CISF)
  • GIAC Critical Controls Certification (GCCC)
  • Certified Fraud Examiner (CFE)
  • Certified Information Systems Security Professional (CISSP)
  • Microsoft Certified Systems Engineer (MCSE)
  • Certified Ethical Hacker (CEH)
  • Cisco Certified Network Associate (CCNA)
  • Security +
  • Network +