About IT Audits

What is a cybersecurity audit?

Cybersecurity audits examine information technology systems used in government operations. They look for weaknesses in that technology and propose solutions to help strengthen those systems. Cybersecurity audits are a type of performance audit and are provided at no cost to state and local governments, thanks to 2005's voter-approved Initiative 900.

Cybersecurity audits protect the people of Washington

People depend on Washington's state and local governments for many different services – such as public safety, tax collection, social services, and transportation systems. Governments depend on technology to provide these services. The security of these systems and related data are vital to public confidence, the continuity of government operations, and the safety and well-being of the state and its residents. Across the country and throughout the world, that technology is increasingly under attack, leaving people vulnerable. Those attacks add up, costing taxpayers money and eroding trust in institutions.

Read this special report to learn our cybersecurity work in 2022.

Read this report to learn about our cybersecurity work in 2020 and 2021.

How cybersecurity audits work

The State Auditor's Office has worked with state and local governments to improve IT security for more than a decade. In recent years, we've increased cybersecurity assistance and training because of the ever-increasing danger that IT systems and services will be attacked.

We coordinate IT security work with both the Office of CyberSecurity (OCS) at Washington Technology Solutions (WaTech) and the Washington State Military Department. By coordinating, we're able to reduce the impact of testing on agency operations, and ensure our work complements that of OCS and the Military Department to further strengthen cybersecurity throughout Washington. Audits can include:

  • Penetration testing: Real-time security assessments of applications, systems and networks. Our auditors identify and assess risks and determine if they could be exploited by bad actors. We work collaboratively with governments to identify the critical applications for testing.
  • IT security controls: A review of policies, procedures and technical implementation compared to leading practices and required state standards.

Because of the sensitive nature of cybersecurity audits – and to avoid helping bad actors exploit any potential vulnerabilities before they're fixed – the final public reports contain little explicit information. However, the governing bodies of governments that receive a cybersecurity audit receive a detailed report to allow quick and thorough remediation of issues.

Additional services we offer

IT security standards engagements

Our Office has developed agreed-upon procedures for the use of both Washington's Office of the Chief Information Officer (OCIO) and the Department of Licensing (DOL). These engagements include reviewing policies, procedures and the implementation of controls required by OCIO Standard 141.10. At the conclusion of the engagement, we provide the agency with the results of our work. If you have questions about these engagements, please contact the System Audit Team at SAOITAudit@sao.wa.gov.

Computer forensics

SAO has staff trained in Digital Forensics and our office can be contracted to conduct or support these investigations. A sample of the digital forensics services we can provide include:

  • Bit stream image of the device.
  • Review of existing data on the device.
  • Analysis of internet activity.
  • Review of deleted items when recoverable.
  • Review of event files to reconstruct events on a machine.

About the auditors

Our team of IT auditors and security specialists combine traditional auditing experience with deep technical expertise. The members of our cybersecurity audit team hold a variety of technical and audit certifications, including:

Apple Certified: iOS Technician (ACiT), Mac Technician (ACMT) Green Belt – Lean Six Sigma 
Certified Ethical Hacker (CEH) ITIL 3 Foundations
Certified Fraud Examiner (CFE) ITIL v3 including: IT Service Transition, Service Design, Service Operation, Continual Service Improvement
Certified Information Systems Auditor (CISA) Master of Cybersecurity and Leadership (MCL)
Certified Information Systems Security Professional (CISSP) Microsoft Certified Professional
Certified Internal Auditor (CIA) Microsoft Certified Solutions Associate: Windows Server 2008
Certified Network Defense Architect (CNDA) Microsoft Certified Technology Specialists: Windows Server 2008 Network Infrastructure, Configuration
CompTIA including: A+, Security +, Network +, Project +

 

Offensive Security Certified Professional (OSCP)
Cyber Resilience Review (CRR) / External Dependency Management (EDM) Systems Security Certified Practitioner (SSCP)
Cybersecurity Analyst + (CySA+) Security +
GIAC including: Security Essentials (GSEC), Information Security
Fundamentals (GISF), Critical Controls Certification (GCCC),
Incident Handler Certification (GCIH), Penetration Tester (GPEN), Information Security Professional (GISP)
Network +

For more information about these audits or to request an audit for your state or local government, email SAOITAudit@sao.wa.gov.