Does Your Firm Pass This Cybersecurity Audit Question?

I want to cover an interesting question I saw on a recent cybersecurity audit. The audit came from one of the largest commercial insurance firms in the world, and the law firm who represents this firm is Onward’s client.

  • Does your organization conduct continuous monitoring, and/or use systems on an ongoing basis to detect changes in information systems that may create or indicate vulnerabilities?
Answers (check all that apply):
    • Our organization schedules manual vulnerability assessment engagements on at least an annual basis, or upon significant system change
    • Vulnerability scanning tools are implemented, and the results are analyzed and reviewed
    • Risk assessments are conducted, reviewed and approved, and new and emerging risks are considered
    • Our organization scans for vulnerabilities in our information systems and applications

Depending on the definitions of these terms, some firms may find their answers changing. These audits can also incur a lot of cost for a firm, depending on the definition.


The question asks about “continuous monitoring” and uses the word “ongoing.” At Onward, clients who need continuous monitoring use OnwardSIEM with Autowatch, which provides 24/7 Security Incident & Event Monitoring services. However, the available responses don’t even discuss real-time or continuous monitoring in a technical sense.


Instead, the listed responses ask about scheduled, manual vulnerability assessments (many organizations conduct them quarterly or annually) (Onward offers this service, too) which are vulnerability snapshots – a list of vulnerabilities found at a point in time from a vulnerability scanner or network of scanners. Quite different from continuous monitoring.

Firms can also respond that they conduct risk assessments – anyone who has ever conducted a risk assessment knows this is a lengthy process with weigh-in from various departments (legal, finance, HR, operations) to determine how risky something is and what weight it should have relative to other risks from other departments.

Finally, firms can respond that they do conduct a scan for vulnerabilities without providing any evidence or validation. According to this language, a technician could take a walk around the office and report that nothing looks unlocked or vulnerable and pass this audit.


Firms are at risk of both overreacting and underreacting to this audit question, depending on how the terms are defined at the next audit cycle. If a firm reads this audit question as requiring only a quarterly vulnerability scan and annual risk assessment, their budget will be out of alignment next year if the term is changed to require SIEM services.


I always recommend to my clients to start by assessing the risks, and address the risks up to their comfort level. Passing the audit is important, but many firms find they need the increased security and responsiveness of a SIEM even if it’s not mandatory in a cybersecurity audit.

I also tell firms not to twist their existing security policy or product definitions to meet the audit requirement. If a firm is responding to this audit and hasn’t had a proper penetration test/vulnerability scan in the last quarter, I always tell them to have that done before responding to the audit, rather than trying to use some free scan results as a workaround.

Above all – I tell clients to read the language as cautiously as possible. If the data our client is supposed to protect is highly sensitive (patient data or financial data, for example), firms must be prepared to over-protect that data rather than under-protect. If the worst happens and we have to defend our responses in the audit, we need to be sure we did our best to protect the data and the customers, rather than simply passing an audit.


Many of Onward’s customers have large companies as their customers or clients. For example, our client may be a law firm who represents a large insurance company or hospital network. Those large insurance companies have cybersecurity policies they follow and frameworks they require their vendors (law firms, IT providers, custodial services vendors, logistics companies, etc.) to follow, and a department who puts the vendors through audits to make sure.

Audits can be a simple Excel spreadsheet with questions and answers, an onsite vulnerability scan, in-person or virtual interviews, or anything in between.

Many of our clients have limited time to respond to these audits, much less time to draft cybersecurity policy and maintain detailed technical documentation required for these audits. Fortunately, Onward’s Managed Services Gold Plan includes these services.

Just For You: Trending Blogs

5 Game-Changing Reasons to Outsource Your Help Desk

As businesses grow and expand, it can become increasingly challenging to manage all the tasks and responsibilities that come with running a successful operation. One area that can be particularly difficult to handle is the help desk. Customers expect fast and...

‘Tis the Season for Cybercriminals

Welcome to the season of joy, festivities, and a touch of digital vigilance! As we deck the halls and spread cheer, it's essential to safeguard our online presence from potential cyber grinches. In our interconnected world, where holiday shopping, virtual gatherings,...

Why We Love Security Awareness Training Solutions

Security Awareness Training was a small but vibrant corner of cybersecurity until recently. About 3 years ago, cyber-insurance policies became more widespread (concurrent with a huge increase in ransomware, not surprisingly). Many cyber insurance policies asked in the...

Three Facets of Security to Focus On

When it comes to a business’ cybersecurity, there is no magic bullet to solve every problem. No miracle cure, no panacea, no Staples “that was easy” button. Instead, you need to deploy various means of protecting your operations. Let’s discuss how your business’...

What Business Managers Should Know About Their IT Environments 

What should non-technical managers know about their networks?  I work with many non-IT managers who are responsible for oversight of the IT department. These are smart people with training and experience who make smart decisions about IT when given good information....

Chrome Adds Color Coded Tabs and We’re So Thankful

Google Chrome is adding a cool feature over the next week or so (it may already have been released for you). The next feature is sure to make a big difference for some and will be non-descript for others. Let’s unpack colorful tabs in Google Chrome.   Adding More...

Don’t Let Scammers Scare You with COVID-19 

Slava Ruderman, President - Onward The COVID-19 pandemic has resulted in a great number of people working from home. While this is good for public health, it may unfortunately lead your employees toward a laxer view of cybersecurity. Cybercriminals are sure to take...