The Kiewit Federal Group IT Infrastructure Audit Checklist

Soumya Ghorpade

Kiewit has long been one of the premier construction and engineering firms across North America, taking on projects of all kinds from tunneling through mountains to building bridges that connect communities.

Passwords are an organization’s first line of defense against hackers and must be updated frequently and securely. An IT audit should evaluate password protocols and account management policies.

1. Network Security
Physical security must be audited regularly alongside cyber threats. This covers everything from theft of IT equipment to natural disasters that may lead to data loss; to minimize these risks, companies must test backups and security measures regularly.

Every organization should conduct at least one annual network security audit to detect weaknesses in its security system and protect data from cyber attacks.

An important component of network security auditing is evaluating firewalls, including their logs, rules and permissions, to identify potential weaknesses. Software used on the network must also be evaluated carefully, along with anti-malware and antivirus systems. Additionally, employee training policies should prevent employees from opening suspicious links or using thumb drives on company computers.

2. Data Backups
Backup and Recovery Plans are essential elements of IT infrastructure, covering all aspects of computer operations in case of an adverse event affecting IT systems, including data backup and recovery (figure 1). Principles for an effective BCP/DRP include steps to identify critical applications, rank them by importance to an entity, and give BCP/DRP teams a blueprint to restore app software if disaster strikes (figure 2).

Documentation is key in conducting an effective backup and recovery audit, including electronic and hard copy documentation of backup and archive processes. Documents should address:

Firms should review security protocols and ensure employees understand and abide by them. Furthermore, firms must create a documented process for verifying permanent deletion of documents no longer needed, so as to reduce risks related to disaster situations.

3. Disaster Recovery
Disasters come in all shapes and forms, from simple data backups to entire sites being destroyed by natural disaster or cyber attack. No matter the cause of a disaster, having an efficient plan in place so you can recover quickly from such events without losing key data is essential for business survival.

IT audits include testing your disaster recovery plans. These plans set out specific procedures for what should happen during an incident or disaster; for example, creating lists of critical assets, determining the RTO/RPO for each asset, and deciding how often backups should occur.
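The check described above can be automated once the asset list exists. The following is an added example, not part of the original article: the `Asset` fields, the finding strings and the sample inventory are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Asset:
    name: str
    rpo: timedelta                      # recovery point objective: max tolerable data loss
    rto: timedelta                      # recovery time objective: max tolerable downtime
    backup_interval: timedelta          # scheduled gap between backups
    last_backup: Optional[datetime]     # newest successful backup, None if none recorded
    restore_test: Optional[timedelta]   # duration of the latest restore test, None if untested

def audit_asset(asset, now):
    """Return the list of findings for one asset (empty list means it passes)."""
    findings = []
    if asset.backup_interval > asset.rpo:
        findings.append("schedule: backup interval exceeds RPO")
    if asset.last_backup is None:
        findings.append("backup: no successful backup recorded")
    elif now - asset.last_backup > asset.rpo:
        findings.append("backup: newest backup is older than RPO")
    if asset.restore_test is None:
        findings.append("restore: recovery never tested")
    elif asset.restore_test > asset.rto:
        findings.append("restore: tested restore time exceeds RTO")
    return findings

def audit_inventory(assets, now):
    """Map each failing asset name to its findings."""
    report = {}
    for asset in assets:
        findings = audit_asset(asset, now)
        if findings:
            report[asset.name] = findings
    return report

# Constructed sample inventory (not real data).
NOW = datetime(2024, 1, 10, 12, 0)
H = timedelta(hours=1)
INVENTORY = [
    Asset("file-server", 24 * H, 8 * H, 24 * H, datetime(2024, 1, 10, 1, 0), 3 * H),
    Asset("erp-database", 1 * H, 4 * H, 6 * H, datetime(2024, 1, 10, 8, 0), 5 * H),
    Asset("project-archive", 168 * H, 48 * H, 24 * H, None, None),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, NOW).items():
        print(name, findings)
```

An asset can fail on schedule alone, before any outage: a six-hour backup interval can never satisfy a one-hour RPO, regardless of how recent the last backup happens to be.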

Kiewit is currently involved with several large projects, such as the Elmendorf military airport runway extension in Alaska, the construction of Bank Back Levee and Empire Floodgate in Louisiana, and the Oroville Dam emergency spillways reconstruction project in California.

4. Physical Security
Physical security refers to an array of strategies, barriers and techniques designed to defend computer infrastructure against theft, vandalism, natural disasters, manmade catastrophes or accidental damage (such as electrical surges and coffee spillage). An audit will evaluate your building site as well as interior construction details, like layout and lighting, which could potentially be exploited by bad actors.

Risk analyses also assess the effectiveness of current security measures implemented by companies, such as access control systems and video surveillance systems. A security expert can recommend suitable technologies that will best protect a building’s assets and employees, from touchless access controls that prevent common points of contact to powerful cameras that provide situational awareness.

Interviewing employees will enable organizations to discover security flaws that might otherwise go undetected, while giving employees an opportunity to feel valued within the organization and become responsible for adhering to established security protocols both inside and outside their workplaces.

 
