How to approach your first security audit!
Having an audit conducted on your organization’s security program is not an event that most people look forward to. They are filled with auditors who make a living trying to find deficiencies and weaknesses in the implemented, or not implemented, controls that are part of your industry. Multiple triggers can push the audit, but two of the common triggers are – 1) business associate/partner could require it if the organization is retaining their data or 2) federal mandates and laws require it. These audits can range from an initial shadow audit where the organization is looking to gain a high-level understanding of their security posture, to a full assessment where each control is evaluated based on the security categorization of the organization. The organization’s level of maturity will determine which approach they will take.
Most mid-level organizations are new to the requirement of having an audit performed against their information systems. The Auditors will evaluate more than just the technical implementation of the controls, they will verify that there is a policy and procedure associated with each control. In their eyes – if the control isn’t documented or audited, then it is not implemented. Our biggest push to our clients is to make them understand that everything must be repeatable and auditable.
If the organization has not performed an audit in the past, we always recommend that the organization select a subset of the controls which have been identified as applicable and perform a self-assessment. If they cannot perform this task, due to time or resource constraints, we are able to come in and assist with this Shadow Audit. This will give your organization a score card and baseline that your security team and system owners can work from. Having this baseline will provide a starting point with a small set of controls which doesn’t overwhelm the engineers or management team when trying to understand how to approach a full audit containing over eight hundred controls that may have failed or passed.
Starting small and working into the full audit is a reasonable approach and will also show the auditors that the organization is performing its due diligence in creating a proper security program that will ultimately lower its level of risk. Once completed, the organization can then grab a next set of controls and work on mitigating or lowering their risk against each business unit. The goal is to lower risk to a manageable level but if the wrong approach is taken, the chances are high that none of the controls will be satisfied.