How to prepare for your next audit
No matter what sector or industry you belong to, the point of an audit is to use your policies and test their effectiveness. Improper policies will result in non-compliance, and certainly not adhering to the policy will result in non-compliance-not to mention a higher risk of having your company's name pop up on the front page of the newspaper over a data breach.
Responsiveness to auditors' requests demonstrates effective controls, so it is essential that an organization has the processes in place to ensure timely responsiveness. Don't keep your auditor waiting. Delaying or not responding to audit requests will result in a failure, and precious resources will fly out the window in the form of lost time and money.
So, what is the auditor going to be looking for, and how can you be prepared? The following are three tips I have found valuable:
Tip No. 1: Make sure that you have an automated reporting system. Writing changes on paper are not going to be well received.
Tip No. 2: Categorize your systems based on their criticality and the sensitivity of the data that may be stored.
Tip No. 3: Ensure that you are able to prove that your policies allow for the following: Passwords can be automatically changed on a regular basis corresponding to a set interval (for example, every 60 days); passwords can be automatically changed when requested; passwords can be changed automatically after a short amount of time after checkout (for example, 30 minutes); passwords are changed automatically between each usage and that, if required, only one person at a time can have access; and the ability to show that you are able to verify the passwords on a regular basis to ensure that no unauthorized changes to a password has occurred.
One statistic that I can be sure about is that there is a 100 percent chance that some organization somewhere is currently suffering from improper use of their systems due to the misuse of privileged accounts. And sooner rather than later, yet another organization will make the headlines because they didn't take the necessary precautions to protect themselves. It's always raining somewhere, so be sure to do everything in your power to protect yourself now before the storm hits.
A veteran of a Military Intelligence unit, Udi holds a law degree (L.L.B.) from Hebrew University in Jerusalem, and is completing the Science of Management Master's program at Boston University. He can be reached at [email protected].