Security and compliance audits are a necessary part of conducting business for organizations that store or transmit sensitive data. Aligning business practices and operations with the requirements of your security framework is often a challenge, but it doesn’t have to be. If you follow our steps, you can simplify the process and be prepared for any audit.
In part I of this series, we covered how to identify what assets need protection based on the framework you want to comply with and get certified in (if applicable), how to engage an auditor, how to align your processes and procedures with your desired outcome, how to build an inventory of assets, and how to perform a risk assessment. If you haven’t already read part I, we encourage you to do so before moving into these next steps. We’ll also recap what to expect during and after the audit.
Step 7 – Document your business systems development, implementation, and maintenance activities as well as their associated security controls. Also, document the operational and change processes and their outputs as they pertain to your compliance (and certification) scope.
Now that the in-scope systems and their respective risks are understood, it is time to ensure you have the associated documentation: the security controls that mitigate each identified risk, and the operational activities (performed by personnel) that may impact the confidentiality, integrity or availability of the in-scope systems and services. Also include how changes to those services are made. When your organization is audited, you need to demonstrate how you protect sensitive assets, what happens within the environment where they reside, and how changes to that environment are authorized and executed to minimize impact. For instance, you’ll need to prove that you can detect unexpected events and activities consistently and repeatably. Auditors will ask for written documents, guides and processes, as well as evidence that those processes are executed properly and produce the expected outcomes. Such evidence includes reports from security controls, change tickets, generated system alerts, logs and more.
For those interested in what kinds of security controls are available, NIST SP 800-53 Revision 4, Appendix F (the security control catalog) provides a useful list of control options applicable to different aspects of the organization, its services and its systems.
Step 8 – Perform and document security training for all staff.
You should develop and administer security training to all employees and applicable contractors, covering policy content, expectations for behavior, threat awareness and incident reporting. It’s good practice to add topics associated with specific job functions. For example, systems and network administrators should receive additional training on their security responsibilities during system setup, operation and decommissioning, and on access management. Also consider training content that covers the role these staff may play in supporting an incident investigation. Beyond the general training, frameworks require organizations to show evidence of incident management training and of business continuity and disaster recovery training. For both of those courses, it’s essential to prove that people are trained on the process and on their expected roles and responsibilities, so that they can practice handling such events in a timely, efficient and collaborative manner.
Step 9 – Document HR processes and involve your HR team in supporting your security certification audit.
All security frameworks aim to address the risks associated with insider threats, and more specifically the employee onboarding and departure processes. Regardless of the framework, your auditor will most likely ask to speak with the organization’s HR representative to review the hiring process, including whether background checks are performed and of what type, what documents and acknowledgement forms employees must sign as part of employment, what training employees must complete, and how new employees are granted access to systems. A similar set of questions is asked about the employee departure process (both voluntary and involuntary), covering exit interviews, access removal and more. Frameworks vary in the level of background checks required and in the documents employees have to sign when they are hired or leave. Your HR department should document these processes so they are available for reference during the audit. Auditors commonly ask for a list of new hires and recent terminations; they’ll want to review the associated tickets with approvals, access requests, removal requests, proof of training completion, and signed policy acknowledgement forms.
Step 10 – Prior to the audit, ask your auditor to provide the list of evidence requirements for your certification.
When you are ready for the audit, ask your auditor for the list of evidence requirements for the agreed certification scope, and decide on the audit date. Be aware that the bigger the audit scope, the more evidence requirements there will be, and you will need time to collect all the required evidence and materials. We recommend using a file naming convention that follows the requirement IDs: at the beginning of each evidence file name, add the ID of the associated requirement as a prefix. This helps the auditors quickly review your materials and link them to the specific framework requirements. Ensure that you have all the required evidence in a single, secure place, ready to be delivered to the auditors when needed.
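As an added example (not part of the original post or of OnRamp’s tooling), the following script shows one way to enforce the requirement-ID prefix convention before handing evidence to the auditor: it parses the prefix of each collected file, maps files to the in-scope requirement list, and reports requirements with no evidence, files that lack a prefix, and files whose prefix is outside the agreed scope. The requirement IDs and filenames are constructed for illustration (NIST SP 800-53-style identifiers are used only as an example of the format; the real list comes from your auditor).

```python
import re
from collections import defaultdict

# Requirement IDs in the agreed audit scope. Constructed example list; the
# identifiers follow the NIST SP 800-53 "AA-n" format purely for illustration.
SCOPE_REQUIREMENTS = ["AC-2", "AC-6", "AU-6", "CM-3", "IR-2", "PS-4"]

# Evidence files as collected. Constructed example filenames, not real artifacts.
EVIDENCE_FILES = [
    "AC-2_new-hire-access-requests-2023Q3.pdf",
    "AC-2_quarterly-access-review.xlsx",
    "AU-6_siem-alert-review-log.csv",
    "CM-3_change-tickets-sample.pdf",
    "CM-3_change-advisory-board-minutes.docx",
    "PS-4_termination-checklist-signed.pdf",
    "security-awareness-training-roster.xlsx",   # no requirement prefix
    "ZZ-9_old-report.pdf",                       # prefix not in scope
]

# Convention: "<ID>_<description>" where ID looks like AA-1 or AA-1(3)
# (the parenthesised form denotes a control enhancement).
PREFIX_RE = re.compile(r"^(?P<id>[A-Z]{2}-\d+(?:\(\d+\))?)_(?P<desc>[^/]+)$")


def parse_prefix(filename):
    """Return the requirement-ID prefix of an evidence filename, or None when
    the filename does not follow the <ID>_<description> convention."""
    m = PREFIX_RE.match(filename)
    return m.group("id") if m else None


def check_evidence(requirements, filenames):
    """Map evidence files to in-scope requirements and report gaps.

    Returns a dict with:
      covered:      {requirement_id: [filenames]} for requirements with evidence
      missing:      in-scope requirement IDs that have no evidence file
      unprefixed:   files that carry no requirement-ID prefix
      out_of_scope: files whose prefix is not an in-scope requirement
    """
    in_scope = set(requirements)
    covered = defaultdict(list)
    unprefixed, out_of_scope = [], []
    for name in filenames:
        rid = parse_prefix(name)
        if rid is None:
            unprefixed.append(name)
        elif rid not in in_scope:
            out_of_scope.append(name)
        else:
            covered[rid].append(name)
    missing = [r for r in requirements if r not in covered]
    return {
        "covered": dict(covered),
        "missing": missing,
        "unprefixed": unprefixed,
        "out_of_scope": out_of_scope,
    }


def format_report(result):
    """Render the check result as a plain-text checklist for the evidence owner."""
    lines = []
    for rid, files in sorted(result["covered"].items()):
        lines.append(f"{rid}: {len(files)} file(s)")
        lines.extend(f"    {f}" for f in files)
    lines.append("MISSING evidence for: " + (", ".join(result["missing"]) or "none"))
    lines.append("Files without requirement prefix: "
                 + (", ".join(result["unprefixed"]) or "none"))
    lines.append("Files with out-of-scope prefix: "
                 + (", ".join(result["out_of_scope"]) or "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(check_evidence(SCOPE_REQUIREMENTS, EVIDENCE_FILES)))
```

Run against a real evidence folder, the `missing` list is the to-do list before the audit date, and the `out_of_scope` list flags material you may not want to hand over at all, since it invites questions outside the agreed scope.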
During the Audit
When the auditor is at your premises, don’t panic. Reserve a quiet place where you and the auditor can discuss the various topics of interest. Be prepared to walk through your organization’s business, disclose the systems you use, and provide information about employees and locations. It is common for auditors to ask for a walk-through of the site to observe the physical aspects of your environment and the associated controls. Work with your auditor to transfer the necessary audit evidence securely. Expect to invite other stakeholders – the HR representative, system owners, managers – to provide insight into specific systems, processes or decisions. As a general rule, the better prepared you are and the more you know about your environment, the faster the audit will go. Be aware that auditors will point out areas for improvement and anything that differs from what they have seen before; this is fine. You may address minor findings on the spot or agree on a remediation plan. Auditors are responsible for identifying deficiencies against the respective framework requirements, but they are not allowed to tell you how to resolve them.
After the Audit
After an onsite audit is complete, auditors may come back with more questions, requests for clarification, or requests for additional evidence. Spend enough time clarifying any topics that may have caused uncertainty or confusion. Sometimes an auditor’s unfamiliarity with your specific business use cases leads them into areas outside the intended audit scope. Be as clear as possible and deliver the additional evidence in a timely fashion. Follow up regularly on the progress of the audit report and its associated QA process. Review the preliminary audit report when it’s available, and ensure the agreed scope, control points and findings are reflected correctly. Auditors are human and can make mistakes, so work with them to ensure the accuracy of your report data. Pay attention to any recommendations and deficiencies they have identified and implement remediation or improvements as needed. Once the entire process is complete, it’s time to start preparing for the next audit cycle.
As an organization that has undergone major audits to achieve top certifications like HITRUST and PCI DSS, we can pass along insights to simplify the process. OnRamp specializes in helping organizations assess risk, remediate issues through technology, people and processes, and ultimately remain compliant. Learn about our professional security services and contact us today to see how we can work together.