Security audits have become a fact of life in many industries, especially in financial, healthcare, hosting services, and government service providers. All security frameworks intend to guide organizations on how to manage their risks, protect their valuables and safely conduct business. Nevertheless, in most cases, alignment of an organization’s business practices to the applicable security frameworks is not a simple thing; meeting security specifications requires monetary investment, often causes confusion and in some cases, even results in a loss of direction. Here are a few steps that you can use to simplify the alignment between your organization and your security requirements to better prepare for certification audits.
Step 1 – Know your business and what valuable assets (physical, logical and people) are part of the business processes input and outcome.
While this may sound obvious, all security frameworks are based on your awareness of valuable assets and what risks may apply to them in order to identify how to protect them. As you may know, not every data set requires the same level of protection.
Different security frameworks explicitly identify which assets they consider valuable. For example, PCI defines valuable assets to be cardholder data, card PAN, and CVV numbers, while HIPAA classifies PHI/ePHI data as valuable. Beyond what the frameworks say, you should be able to identify important and valuable elements unique to your business case and your company. In many instances, auditors will ask you for a list of the assets you have and their classification. Classification is how you differentiate assets based on the value they have for your business and how they relate to your respective framework requirements.
Step 2 – Identify the security frameworks you want to comply with and be certified against. You’ll also need to identify an auditor to work with on your certification.
Companies often get pressure from customers or business partners to get certified for certain frameworks. When you decide on a security framework that you wish to certify for, it’s a good idea to select an auditor company to work with on your certification project. When you start your search, you will find that many companies provide the services you need, so it’s important to research them. Find out:
- What is their company size?
- What experience do they have?
- How many audits have they performed in the past year?
- What other frameworks do they audit and certify for?
- What are their total fees? What do those fees include?
I suggest building a mini-RFP where you can ask auditor companies to bid for your business and at the same time gather information that can help you make a selection using more than just price as a factor. It’s important to ask if the auditor has any fees associated with third parties. For example, the HiTrust audit has fees associated with the HiTrust Alliance, and this cost is independent of the auditor engagement fees. When this type of information is included in the audit engagement proposal, it shows that the auditor has experience, values transparency and is trying to establish trust. Ensure that you sign an NDA with your auditor, as you will have to provide them with a lot of sensitive information as part of the audit process.
Step 3 – Identify which parts of the security framework apply to your business—you’ll be subject to these requirements during your compliance audit.
Most security frameworks have a broad set of requirements and not all of them will be applicable to the business services you provide. Consider that PCI targets credit card processing and would only apply to you if you process credit card payments internally. It would not be applicable, however, to a hosting provider that offers colocation space to payment processing companies if the hosting provider only offers the physical security of the environment. Keep in mind that the payment processing company will have to show during their security audit that the hosting provider’s physical security is at or above the level required by PCI. Therefore, the payment provider may ask the hosting provider to certify itself for the subset of the PCI requirements limited to the hosting site for physical security. The same logic can be applied to different security frameworks where companies may decide to exclude specific sections based on business justifications, as long as those exclusions do not invalidate the security framework objective. It’s a good idea to have a preliminary discussion on scope definition and potential limitations during the auditor selection process, as they can provide insights and guide you through the security framework scoping process.
Step 4 – Develop and align organizational policies and procedures that meet your security framework requirements for the scope you have selected.
This is a critical point for any compliance audit you choose. Auditors always ask what policies and procedures you have in place and want to know what you are trying to accomplish and how you are trying to achieve it. You need to prepare policies describing your security program objectives with assigned roles and responsibilities across the organization. Be sure to show how your executive management team is involved and how they hold everyone accountable for achieving the security objectives. You’ll need to develop and implement policies describing asset classification, risk management, physical and logical systems security, access control, acceptable asset usage, security monitoring, and incident management. Your organization must demonstrate how these policies are communicated to staff and other applicable stakeholders—for instance, the policies can be published on your intranet portal.
Step 5 – Build an inventory of assets—including systems, software and people—as required in your security framework scope.
Performing an asset inventory of the components in scope of the compliance audit can be a challenging exercise. It is often unclear which assets must be included—especially in complex environments. A rule of thumb is to start with a list of everything that participates in the delivery of your business services and is under your control, together with associated security controls, as well as anyone who participates in the business functions in scope. For example, if you target the physical security scope of a security framework, you will need to list systems associated with CCTV, physical access (badges, biometrics, etc.), building fire protection, cooling, power management, visitor management and all associated hosting and security elements where those components may be deployed. For environments associated with card transaction processing (PCI-DSS full scope), beyond the above-mentioned elements, you’ll also have to list servers, applications and databases where the card data resides or that are part of the card processing; these include logical access components, firewalls, antivirus systems, intrusion detection/prevention, log management, patch management and other applicable systems.
However, the inventory list should exclude external systems that are part of the card transaction processing, such as an external ACH provider's systems. Document this information separately, as you’ll need to disclose information about external systems that handle data exchange in order to validate their security. Once you have a comprehensive asset inventory for items that may be in scope, you will go over it with your auditors to check for potential exclusions or additions based on the specific business cases and the agreed audit scope.
Step 6 – Perform a risk assessment on in-scope business services, systems, software and people to ensure risks are identified and assessed. You’ll need to develop a mitigation strategy and associated response plan for each risk.
This step is perceived as the most challenging, and organizations often mistakenly believe they need to buy special tools to achieve it. In reality, this is a simple step that requires a bit of creativity (and healthy paranoia), some Excel skills and a basic understanding of your organization’s business systems and underlying IT infrastructure. The approach I recommend is as follows:
- List your individual business systems (each inclusive of all its IT components) that are in scope, along with their respective owner. For example, individual business systems could be CCTV video surveillance, email service, physical access management system, firewalling service, etc. – one business service per Excel file or sheet.
- The next task is to list what kinds of threats you believe apply to each business system (in another row). This may require some out-of-the-box thinking; think like a criminal and try to identify how you could break the particular business service or gain unauthorized access. If you have trouble with this, leverage the list of potential threat events in NIST SP 800-30r1 Appendix E. Note that a threat event can apply to one or more components participating in your business service. For instance, in our CCTV example, the risk of damage applies to cameras, camera cables, the hardware on which the video system is deployed, signal concentrators (switches), and the storage for video records.
- For each threat event/risk, identify the probability of it occurring and the impact it would have on your business. These designators can be as simple as low, medium or high. For each risk for which probability and impact are medium or above, select a risk mitigation strategy, e.g. reduce (apply a security control), transfer (outsource or buy insurance), or avoid (change the process, function, design, etc.). You may declare that all other risks, where impact or probability is low, will be accepted. Of course, such risk acceptance should be done at the executive management level and well documented, due to the potential business consequences.
- For each selected mitigation strategy provide details about how it will be applied, who will be the owner to implement the chosen risk mitigation, and an acceptable timeframe to complete the activities.
In order to have a successful outcome in risk management, repeat the steps above on a regular basis; security frameworks require that a risk review be conducted annually.
For those interested in a more comprehensive risk management framework with better capability for risk prioritization, NIST SP 800-30r1 provides more details on how to do this.
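The four-step procedure above can be kept somewhere other than a spreadsheet. The following is an added example (not code from the original post or from OnRamp) of a minimal risk register that encodes the page's rule: mitigate when both probability and impact are medium or above, otherwise accept with executive sign-off, plus a likelihood × impact score for prioritization and the annual review check. The CCTV entries, owner names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = {"low": 1, "medium": 2, "high": 3}
MITIGATIONS = {"reduce", "transfer", "avoid"}   # anything else defaults to "accept"


@dataclass
class Risk:
    system: str            # business system the entry belongs to (one sheet each)
    components: list       # components the threat event applies to
    threat: str            # threat event, e.g. drawn from NIST SP 800-30r1 Appendix E
    likelihood: str        # low / medium / high
    impact: str            # low / medium / high
    strategy: str = "accept"
    owner: str = ""        # who implements the chosen mitigation
    due: date = None       # agreed completion date for the mitigation
    accepted_by: str = ""  # executive who signed off an accepted risk

    def score(self) -> int:
        """Likelihood x impact (1..9), used only to rank entries in the register."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def needs_mitigation(self) -> bool:
        """The page's rule: mitigate when both ratings are medium or above."""
        return LEVELS[self.likelihood] >= 2 and LEVELS[self.impact] >= 2


def gaps(r: Risk) -> list:
    """What an auditor would flag as missing on this register entry."""
    found = []
    if r.needs_mitigation():
        if r.strategy not in MITIGATIONS:
            found.append("mitigation strategy required")
        if not r.owner:
            found.append("owner required")
        if r.due is None:
            found.append("timeframe required")
    elif not r.accepted_by:
        found.append("executive sign-off required for accepted risk")
    return found


def review_overdue(last_review: date, today: date) -> bool:
    """Frameworks expect the whole exercise to be repeated at least annually."""
    return today - last_review >= timedelta(days=365)


def prioritized(register: list) -> list:
    """Highest-scoring risks first, so mitigation work is ordered by exposure."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


CCTV_REGISTER = [  # constructed sample entries for the page's CCTV example
    Risk("CCTV video surveillance", ["cameras", "cables", "switches", "video storage"],
         "physical damage to surveillance components", "medium", "high",
         strategy="reduce", owner="Facilities lead (placeholder)", due=date(2025, 3, 31)),
    Risk("CCTV video surveillance", ["video storage"],
         "loss of recordings due to storage failure", "low", "high"),
]
```

Running `gaps()` over `CCTV_REGISTER` shows the second entry still needs an executive sign-off before the register is audit-ready.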
In part II of this series, we will cover steps 7-10 in preparing for your security or compliance audit. You’ll also get a better understanding of what to expect during the audit itself and what happens after the audit.
OnRamp specializes in offering compute, storage, and networking solutions for organizations with highly sensitive data. Having undergone major audits ourselves to achieve top certifications like HiTrust, we can offer support and insights to simplify the process. Learn about our professional security services and contact us today to see how we can work together.