Five questions auditors will ask about your security policy

Nov. 25, 2015
Organizations must have total control over each aspect of their business as it relates to security and compliance

Many organizations still fail to answer fairly simple questions asked by external auditors about their security policy. While it may be easy to treat validation tests like a simple check-box exercise, the risks can be great if companies merely create an illusion of compliance rather than trying to actually fulfill the requirements. The fact is as many as 80 percent of companies failed to comply with all the requirements of the PCI standard, according to the 2015 Verizon PCI Compliance Report.   

Such an approach does more harm than good, as it provides organizations with a false sense of security and leaves them extremely vulnerable to data breaches. To be prepared, consider the answer to these five common questions to determine if your organization is ready to face the auditors:

  1. Do you have a documented security policy? Auditors need to make sure that rules and regulations are in place to maintain IT infrastructure security and proactively address security incidents. When evaluating the adequacy and reliability of a security policy, auditors will compare measures outlined in the policy with a company’s internal processes; obviously, those processes should match.
  1. Are access privileges in your organization adequately granted? Since a lack of control over privileged accounts continues to be a main security risk, a company needs to prove that all its permissions are granted in accordance with the existing security policy and employees’ business needs. IT auditors will not only verify who has access to what (and why); they will also check a company’s ability to detect insider misuse or abuse of privileges.
  1. What methods do you use to protect your data? Most existing compliance standards focus on protecting sensitive data, such as confidential customer records. A company should be ready to present reports about its methods of data classification and segregation (e.g., placing data into a 24/7 protected network) and prove that its most valuable assets will not be compromised easily.
  1. Do you have a disaster recovery plan? A well-structured, clear and viable emergency plan that describes what actions to take in case of a security violation significantly increases a company’s chances of passing an external audit. A good disaster recovery plan includes information about employees’ roles and responsibilities, how they should react if a security breach occurs and what they should do to stop data leaks and minimize their negative consequences.
  1. Are your employees familiar with existing security procedures and policies? Practice shows that auditors are particularly interested in the methods a company uses to encourage its employees to follow internal security policies. A company might need to prove that it regularly trains employees and informs them about existing security procedures.

Passing compliance audits is vital for maintaining the security of the IT environment. Yet, it doesn’t give you 100 percent protection against cyber threats.  Any compliance audit shows the state of the IT infrastructure at a certain point; however data must be secured during the entire period between validation assessments. It’s critical that companies gain complete visibility into what is happening across their most critical systems and establish absolute control over each security component. Only then will regulatory compliance be considered not as a burden, but as an opportunity to improve business processes and strengthen cyber security.

About the Author:

 Michael Fimin is an accomplished expert in information security, CEO and co-founder of Netwrix. Netwrix delivers complete visibility into who did what, when and where across the entire IT infrastructure.