You don’t have to work in IT to know that data security is a pressing issue for most organizations. Whether it’s a retailer, restaurant, or voting system, all you have to do is read or watch the news to understand that someone or something is always trying to access data they shouldn’t. Businesses must always be vigilant about keeping their data secure—especially when they’re also responsible for client data—and security audits are one of the primary tools for making sure data security processes are sound and data is protected.
IWCO Direct has always leveraged the Defense in Depth principle, in which multiple layers of security controls are placed throughout an information technology system. The goal is to provide security redundancy in the event a control fails. Compliance audits like ISO 27001, PCI, and HITRUST help us focus our efforts to meet the various industry risks our clients face.
Our security audits originate from multiple sources, including internal audits, client audits, and external compliance audits. We complete dozens of security audits annually, which helps us identify areas where we can improve our security posture.
We also believe it’s important to get input from a variety of experts. Although clients, internal Information Security, and external security professionals may all perceive risk differently, each can bring a unique viewpoint and identify potential problems others may not have detected.
Security Audits Focused on Vendor Risk Management and Access Control
One of the hottest topics in the IT realm is Vendor Risk Management. We work to ensure our vendors are informed of the latest threats and always meet our security standards. Access Control related to the cloud is another topic gaining steam. If a company is using the cloud to host an application or store data, it’s critical to understand where that data is and how to protect it.
IWCO Direct continues to strengthen our Vendor Risk program. We’ve put particular effort into vetting and validating the security controls of our higher-risk vendors. As we’ve begun to leverage the cloud for select client systems, we’ve moved carefully to ensure we are fully prepared and have all the important prerequisites for a safe transition. One is establishing a Privacy Level Agreement with the cloud provider before entering into an agreement. (You may not have the ability to do this after the fact.) In addition, a cloud risk assessment needs to be performed to ensure the correct level of security is applied to all cloud systems. Doing this after your cloud system is established can alter the cost projections you used to determine whether moving systems to the cloud is affordable.
Security audits help us achieve the principle of security in depth by providing information and perspectives we may not have previously considered. We have never viewed a security audit as a burden. To the contrary, we welcome all audits, because they make us better overall.