For many people, the end of the year means making plans for the holidays at home or a reminder that annual reports will soon be due at the office. Amid the usual hustle and bustle, teams at IWCO Direct are busy gearing up for the data security audits we will be conducting in the coming year.
If you’ve been following our information security blogs, you know that IWCO Direct holds ISO 27001:2013, PCI DSSv3.2 and HITRUST certifications. We chose those certifications to demonstrate our commitment to building an effective information security management system and protecting our clients’ sensitive data.
As those in the compliance and security field know, the data security audits for each of those standards require a rigorous annual assessment of an organization’s security controls, including, but not limited to, policy, access control, physical security, incident management, human resources, and asset management. That’s a lofty list of items to audit, but they are all crucial to efficient and effective security practices and deserve the utmost scrutiny.
Our philosophy concerning security audits is that they are opportunities to expand and grow our standards and practices and avoid resting on our laurels, rather than tests we simply need to pass. That’s why, in addition to these annual assessments of our information security practice, we host dozens of onsite audits from our clients in highly regulated industries (such as finance and healthcare) throughout the year. When we have a break from external audits, our internal teams point the microscope at ourselves, ensuring the monitoring and reporting of our information security management system never stops.
What Does a Good Data Security Audit Look Like?
The key to a smooth and effective data security audit is preparedness for both the auditor and the auditee. Those conducting the audit should clearly communicate the scope, objectives, and methodology of the audit. They should also seek to understand the organization being audited—its structure, business model, management practices, and place in the industry—to deliver meaningful results beyond a checklist.
Those being audited should organize the necessary evidence (e.g., policies, procedures, and screenshots) ahead of time and ensure the availability and participation of key subject matter experts. Auditees should be truthful and comprehensive to ensure that evidence and statements reflect actual data security practices.
Of course, data security audits require the engagement of more than just the Information Security team. Teams in departments such as Human Resources, Operations, Maintenance, Procurement, and Finance should all be prepared to participate as subject matter experts during an audit. As those of us in the security and compliance field like to say again and again, security is everyone’s responsibility.
There’s No Such Thing as “Too Secure”
This might all seem daunting, but continuous monitoring and reporting is essential to maintaining an effective information security management system—and audits are one of the best ways of achieving that. Whether conducted by an external compliance auditor or by an internal assessor, data security audits are valuable tools to show business leaders where an organization is doing well and where practices can be improved.
Every finding, whether confirming compliance or highlighting a gap in protection, should be used to calibrate the future of an organization’s security efforts. By continually challenging ourselves and being challenged by others, we avoid complacency, allowing us to deliver the best possible security results for ourselves and our customers.