How to breeze through your next compliance audit

Bill Evans (left) and Tim Sedlack (right) of Dell Software.

If you were to ask an IT professional to name the one thing they dread most, a visit from the auditor would likely rank right up there with a Windows XP migration. With the massive and ever-growing list of compliance regulations, organizations find themselves squarely in the crosshairs of audits. In a perfect world, these enterprises would know exactly when an auditor is going to show up and which questions they will ask, and the data proving the organization's compliance would be ready on a silver platter. Compliance audits do not work that way, but there are a number of ways to take the fear out of the next one.

Eliminate complexity and consolidate data. If an organization's IT infrastructure is set up in silos, with a separate administrator for every platform, each administrator has to run their own search to show which data an employee has access to and how that access was obtained. An auditor may ask, "How many systems and applications does this person currently access?" Say there are nine systems. That means at least nine administrators have to search their systems to see whether someone has access, then comb through event logs to determine where that access came from. It's also likely that nine different applications exist within the same organization, and the administrators then have to show that the person cannot access those applications either. Needless to say, it would be easier to eliminate the complexity and store all of that access data in one searchable database.

Get the auditor out of the office as quickly as possible. You don't need to rush the auditor out the door, but all data should be easily accessible and searchable so the auditor doesn't need to wait while you search for the proverbial needle in a haystack. For example, if identity and access data is consolidated in one location and can be searched quickly, an auditor will be able to run their report and be on their way in a timely manner.

Explain continuous control. Sharing data with an auditor carries some risk: offer too much information and they will likely dig deeper and spend more time auditing your company. Instead, show the auditor that you have software in place that keeps your organization in compliance. That answers the auditor's question about how your organization maintains continuous control. Exposing the software and processes your organization has in place proves to the auditor that your organization is compliant around the clock, not just on audit day. Mechanisms that alert you to non-compliance, together with a long-term log retention configuration, also help to prove continuous control.

Take on the role of the auditor to find errors first. Discovering a compliance violation is not ideal for any organization, but finding it during an audit is worse because it leaves IT scrambling to fix something that was missed. Why not run reports ahead of time? For example, if you know the auditor is coming to evaluate how your organization adheres to PCI requirements, it would be helpful to run reports specific to those requirements to see how your organization stacks up. If you do find an error or violation you can address it before the audit begins. This will prevent an IT department from being caught off guard during an audit.
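As an added illustration of the two points above, consolidating access data into one searchable store and then running the auditor's own questions against it ahead of time, here is a small example. It is not code from the article or from Dell Software; the three systems, the users, the grant events and the login dates are all constructed sample data, and the 90-day idle threshold reflects the PCI DSS requirement that inactive accounts be removed or disabled within 90 days.

```python
"""Consolidate per-system access exports into one searchable store and run
the checks an auditor would run, before the auditor does."""
from datetime import date, timedelta
import sqlite3

# Constructed sample data for three hypothetical systems. Each access row is
# (system, user, how, via): "direct" grants have no group, "group" grants name it.
ACCESS_EXPORTS = [
    ("payroll", "alice", "direct", None),
    ("payroll", "bob", "group", "HR-Admins"),
    ("payroll", "erin", "group", "HR-Admins"),
    ("cardholder-db", "alice", "group", "PCI-Ops"),
    ("cardholder-db", "carol", "direct", None),
    ("vpn", "alice", "group", "Staff"),
    ("vpn", "bob", "group", "Staff"),
    ("vpn", "dave", "group", "Staff"),
]
# Constructed grant events pulled from each system's event log:
# (system, user, granted_on, granted_by). carol's direct grant on cardholder-db
# deliberately has no event, so it will show up as orphaned access.
GRANT_EVENTS = [
    ("payroll", "alice", "2023-01-10", "hr-manager"),
    ("payroll", "bob", "2023-02-01", "hr-manager"),
    ("payroll", "erin", "2024-01-15", "hr-manager"),
    ("cardholder-db", "alice", "2023-03-05", "sec-lead"),
    ("vpn", "alice", "2022-12-01", "it-ops"),
    ("vpn", "bob", "2022-12-01", "it-ops"),
    ("vpn", "dave", "2022-12-01", "it-ops"),
]
# Constructed last-login records: (system, user, last_login). erin has never logged in.
LAST_LOGINS = [
    ("payroll", "alice", "2024-05-20"),
    ("payroll", "bob", "2024-04-02"),
    ("cardholder-db", "alice", "2024-05-30"),
    ("cardholder-db", "carol", "2024-05-28"),
    ("vpn", "alice", "2024-05-31"),
    ("vpn", "bob", "2024-05-31"),
    ("vpn", "dave", "2023-11-15"),
]


def build_store() -> sqlite3.Connection:
    """Load every system's export into one in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE access (system_name TEXT, username TEXT, how TEXT, via TEXT);
        CREATE TABLE grant_event (system_name TEXT, username TEXT, granted_on TEXT, granted_by TEXT);
        CREATE TABLE login (system_name TEXT, username TEXT, last_login TEXT);
    """)
    conn.executemany("INSERT INTO access VALUES (?, ?, ?, ?)", ACCESS_EXPORTS)
    conn.executemany("INSERT INTO grant_event VALUES (?, ?, ?, ?)", GRANT_EVENTS)
    conn.executemany("INSERT INTO login VALUES (?, ?, ?)", LAST_LOGINS)
    return conn


def access_for_user(conn, username):
    """Answer 'which systems does this person access, and how did they get it?'
    with one query instead of one search per administrator."""
    return conn.execute("""
        SELECT a.system_name, a.how, a.via, g.granted_on, g.granted_by
        FROM access a
        LEFT JOIN grant_event g ON g.system_name = a.system_name AND g.username = a.username
        WHERE a.username = ?
        ORDER BY a.system_name
    """, (username,)).fetchall()


def find_orphaned_access(conn):
    """Access with no recorded grant event: nobody can show where it came from."""
    return conn.execute("""
        SELECT a.system_name, a.username
        FROM access a
        LEFT JOIN grant_event g ON g.system_name = a.system_name AND g.username = a.username
        WHERE g.username IS NULL
        ORDER BY a.system_name, a.username
    """).fetchall()


def find_stale_access(conn, as_of, max_idle_days=90):
    """Accounts idle longer than max_idle_days (PCI DSS: remove or disable
    inactive accounts within 90 days). Never-used accounts count as stale."""
    cutoff = (date.fromisoformat(as_of) - timedelta(days=max_idle_days)).isoformat()
    return conn.execute("""
        SELECT a.system_name, a.username, l.last_login
        FROM access a
        LEFT JOIN login l ON l.system_name = a.system_name AND l.username = a.username
        WHERE l.last_login IS NULL OR l.last_login < ?
        ORDER BY a.system_name, a.username
    """, (cutoff,)).fetchall()


if __name__ == "__main__":
    db = build_store()
    for row in access_for_user(db, "alice"):
        print("alice:", row)
    print("orphaned access:", find_orphaned_access(db))
    print("stale as of 2024-06-01:", find_stale_access(db, "2024-06-01"))
```

With the exports loaded once, the auditor's question about any user is a single query, and the two self-audit checks surface exactly the findings that would otherwise be discovered during the audit: an access entry with no grant event behind it, and accounts that should already have been disabled. Dates are kept as ISO strings so that the comparison in `find_stale_access` sorts correctly without any extra parsing.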

Following these steps can help you fly smoothly through your next audit in an efficient and potentially rewarding way for you and your auditor.