Not long ago, audits were a sporadic occurrence for an IT department. While most regulatory mandates included sections that addressed IT controls, these portions of the regulations were not the initial focus of auditors, so they were largely ignored.
Therefore, even though validating IT security controls was part of the law, those laws failed to produce any evidence that appropriate security measures had actually been implemented until years after they were initially enacted, when auditors changed their enforcement focus.
This initial enforcement gap left executives with a false sense of confidence that, in some cases, provided the opportunity to manipulate financial and personal information. As regulatory audits began to shift their focus to an organization's IT controls, there was little advance preparation and almost no automated technology capable of providing appropriate validation of controls. This led to lengthy audit preparation, usually requiring tremendous manual efforts involving significant outsourcing.
Unfortunately, many organizations are still following this short-sighted approach. While no one relishes the audit process, when approached correctly, the end result can provide additional value through improved business processes and reduced risk of exposure. After all, the intent of compliance laws is to prove that organizations are properly protecting sensitive information.
To do so, organizations must establish policies to protect the security of information and develop processes for validating the policies are followed. For example, how does the company ensure data access is restricted to only those who need it for business purposes? What is the process for managing password and lockout policies? Is Human Resources provided with proof that access rights are disabled for terminated employees?
Typically, businesses have contended with audits in a haphazard manner—pulling staff away from core competencies to conduct a huge manual documentation effort in the weeks preceding the event to try to anticipate the auditor's potential questions. However, treating audits as a one-time event is counter-productive.
First, many businesses are now subject to multiple regulations. Publicly-held pharmaceutical companies in the U.S., for example, must comply with HIPAA Privacy Rules if they interact with patients and doctors, Sarbanes-Oxley in regard to financial accounting records, and the FDA's 21 CFR Part 11 rules regulating controls over electronic records and signatures used in pharmacological, medical device, biotechnology, food, cosmetics, and health care companies.
Likewise, financial companies are subject to the Gramm-Leach-Bliley Act for protecting the security and confidentiality of consumer financial information, Sarbanes-Oxley if they are publicly traded, as well as FDIC mandates pertaining to the security of consumer transactions. In fact, there are very few organizations today that aren't seeing multiple auditors on a regular basis.
In addition, the number of regulatory requirements businesses face continues to expand even while existing mandates themselves are evolving and changing. The Department of the Treasury is considering its own version of Sarbanes-Oxley, while the Securities and Exchange Commission, tasked with oversight of Sarbanes-Oxley, has recently adopted Auditing Standard No. 5, which is more focused on security risk. Meanwhile, legislators across the country are lobbying for bills to tighten practices for safeguarding customers' private information. Consumers are demanding laws that afford greater insight into breach incidents. In many states, businesses are now required to notify consumers anytime their personal data has been compromised.
It no longer makes sense to think of each of these audits as a one-off event, only to repeat a similar process a few weeks or months down the road when the next regulatory audit arrives.
A better alternative is to implement processes and train staff to turn audit preparation into a repeatable, sustainable process. It's much like passing a test. If you cram for one test at the last minute, you might pass it, but how much knowledge will you retain? And how well prepared will you be for the next test? The same goes for audits. You might squeak through one audit unscathed, but without automated, comprehensive security measures in place, passing multiple subsequent audits is unlikely.
Businesses need to consider data security as a whole, not merely as part of the audit process. This approach not only helps reduce the overall length of the audit process, it eliminates unnecessary vulnerability in the organization—providing a far greater reward than merely passing the audit. After all, if an organization suffers the exploitation of a security vulnerability, it will face a far more costly and disruptive scenario than any compliance audit could cause. Without a holistic approach to data security, organizations are doomed to reinvent the wheel.
Audits require businesses to validate controls over thousands of servers and desktops. Often the task of pulling this information together is time-consuming and costly. Having a means to automatically track and monitor these security practices improves the ability to comply with mandates, lowers the cost of audit preparation, and reduces overall security risks. It's equally important that the information be in an easily accessible format, giving the company the flexibility to adapt reports on demand as required by auditors.
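The control questions raised earlier (is access restricted to those with a business need, are password and lockout settings enforced, are terminated employees' accounts disabled) and the automated, on-demand evidence described here can be combined in one repeatable check. The following is an added example, not code from the original article or any particular product; the HR roster, directory accounts, department entitlements, and policy values are all constructed sample data, and the field names are assumptions chosen for illustration.

```python
"""Repeatable control validation that produces auditor-ready evidence (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import json


@dataclass(frozen=True)
class Employee:
    user_id: str
    department: str
    terminated_on: date | None  # None means still employed


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    groups: frozenset[str]


# Constructed sample data: an HR roster export and a directory account export.
ROSTER = [
    Employee("alice", "finance", None),
    Employee("bob", "it", None),
    Employee("carol", "hr", date(2024, 3, 31)),
    Employee("dave", "finance", date(2024, 6, 15)),
]
ACCOUNTS = [
    Account("alice", True, frozenset({"erp-users", "hris-users"})),
    Account("bob", True, frozenset({"erp-users", "hris-users", "domain-admins"})),
    Account("carol", True, frozenset({"hris-users"})),       # terminated, still enabled
    Account("dave", False, frozenset({"erp-users"})),         # terminated, disabled: correct
    Account("svc-backup", True, frozenset({"domain-admins"})),  # no HR record at all
]
# Constructed entitlement model: which groups each department has a business need for.
ENTITLEMENTS = {
    "finance": {"erp-users"},
    "hr": {"hris-users"},
    "it": {"erp-users", "hris-users", "domain-admins"},
}
# Constructed directory settings versus what the written policy requires.
ACTUAL_POLICY = {"min_password_length": 8, "max_password_age_days": 90,
                 "lockout_threshold": 0, "lockout_duration_minutes": 30}
REQUIRED_POLICY = {"min_password_length": 12, "max_password_age_days": 90,
                   "lockout_threshold": 5, "lockout_duration_minutes": 15}
AS_OF = date(2024, 7, 1)  # the date the evidence is generated for


def terminated_but_enabled(roster, accounts, as_of):
    """Employees terminated on or before as_of whose directory accounts are still enabled."""
    gone = {e.user_id for e in roster if e.terminated_on and e.terminated_on <= as_of}
    return sorted(a.user_id for a in accounts if a.enabled and a.user_id in gone)


def orphaned_accounts(roster, accounts):
    """Enabled accounts with no HR record; these need an owner or must be disabled."""
    known = {e.user_id for e in roster}
    return sorted(a.user_id for a in accounts if a.enabled and a.user_id not in known)


def excess_access(roster, accounts, entitlements):
    """Groups held by enabled accounts beyond their department's entitlement."""
    by_user = {e.user_id: e for e in roster}
    findings = {}
    for acct in accounts:
        emp = by_user.get(acct.user_id)
        if emp is None or not acct.enabled:
            continue  # orphans are reported separately; disabled accounts grant nothing
        extra = sorted(acct.groups - entitlements.get(emp.department, set()))
        if extra:
            findings[acct.user_id] = extra
    return findings


def policy_gaps(actual, required):
    """Settings that are weaker than required, as (setting, actual, required) tuples."""
    gaps = []
    for key, want in required.items():
        have = actual.get(key)
        if key == "lockout_threshold":
            ok = have is not None and 0 < have <= want   # 0 means lockout is disabled
        elif key == "max_password_age_days":
            ok = have is not None and have <= want       # shorter rotation is stricter
        else:
            ok = have is not None and have >= want       # longer length/duration is stricter
        if not ok:
            gaps.append((key, have, want))
    return gaps


def evidence_report(as_of):
    """Run every check and return a JSON-serialisable record an auditor can review."""
    report = {
        "as_of": as_of.isoformat(),
        "terminated_but_enabled": terminated_but_enabled(ROSTER, ACCOUNTS, as_of),
        "orphaned_accounts": orphaned_accounts(ROSTER, ACCOUNTS),
        "excess_access": excess_access(ROSTER, ACCOUNTS, ENTITLEMENTS),
        "policy_gaps": policy_gaps(ACTUAL_POLICY, REQUIRED_POLICY),
    }
    report["passed"] = not any(report[k] for k in
                               ("terminated_but_enabled", "orphaned_accounts",
                                "excess_access", "policy_gaps"))
    return report


if __name__ == "__main__":
    print(json.dumps(evidence_report(AS_OF), indent=2))
```

Because the checks run against exports rather than live systems, the same script can be scheduled to run daily, and each run's JSON output becomes dated evidence that the control was operating over the whole audit period rather than only on the day the auditor asked.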
Another critical factor to consider is how security practices are maintained as the IT environment changes. Leading industry analysts all estimate that between 60 and 85 percent of downtime is caused by misconfigurations resulting from people and process issues. By understanding your environment, how it's configured, and how it will be impacted by new changes, the organization can minimize security vulnerabilities. This frees organizations from extensive audit preparation, with lower cost and less disruption of business-focused IT projects. This approach eliminates guesswork and enables organizations to find and remediate issues faster and more efficiently.
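Knowing how the environment is configured and spotting the effect of changes comes down to comparing each host against an approved baseline and reconciling every difference with a change record. The following is an added example, not code from the original article or any product it alludes to; the baseline, current snapshots, setting names, and approved-change records are constructed sample data.

```python
"""Configuration drift detection against an approved baseline (added example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Drift:
    host: str
    setting: str
    expected: object
    actual: object
    approved: bool  # True when a change record covers this exact new value


# Constructed approved baseline: the settings every host of this role must have.
BASELINE = {
    "web01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
              "firewall.enabled": True, "audit.enabled": True},
    "db01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
             "firewall.enabled": True, "audit.enabled": True, "db.remote_admin": False},
}
# Constructed snapshot of what the hosts report today.
CURRENT = {
    "web01": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
              "firewall.enabled": True, "audit.enabled": False},
    "db01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
             "firewall.enabled": True, "audit.enabled": True, "db.remote_admin": True},
    "web02": {"sshd.PermitRootLogin": "no", "firewall.enabled": True},  # never baselined
}
# Constructed change records: (host, setting, approved new value).
APPROVED_CHANGES = {("db01", "db.remote_admin", True)}


def detect_drift(baseline, current, approved):
    """Every baseline setting whose live value differs, tagged approved or not."""
    drifts = []
    for host, expected in baseline.items():
        actual = current.get(host)
        if actual is None:
            drifts.append(Drift(host, "*", "present", "missing", False))
            continue
        for setting, want in expected.items():
            have = actual.get(setting)  # None when the setting is absent entirely
            if have != want:
                drifts.append(Drift(host, setting, want, have,
                                    (host, setting, have) in approved))
    return sorted(drifts, key=lambda d: (d.host, d.setting))


def unbaselined_hosts(baseline, current):
    """Hosts reporting in that no baseline covers; they are unaudited by definition."""
    return sorted(set(current) - set(baseline))


def unapproved(drifts):
    """Drift with no matching change record: the people-and-process misconfigurations."""
    return [d for d in drifts if not d.approved]


if __name__ == "__main__":
    found = detect_drift(BASELINE, CURRENT, APPROVED_CHANGES)
    for d in found:
        tag = "approved" if d.approved else "UNAPPROVED"
        print(f"{d.host} {d.setting}: expected {d.expected!r}, found {d.actual!r} [{tag}]")
    print("hosts without a baseline:", unbaselined_hosts(BASELINE, CURRENT))
```

Running the comparison on every change, not just before an audit, turns the 60 to 85 percent figure into a concrete list: each unapproved entry is either a misconfiguration to remediate or a change that should have gone through the process, and the approved entries become the baseline for the next run.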
Ultimately, those businesses that take a proactive approach to data security will find audits are far less painful and costly. Moreover, organizations that consider audit preparation an opportunity to understand and improve their environment will achieve stronger security measures and better overall business practices in the long run.