There isn’t an individual in any company who doesn’t worry about failing an audit for non-compliance. And whether it’s PCI, SOX, HIPAA, NERC, ISO 27001, FFIEC, FISMA or FERPA, when it comes to audit compliance of dozens or even hundreds of deployed applications, IT is not exempt from its share of requirements (or pain). Not only are there costly penalties when violations are discovered, but when a business is not in compliance with specific regulations, it can be particularly damaging to a business’ reputation.
To better prepare for a compliance audit, here are a few tips that companies in any industry can use:
1. Perform a Self-Audit
The best way to figure out how your company will fare in an audit is to conduct one in-house. You could appoint an internal team to perform the audit, but an independent auditor may prove a better alternative, especially if internal resources are scarce. Either way, being prepared with the proper documentation and with follow-up processes to correct any deficiencies is essential to passing any audit.
2. Identify Users Accessing Shared Credentials
Require individual credentials in a secondary identification window in order to log onto a server or network, even when using a shared account (such as “administrator” or “root”). This will ensure that every action will be attributed to an individual user.
3. Ensure You Have an Audit Trail
An audit trail of user actions, including a record of the changes that have been made to a database, file, or other applications, is a key factor in passing an audit. You must be able to track exact actions and have textual user activity logs for reporting.
4. Monitor Activity of Privileged Users, Business Users & Vendors
Visual recordings of all user activity on any server or workstation make auditing and compliance easier, no matter what applications or resources the user accessed. They provide clear evidence of who did what and how they did it.
5. Stay Tuned to Security Events Within Your Industry
If a competitor experiences a security incident, analyze your internal systems and ensure all access into your network is protected. Trouble at another company within your industry may prompt compliance auditors to investigate your organization for similar security weaknesses.
6. Watch Out for New Regulations
Technology is always changing, and staying compliant involves myriad people and systems. It’s important to stay up-to-date on the changing security landscape to anticipate the enforcement priorities within regulatory agencies. For example, NISPOM Conforming Change II requires that DoD contractors have a written program plan in place to begin implementing insider threat requirements of Change II no later than November 30, 2016.
7. Train All Users on Security Policies
Ensure that all users (remote and on-site) have been informed of, and have agreed to, security policies and procedures that establish how confidential information is to be handled, backed up/recovered, archived and/or destroyed. Additionally, train users on internet safety concerns, including spear-phishing emails, how to create strong passwords, and other security topics related to your business.
8. Be Prepared to Quickly Produce Documentation
Historically, companies might have had days or weeks to furnish documentation requested by a regulator. Now compliance auditors expect companies to produce documents quickly, even on demand in some cases.
Following these tips can help an enterprise pass a compliance audit. But it’s important to know that ultimately, every compliance violation can be traced back to the specific actions of a particular user: an employee, contractor or remote vendor involved in the collection, storage and transmission of sensitive data. Ensuring the safety of sensitive data in accordance with compliance regulations should be a first priority for any security team.
Can we help you? ObserveIT provides monitoring and investigation software to ensure your IT organization can comply with regulations. We monitor every application session from start to finish, and track the identity of shared “administrator” accounts. Simple to deploy, ObserveIT’s solution can remediate your audit findings in less than an hour. See how ObserveIT maps to specific regulations here.