Preparing for a compliance audit…and why companies aren’t … Part 2 Steps to Compliance


In my last article I discussed compliance in an ideal world, but then talked about the reality that companies face regarding compliance efforts in the real world. If you are ready to move your organization's compliance and security posture closer to the ideal world, here are seven steps every IT organization should take, whether they are scheduled to undergo an assessment or simply want to get started implementing a security program.

STEP 1: Understand the context of the security or compliance assessment

An organization should understand the standards and regulations against which it is going to be assessed. This may seem like common sense, but many companies try to schedule assessments without even reading the applicable standard, much less implementing controls to satisfy its requirements.

STEP 2: Assign responsibility for security

As stated before, an organization may not have any designated security personnel. This all but ensures security measures will not be implemented correctly, if at all. Someone in the organization with the authority to direct resources and projects must be designated as the security official and must be backed by management's commitment to implement security functions.

STEP 3: Assess your current state

An organization must first understand its current state before implementing security functions. An organization should document the following:

  • The types of data it stores in its systems
  • The boundaries of its networks
  • All devices attached to those networks, including the device owner (employee responsible for its function)
  • All connections to systems where company data is transmitted to a third party
  • Personnel with IT operational responsibilities
  • Key system and organizational stakeholders (personnel who should be involved in steering IT decisions)
  • Any vendors involved in storing, transmitting, or processing company data (more on this in step 5)

STEP 4: Classify your data and systems

Classification is essential in prioritizing your organization's efforts to implement security functions. It is a waste of time and resources to secure every system at the same level, as the impact of a compromise is far more severe for some systems than for others. There are many different frameworks for classifying data, such as FIPS 199, published by the National Institute of Standards and Technology (NIST). Basically, key stakeholders determine the impact to the organization of the loss, corruption, theft, or modification of each data type. The impacts are expressed as classification levels, such as confidential, internal, and public. Systems that store critical data should be the focus of the organization's security program.
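As an added illustration of this classification step (example code, not part of the original article), the script below applies the FIPS 199 approach: each data type is rated LOW, MODERATE or HIGH for loss of confidentiality, integrity and availability, a system's security category is the high-water mark over the data it holds, and the systems are then ranked so the security program can focus on the most critical ones first. The data types, systems and ratings are constructed sample values, and the category names follow FIPS 199 rather than the confidential/internal/public labels used above.

```python
from enum import IntEnum


class Impact(IntEnum):
    """FIPS 199 potential impact levels, ordered so max() yields the high-water mark."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


# Constructed sample: stakeholder ratings of the impact of losing
# confidentiality (C), integrity (I) and availability (A) of each data type
# identified in the step 3 inventory.
DATA_TYPE_IMPACTS = {
    "public_marketing": {"C": Impact.LOW, "I": Impact.LOW, "A": Impact.LOW},
    "customer_pii": {"C": Impact.HIGH, "I": Impact.MODERATE, "A": Impact.LOW},
    "payroll": {"C": Impact.MODERATE, "I": Impact.HIGH, "A": Impact.MODERATE},
    "order_processing": {"C": Impact.LOW, "I": Impact.MODERATE, "A": Impact.HIGH},
}

# Constructed sample: which data types each system stores or processes.
SYSTEMS = {
    "web_site": ["public_marketing"],
    "crm": ["customer_pii", "public_marketing"],
    "erp": ["payroll", "order_processing"],
}


def system_category(data_types):
    """Security category of a system: per-objective high-water mark across its data types."""
    category = {objective: Impact.LOW for objective in ("C", "I", "A")}
    for data_type in data_types:
        for objective, level in DATA_TYPE_IMPACTS[data_type].items():
            category[objective] = max(category[objective], level)
    return category


def overall_level(category):
    """Overall impact level of a system: high-water mark across the three objectives."""
    return max(category.values())


def prioritize(systems):
    """Rank systems for the security program: highest overall level first,
    then the sum of the three objective levels as a tie-breaker."""
    def sort_key(name):
        category = system_category(systems[name])
        return (overall_level(category), sum(category.values()))
    return sorted(systems, key=sort_key, reverse=True)


if __name__ == "__main__":
    for name in prioritize(SYSTEMS):
        print(name, dict(system_category(SYSTEMS[name])))
```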

STEP 5: Perform a risk assessment

A risk assessment is simply the documentation of an organization's potential vulnerabilities (weaknesses) and its plans to either remediate (fix) or mitigate (reduce the risk of) those vulnerabilities. Risk assessments may seem complex and arbitrary, and many people seem to dread performing one. It doesn't have to be that way, especially once it becomes clear to management that the organization is usually already performing risk management activities on an ad hoc basis. A risk assessment process simply sets guidelines for that activity and ensures results are documented and communicated.

As stated, a vulnerability is a weakness. Vulnerabilities can be:

  • Organizational (e.g. divisions in the company do not share information, or personnel are not trained to spot phishing attempts)
  • Technical (e.g. company servers are running an outdated O/S that is easily exploited)
  • Physical (e.g. company headquarters is not equipped with a video surveillance system, or headquarters is in a flood zone)

Once vulnerabilities are documented, remediation plans should be drafted and executed. Remediation may include implementing a process to eliminate the vulnerability, like installing a video surveillance system or upgrading the server O/S. In the case of flooding, an organization may not wish to relocate outside the flood zone, so instead flood insurance is purchased to transfer the financial risk of flooding to the insurance company.

These are decisions that executive management already makes. A risk assessment and management process ensures the decisions are proactive, not reactive.

STEP 6: Review your vendor agreements for security requirements

It is rare in this age for any organization to provide services without the use of third-party applications. However, many companies fail to appropriately document security requirements in vendor agreements. Vendor security has been increasingly scrutinized in all types of compliance assessments. To ensure compliance, management should:

  • Document security requirements for vendors – vendors with access to sensitive data and systems should be subject to more stringent requirements
  • Implement a process where any vendor must undergo a security review before services and systems are procured
  • Monitor vendor compliance with requirements on a periodic basis

STEP 7: Backups, business continuity, and disaster recovery

Most organizations understand the importance of backing up critical data. However, performing scheduled backups is not enough. An organization should:

  • Perform a business impact analysis that determines how long the organization can withstand the loss of critical systems before catastrophic damage is done to the company's service or reputation
  • Draft plans to ensure those critical systems, if corrupted, lost, or damaged, can be restored within that time
  • Test the plans to ensure personnel have the knowledge and resources to perform continuity and recovery within the required time frame

If this seems overwhelming, and it can be, or you don't have the resources to complete these steps, you can contact us to see how we can help.


Bryan Graf

Principal Consultant, Sienna Group LLC