It’s a word that, if it doesn’t scare them outright, at the very least makes IT management, the security team, and executives uncomfortable. When you’re doing everything you can to keep things running, the last thing you want is someone coming in and telling you you’re doing it wrong. Almost as bad is hearing that you may be doing it right, but you can’t prove it.
I manage the security program for a Federally-regulated not for profit. As an organization, our security program is subject to third-party review and an audit by Federal regulators annually. We use Apptega’s Assessment+ tool to manage how we maintain and present our security program to outside organizations. It’s been a game-changer for us. Sit back, relax, and I’ll take you through our process.
After meeting with the auditor and defining the scope of the review, the auditor presents an Evidence Request List (ERL). The list contains all of the documentation that would show you’ve been doing the things you’re supposed to be doing over the past year. You immediately have a panic attack to go along with a to-do list that’s longer than your arm. You start requesting copies of evidence from all of the people who should produce it, as well as tackling the items you are responsible for yourself.
A week before the audit starts you’re still gathering documentation, following up with people, and trying to get everything ready for the auditor’s arrival. You have a directory that hopefully has some form of organization, but it still contains more information than you need in some places and far less in others.
The auditor arrives and spends a few days interviewing staff and asking you questions and reviewing the evidence you have provided. At the end of each day, you feel like you’ve been through the wringer. You have to know and be able to articulate how you meet each control, each process and each procedure. It’s the longest oral exam you’ve ever been in.
The auditor leaves and hopefully you did your job well, getting an issue-free report. Otherwise, you have a list of things that you have to implement, change, or otherwise do to disrupt your staff.
We’ve gone through several iterations of finding methods to track and maintain our evidence, our security program and its related tasks, and above all, to protect the sensitive information that we’re charged with protecting.
1. We started with the top-level directory and mapped the evidence to the ERL. It worked, but was difficult to maintain.
2. We moved to separate the evidence by control families – our security framework specifies 18 of them. Now I have 18 directories each with a bunch of stuff to maintain. It’s more searching to find what I need, but interviews do tend to be grouped by control family. Things were better and worse at the same time.
3. More organization is better, right? Each control family has between 4 and 25 controls where we have to demonstrate compliance. The next step in our evolution was to create more sub-directories for each control. This method allowed us to ensure that every control was addressed, but in the cases where we could use the same piece of evidence for multiple controls, we had multiple copies of the same file.
Evidence has an expiration date, and this method made keeping all of the evidence fresh more difficult. Version control was also a nightmare: there were several cases where we had several versions of the same evidence in separate control directories. Refreshing evidence was a manual and resource-intensive process. We also ran into issues with directory paths that exceeded the Windows path-length limit.
If you’ve made it this far, you really must want to know how we solved this. The answer is… well we’re still evolving. We partnered with Apptega and are using their platform to manage our security program. Over the past year, we’ve migrated our evidence and artifacts into their platform and have been working to organize things.
There have been a few missteps along the way:
- We initially uploaded multiple copies of artifacts and tied each to the controls to which they applied. This led to the same issue we had with multiple copies in the previous iteration. Apptega has a great solution for linking documents to multiple controls – we just needed to apply it properly.
- Scheduling and calendaring tasks over multiple days made for a very crowded calendar.
- Teaching our auditors to use Apptega for their review and helping them to understand how we are using the product has been a challenge.
- Naming conventions should be worked out and agreed upon before using the tool to maintain evidence.
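The evidence register the steps above and the first misstep describe can be modelled as a many-to-many index: each artifact is stored once and linked to every control it satisfies, with an expiry so stale evidence is flagged before the auditor finds it. This is an added illustration in Python, not the author’s data or Apptega’s implementation; the artifacts, control ids (family-number) and validity periods are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample evidence register (not the author's or Apptega's data).
# One Artifact per file; controls reference artifacts by id, so a document
# that satisfies several controls is stored exactly once instead of copied.

@dataclass(frozen=True)
class Artifact:
    art_id: str
    path: str
    collected: date
    valid_days: int  # how long the auditor will accept the evidence as current

    def expires(self) -> date:
        return self.collected + timedelta(days=self.valid_days)

# Hypothetical control ids "<family>-<number>"; families are constructed.
ARTIFACTS = {
    "A1": Artifact("A1", "policies/access-control-policy.pdf", date(2022, 4, 1), 365),
    "A2": Artifact("A2", "reviews/quarterly-access-review-2022Q4.xlsx", date(2022, 12, 15), 90),
    "A3": Artifact("A3", "training/annual-awareness-roster.csv", date(2022, 12, 1), 365),
}
CONTROL_LINKS = {
    "AC-01": ["A1"],
    "AC-02": ["A1", "A2"],   # same policy reused, no second copy on disk
    "AT-01": ["A3"],
    "IR-01": [],             # nothing linked yet: visible gap, not a hidden one
}

def stale_artifacts(as_of: date, warn_days: int = 30) -> list[str]:
    """Artifact ids already expired, or expiring within warn_days of as_of."""
    cutoff = as_of + timedelta(days=warn_days)
    return sorted(a.art_id for a in ARTIFACTS.values() if a.expires() <= cutoff)

def unsupported_controls(as_of: date) -> list[str]:
    """Controls with no artifact, or whose linked artifacts have all expired."""
    return sorted(ctrl for ctrl, ids in CONTROL_LINKS.items()
                  if not any(ARTIFACTS[i].expires() > as_of for i in ids))

def family_view(family: str) -> dict[str, list[str]]:
    """Evidence paths per control for one family, matching interview order."""
    return {c: [ARTIFACTS[i].path for i in ids]
            for c, ids in CONTROL_LINKS.items() if c.startswith(family + "-")}

if __name__ == "__main__":
    today = date(2023, 3, 15)
    print("refresh soon:", stale_artifacts(today))
    print("unsupported:", unsupported_controls(today))
    print(family_view("AC"))
```

Running the refresh report on a schedule (rather than a week before the audit) is what turns the expiry field into an early warning instead of a finding.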
The Apptega framework gives us much better ways to present our security program to the casual observer and the auditor alike. High-level graphs drill down to narratives, and one more click gets you to the evidence of compliance.
All in all, we’re very happy with the tool. Our annual third-party audit interviews were brief, direct, and to the point. There weren’t any surprises. The audit was completed with a handful of recommendations to bolster our evidence of compliance, but no findings or areas where we were deficient. The normally stressful audit was almost a non-event.
A Step-By-Step Guide to Navigating High-Stakes Audits
For more details on how to prepare for your audits, join Art Provost for a webinar on Wednesday, March 22 at 1PM Eastern. Participants will leave this presentation with a better understanding of what to expect when an audit comes, and how to leverage internal and external resources to pass it confidently — and at minimal cost and business disruption.