by Lepide • 02 Apr 2019
One of the biggest reasons audits fail is that the people involved do not fully understand why the audit is taking place, what it involves and why it matters. The IT department, and the CISO in particular, often already struggles to communicate the importance of data security in a language the rest of the organization understands, and audits tend to make that problem worse.
One of the most effective ways to overcome this is to tailor your language to whoever you are speaking to. Avoid abbreviations, acronyms and jargon your audience is unlikely to understand, even if they seem like common sense to you. Audit interviews usually mean putting technical questions to employees who are not technical, so adjust what you say so that they do not switch off.
If you do not plan your audit thoroughly before you start, you can quickly drift into side projects that consume both time and money. Any compliance mandates you are bound by (HIPAA, GDPR, PCI DSS or others) are a useful starting point for defining the scope of the audit. Doing just enough to satisfy a compliance requirement will not by itself make your organization secure, but those requirements are a good place to start.
When you define the scope, focus on what matters to the board and top executives, which means focusing on risk. The board thinks and speaks in terms of risk to the organization, and that should be the lens for your audit.
It is tempting to audit past events and use them as an indicator of risk. Instead, focus on the organization's current security posture and on how that posture may affect risk in the future. If you understand what your current security strategy (solutions, policies and practices) can and cannot do, you can make an informed judgement about which security challenges you are most likely to face, and take that to the board.
If you do not have a change auditing solution in place and have to rely on native auditing to gather audit data, the audit will take a long time and cost a lot of money. Native auditing records one event per change, with the details buried in each event's data and permissions expressed as raw security descriptors, so investigating anomalous changes or permission changes means having enabled the right audit settings in advance, collecting logs from every server and correlating events by hand. That is both too time-consuming and short of the detail an auditor expects.
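To make that concrete, here is what native auditing gives you on a Windows file server. This is an added example, not Lepide code and not from the original post: it pulls event ID 4670 ("Permissions on an object were changed") from the local Security log and expands the old and new security descriptors into readable ACEs. It assumes the script runs elevated on the server, that the relevant Advanced Audit Policy subcategory ("Audit File System") is enabled and that a SACL auditing WRITE_DAC exists on the folders of interest, otherwise no 4670 events are written at all; the share path in the parameter is hypothetical.

```powershell
<#
  Added example (not from Lepide or the original post).
  Lists permission changes (Security event 4670) on a Windows file server
  using only native auditing, and shows which ACEs were added or removed.
  Assumptions: run elevated on the server; "Audit File System" is enabled and
  a SACL auditing WRITE_DAC exists on the folders, otherwise no 4670 events
  are written. $PathFilter is a hypothetical share path.
#>
param(
    [int]$Days = 7,
    [string]$PathFilter = 'D:\Shares\Finance'
)

function Get-PermissionChangeEvents {
    param([int]$Days, [string]$PathFilter)

    # Native auditing: one Security event per change, no summary view
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4670
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # The useful fields are only reachable through the event's XML view
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($PathFilter -and $data['ObjectName'] -notlike "$PathFilter*") { continue }

        # Old/new permissions arrive as SDDL strings; expand them into ACE text
        $old = if ($data['OldSd']) { @((ConvertFrom-SddlString $data['OldSd']).DiscretionaryAcl) } else { @() }
        $new = if ($data['NewSd']) { @((ConvertFrom-SddlString $data['NewSd']).DiscretionaryAcl) } else { @() }

        [pscustomobject]@{
            Time    = $ev.TimeCreated
            Who     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object  = $data['ObjectName']
            Process = $data['ProcessName']
            Added   = @($new | Where-Object { $_ -notin $old })
            Removed = @($old | Where-Object { $_ -notin $new })
        }
    }
}

Get-PermissionChangeEvents -Days $Days -PathFilter $PathFilter |
    ForEach-Object {
        '{0:u}  {1} changed permissions on {2} (via {3})' -f $_.Time, $_.Who, $_.Object, $_.Process
        if ($_.Added)   { '   added:   ' + ($_.Added   -join '; ') }
        if ($_.Removed) { '   removed: ' + ($_.Removed -join '; ') }
    }
```

Even with the descriptors decoded, this covers one log on one server, depends on audit settings and SACLs having been configured before the change happened, and says nothing about who had access before or after beyond the raw ACE list. Repeating it across every file server and correlating the results with Active Directory group changes is the manual work the paragraph above is describing.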
Investing in a change auditing solution such as LepideAuditor that gives you the key audit information at the click of a button will save a great deal of time and money every time you come to do an audit, which should be often.