Compliance & Regulatory Audits
Compliance is the Foundation for Security
A compliance audit is a review of an organization’s adherence to regulatory guidelines set by the regulatory authority of that particular industry. Some of the main areas that SECNAP provides consultative services include:
- Financial Industry Regulatory Authority (FINRA)
- General Data Protection Regulation (GDPR)
- Gramm–Leach–Bliley Act (GLBA)
- Health Insurance Portability and Accountability (HIPAA)
- Health Information Technology for Economic and Clinical Health (HiTech)
- Payment Card Industry Data Security Standard (PCI DSS)
- Sarbanes–Oxley (SOX)
- Supersedes Statement on Standards for Attestation Engagements (SSAE 18)
- California Consumer Privacy Act (CCPA)
A growing body of regulation imposes enormous burdens on institutions to safeguard their information systems, transaction processes and sensitive databases.
Failure to comply with applicable regulatory standards can result in the exploitation of vulnerabilities by hackers and other cybercriminals. Identities may be stolen, and sensitive information abused for malicious profit. Security breaches can have far-reaching impacts, ranging from remediation costs and damages payable to victims, to the incalculable toll of negative publicity, customer churn, and lost business. For these reasons, compliance audits should be conducted on a regular basis.
Our Professional and Experienced Team
SECNAP’s professionally certified security auditors leverage a complete audit tool kit in combination with extensive experience in compliance audits. Tools may include automated testing, network and wireless scans, personnel interviews, social engineering techniques, policy reviews, procedural and process evaluations, in-depth analyses and more.
By leveraging SECNAP as a third-party auditor, organizations ensure that objective experts are engaged and that in-house IT and audit personnel are able to remain focused on mission-critical responsibilities.
At the executive level, we will demonstrate where you stand relative to other companies in your industry, and outline steps that can be taken to improve your security profile, enhance compliance, and reduce risk. Results of the automated scans and any other tests are summarized. An outline of possible employee abuses or violations of your policies is provided. This report may be useful in allocating budget for remediation.
Designed to be used as an actionable guide for the compliance officer and similar stakeholders as well as appropriate IT management and staff, this detailed report outlines recommendations for changes to written security and Internet use policies, security handling procedures, and any additional measures to bring your company into compliance with applicable standards in addition to best security practices for your industry.
At the close of our work, you’ll possess the information necessary to bring your security program up to date and into compliance, and earn some well-deserved peace of mind in the process.
The Compliance Audit Process
Interviews and Reviews
- Conduct interviews and review audit questionnaire with senior IT management
- Review Internet use policies
- Review security exception handling procedures
- Review current firewall rules and logging
- Review laptop and remote access security
- Install SECNAP audit appliance to monitor network
Preparation of Full Network Map
- Develop list of all servers, hosts and services resident on network
- Perform external penetration and vulnerability tests on all external IP addresses
- Perform internal vulnerability tests on all IP devices on network
- Complete full port scan for every external IP address on network
- Select and execute from suite of more than 13,000 specific tests available
- Test user password policy
- Review written IT security policies in detail and compare to actual implementation
- Review physical security policies and compare with written policies
- Interview senior members of corporate staff relative to security awareness and policy implementation
- Review audit controls
- Check authorization controls electronically and manually to ensure they are being followed and are effective in preventing unauthorized information access
- Review computer incident response follow-up procedures to ensure intended and accidental alarms are fully investigated, loss determined, and methods implemented to prevent similar intrusions
- Check incident response process to ensure necessary controls are in place to contain the incidents and minimize damage
- Review IT and procedural components in the context of applicable regulations and requirements
- Review security management processes to ensure adequate protections exist to avoid abuses
- Review administrative procedures, physical safeguards and technical security mechanisms to confirm they are adequate to ensure compliance
Upon completion of the compliance audit, deliverables include a draft and final Detailed Report, an Executive Summary, and supporting data in both paper and electronic form.