Compliance & Regulatory Audits
Compliance is Key
A growing body of regulation imposes enormous burdens on institutions to safeguard their information systems, transaction processes and sensitive databases. Among them are Sarbanes-Oxley (SOX), ISO 27001, Gramm-Leach-Bliley Act (GLBA), Fair and Accurate Credit Transactions Act (FACTA), Health Insurance Portability and Accountability Act (HIPAA), and the latest requirements, adopted as part of the ARRA of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act.
Failure to comply with applicable regulatory standards often leaves exploitable vulnerabilities in place for hackers and other cybercriminals. Identities may be stolen, and sensitive information abused for malicious profit. Security breaches can have far-reaching impacts, ranging from remediation costs and damages payable to victims, to the incalculable toll of negative publicity, customer churn, and lost business. For these reasons, compliance audits should be conducted on a regular basis.
SECNAP’s professionally certified security auditors leverage a complete audit toolkit—in tandem with their extensive, in-depth experience in conducting compliance audits—to ensure that you receive useful, comprehensive information suitable for immediate action. Tools may include automated testing, network and wireless scans, personnel interviews, social engineering techniques, policy reviews, procedural and process evaluations, in-depth analyses and more.
By leveraging third-party support for compliance audit projects, organizations ensure that experienced, objective experts are engaged appropriately, and that in-house IT and audit personnel are able to remain focused on mission-critical responsibilities.
The Compliance Audit Process
Interviews and Reviews
- Conduct interviews and review audit questionnaire with senior IT management
- Review Internet use policies
- Review security exception handling procedures
- Review current firewall rules and logging
- Review laptop and remote access security
- Install SECNAP audit appliance to monitor network
Preparation of Full Network Map (IP address and services assessment)
- Develop list of all servers, hosts and services resident on network
- Perform external penetration and vulnerability tests on all external IP addresses
- Perform internal vulnerability tests on all IP devices on network
- Complete full port scan for every external IP address on network
- Select and execute tests from a suite of more than 13,000 specific tests available
- Test user password policy
- Review written IT security policies in detail and compare to actual implementation
- Review physical security policies and compare with written policies
- Interview senior members of corporate staff regarding security awareness and policy implementation
- Review audit controls
- Check authorization controls electronically and manually to ensure they are being followed and are effective in preventing unauthorized information access
- Review computer incident response follow-up procedures to ensure that both genuine and accidental alarms are fully investigated, that any loss is determined, and that methods are implemented to prevent similar intrusions
- Check incident response process to ensure necessary controls are in place to contain the incidents and minimize damage
- Review IT and procedural components in the context of applicable regulations and requirements
- Review security management processes to ensure adequate protections exist to avoid abuses
- Review administrative procedures, physical safeguards and technical security mechanisms to confirm they are adequate to ensure compliance
Upon completion of the compliance audit, deliverables include a draft and final Detailed Report, an Executive Summary, and supporting data in both paper and electronic form.
At the executive level, we will demonstrate where you stand relative to other companies in your industry, and outline steps that can be taken to improve your security profile, enhance compliance, and reduce risk. Results of the automated scans and any other tests are summarized. An outline of possible employee abuses or violations of your policies is provided. This report may be useful in allocating budget for remediation.
Designed to be used as an actionable guide for the compliance officer and similar stakeholders, as well as appropriate IT management and staff, this detailed report outlines recommendations for changes to written security and Internet use policies, security handling procedures, and any additional measures needed to bring your company into compliance with applicable standards, in addition to best security practices for your industry.
At the close of our work, you’ll possess the information necessary to bring your security program up to date and into compliance, and earn some well-deserved peace of mind in the process.