Many organisations still fail to provide answers to fairly simple questions asked by external IT auditors, according to Netwrix. Despite popular frameworks designed to help companies pass compliance audits, according to the 2015 Verizon PCI Compliance Report, around 80% of companies still failed to comply with all the requirements of PCI.
"By treating validation tests as a tick-box exercise, companies often focus their efforts on creating an illusion of compliance rather than trying to actually fulfil the requirements," says Michael Fimin, CEO and co-founder of Netwrix.
"Such an approach does more harm than good, as it provides organisations with a false sense of security and leaves them extremely vulnerable to data breaches."
Netwrix surveyed its customers’ audit experiences and has compiled the top five questions asked by auditors to determine whether a company is able to safeguard its most valuable assets:
1. Do you have a documented security policy?
Auditors need to make sure that rules and regulations are in place to maintain IT infrastructure security and proactively address security incidents. When evaluating the adequacy and reliability of a security policy, auditors will compare measures outlined in the policy with a company’s internal processes to make sure they match.
2. Are access privileges in your organisation granted adequately?
Since a lack of control over privileged accounts continues to be a main security risk, a company needs to prove that all its permissions are granted in accordance with the existing security policy and employees’ business needs. IT auditors will not only verify who has access to what (and why); they will also check a company’s ability to detect insider misuse or abuse of privileges.
3. What methods do you use to protect your data?
Most existing compliance standards focus on protecting sensitive data, such as confidential customer records. A company should be ready to present reports about its methods of data classification and segregation such as placing data into a 24/7 protected network and prove that its most valuable assets will not be compromised easily.
4. Do you have a disaster recovery plan?
A well-structured, clear and viable emergency plan that describes what actions to take in case of a security violation significantly increases a company’s chances of passing an external audit. A good disaster recovery plan includes information about employees’ roles and responsibilities, how they should react if a security breach occurs and what they should do to stop data leaks and minimise their negative consequences.
5. Are your employees familiar with existing security procedures and policies?
Practice shows that auditors are particularly interested in the methods a company uses to encourage its employees to follow internal security policies. A company might need to prove that it regularly trains employees and informs them about existing security procedures.
"Although passing compliance audits is vital for maintaining the security of the IT environment, it doesn’t give you 100% protection against cyber threats," said Michael Fimin.
"Any compliance audit shows the state of the IT infrastructure at a certain point; however data must be secured during the entire period between validation assessments. Therefore companies need to have complete visibility into what is happening across their most critical systems and establish absolute control over each security component.
"Only then will regulatory compliance be considered not as a burden, but as an opportunity to improve business processes and strengthen cyber security."