Last week, in “Breaches, Hackers and Audits,” we talked about some software glitches and security failures that have been making news lately. Breaches and hackers send chills down the spine of IT security personnel – and rightly so. If the word “audit” has also caused you anxiety, we’d like to tell you that it’s really OK – an audit isn’t intended to punish you. In fact, it can actually help you defend against those other chill-inducing threats.
Embracing the Audit
An audit is a learning tool. It can help you identify and rectify security vulnerabilities, errors in code or compliance problems. An audit can also give IT staffers the evidence needed to persuade higher-ups that their department needs money for upgrades. It’s easy to ask for a new server if an external auditor says yours is at risk because its warranty has expired.
Before you begin looking for someone to perform an audit, do your own internal audit first, and decide exactly what you want to learn from the whole process. An audit can be highly specific – such as a thorough examination of your Sarbanes-Oxley compliance procedures – or it can provide broad recommendations for improved risk prevention. If you aren’t sure what to measure, ask for input from auditors.
Choosing an Auditor
An effective auditor is one who thinks about context, has a good sense of intuition and asks great questions. In an article in Computer Weekly, Mike Gillespie, director of cyber research and security for The Security Institute, explained why those qualities are important.
Gillespie proposed a hypothetical scenario in which a person working with sensitive information leaves his door unlocked. If perimeter security is effective, an unlocked door may not be a threat. But an auditor who disregards perimeter security to conclude that the worker is creating a risk doesn’t understand the spirit of a compliance policy.
To find the right person (or people) to conduct an audit, you may need to interview several candidates – and definitely request references from companies that have used their services.
You’ll find auditors may have various types of certifications, such as CIA (Certified Internal Auditor) or CISA (Certified Information Systems Auditor). Credentials are important, but so is on-the-job experience.
Small businesses and start-ups may lack the resources to hire people with years of experience in the IT security field. So rather than worry about security problems and compliance requirements, some companies choose to outsource some or all of their data management.
Lifeline Data Centers has expert-level experience in regulatory compliance and risk management, and we have rigorous requirements for our third-party providers, as well as our own employees, to minimize risk for our tenants’ data. Find out why many businesses choose Lifeline when searching for a place to house servers and provide other IT services. Schedule a tour of our building today.