As an IT security professional, over the past 10+ years, I’ve had the distinct pleasure of grinding through compliance audits in both government and commercial sectors. I have also assisted many other security pros with audits—I have to say the hardest lesson I learned is that audits are an on-going "process," which does not end once you pass an audit. However, compliance doesn’t always fall on the security pro’s shoulders. Many network and system admins need to know how to do compliance as well. So to help you out, here are some compliance best practices. In this post, I will pass along some suggestions based on my experiences in the trenches with the hope that you will provide some of your own!
1. DOCUMENT, DOCUMENT, DOCUMENT!!! Documentation is hands down the most tedious part of preparing for an audit. It’s also the most neglected. Thorough documentation will serve you well, even long after passing an audit. If you have been tasked with securing the network and preparing for audits, organizing and documenting your policies and procedures for EVERYTHING is critical. Always approach documentation with a mindset of “If I am not here, can anyone follow these procedures?” Finally, always remember that an audit is an on-going process. Always keep your information current by scheduling time to review and revise your documentation throughout the year.
2. Clearly understand your compliance requirements and DON’T SKIP ANYTHING. Every regulated industry is different. Understanding what is required for your particular industry can be a challenge. Some compliance requirements are clearly defined while others provide only vague details. Make sure you know what specifics your industry requires.
3. Identify devices. Now that you have everything documented and a clear understanding of your requirements, identify which network devices, systems, and applications must be monitored for compliance. The sooner you accomplish this the better. It is especially important if you are deploying a SIEM or Log Management solution. These may require additional applications to collect logs. One tidbit I have learned when communicating with different department heads is to assign a dollar value to the risks of non-compliance.
4. Automate wherever possible. When collecting audit trails, you will quickly see that the data volume is immense and seemingly impossible to review. Automating can help simplify things. Develop or configure automated reporting and scheduled reports specific to your compliance requirements. Also, leverage any real-time/near real-time alerting and notification functionality. Most of today's Log Management solutions provide some form of alerts or notifications, which is a good compliance audit best practice because it proves that you are "actively reviewing" your logs.
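As an added illustration of the "automate the review" point above (this is example code written for this post, not a vendor product or anything from a particular SIEM), the script below parses a handful of constructed sshd/sudo log lines, builds a scheduled-report summary of failed logins, successful logins and privileged commands, and raises a near-real-time style alert when one source exceeds a failed-login threshold inside a sliding window. The log format, thresholds and source addresses are assumptions chosen for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd/sudo style; not taken from any real system.
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 40001 ssh2
2024-03-01T08:00:03 sshd[1002]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
2024-03-01T08:00:04 sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
2024-03-01T08:00:06 sshd[1004]: Failed password for root from 203.0.113.5 port 40004 ssh2
2024-03-01T08:00:07 sshd[1005]: Failed password for root from 203.0.113.5 port 40005 ssh2
2024-03-01T08:15:00 sshd[1010]: Accepted publickey for alice from 198.51.100.7 port 50001 ssh2
2024-03-01T09:30:12 sshd[1020]: Failed password for bob from 198.51.100.9 port 50010 ssh2
2024-03-01T09:31:40 sshd[1021]: Accepted password for bob from 198.51.100.9 port 50011 ssh2
2024-03-01T10:02:00 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart auditd
"""

# Patterns for the three event kinds this demo cares about (assumed log layout).
FAILED_RE = re.compile(r'^(\S+) sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)')
ACCEPT_RE = re.compile(r'^(\S+) sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)')
SUDO_RE = re.compile(r'^(\S+) sudo:\s+(\S+) : .*COMMAND=(.+)$')


def parse_line(line):
    """Normalize one raw line into an event dict; return None for lines we do not track."""
    m = FAILED_RE.match(line)
    if m:
        ts, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "type": "auth_failure", "user": user, "src": src}
    m = ACCEPT_RE.match(line)
    if m:
        ts, method, user, src = m.groups()
        return {"ts": datetime.fromisoformat(ts), "type": "auth_success",
                "user": user, "src": src, "method": method}
    m = SUDO_RE.match(line)
    if m:
        ts, user, cmd = m.groups()
        return {"ts": datetime.fromisoformat(ts), "type": "privilege_use",
                "user": user, "src": "local", "command": cmd}
    return None


def parse_log(text):
    """Parse a whole log blob, dropping blank and unrecognized lines."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return [e for e in events if e is not None]


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Alert when one source produces `threshold` or more failures inside a sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["type"] == "auth_failure":
            by_src[e["src"]].append(e["ts"])
    alerts = []
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append({"src": src, "count": end - start + 1,
                               "first": times[start], "last": times[end]})
                break  # one alert per source per run keeps the report readable
    return alerts


def compliance_report(events, threshold=5, window=timedelta(minutes=1)):
    """Build the summary a scheduled compliance report would carry, alerts included."""
    failures_by_user = defaultdict(int)
    successes = 0
    privileged = []
    for e in events:
        if e["type"] == "auth_failure":
            failures_by_user[e["user"]] += 1
        elif e["type"] == "auth_success":
            successes += 1
        elif e["type"] == "privilege_use":
            privileged.append((e["user"], e["command"]))
    return {
        "events_reviewed": len(events),
        "failed_logins_by_user": dict(failures_by_user),
        "successful_logins": successes,
        "privileged_commands": privileged,
        "alerts": failed_login_bursts(events, threshold, window),
    }


if __name__ == "__main__":
    report = compliance_report(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it on a cron schedule (or wire `compliance_report` into whatever job runner you already have) and archive each run's output: the stored reports and the alert records are exactly the evidence an auditor asks for when they want to see that logs are being actively reviewed rather than merely collected.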
5. Review policies and procedures. If you consistently review your procedures and compare them with the most updated requirements, you should always be prepared for an audit. At a minimum, I strongly recommend quarterly reviews—monthly is ideal.

Meeting compliance regulations can be challenging when it comes to collecting the necessary audit trails. Hopefully, these suggestions give you some ideas or jog your memory and motivate you to start that compliance review!
Want more specific information? Check out these additional links: