Now that you have been placed in charge of security and compliance, how will you prepare for an audit? Here are some best practices that should help you ALWAYS be prepared for future audits.
DOCUMENT, DOCUMENT, DOCUMENT!!! Documentation is hands down the most tedious part of preparing for an audit. It’s also the most neglected. Thorough documentation will serve you well, even long after passing an audit. If you are tasked with securing your network and preparing for audits, organizing and documenting your policies and procedures for EVERYTHING is critical. Always approach documentation with the mindset of “If I am not here, can anyone follow these procedures?” Finally, always remember that an audit is an ongoing process. Keep your information current by scheduling time to review and revise your documentation throughout the year. The security landscape changes daily, and compliance has become a huge focus over the past few years. I recommend reviewing your documentation at least monthly. However, if you have the resources, a weekly review will help you stay on top of the latest security and compliance events.
Clearly understand your compliance requirements and DON'T SKIP ANYTHING. Every regulated industry is different, and understanding what is required for your particular industry can be a challenge. Some compliance requirements are clearly defined while others provide only vague details. It’s best to be proactive when it comes to understanding new compliance requirements. If at all possible, talk to a QSA (Qualified Security Assessor) or at least review online guidance from a QSA; they are trained in the compliance requirements for specific industries. For example, here is a simplified checklist for PCI posted by QSA Charles Denyer: http://www.pciassessment.org/pci-dss-framework/pci-compliance-audit-requirements-and-checklist-part-i. Also, here is a simplified template for HIPAA that does a great job of breaking down each requirement: https://www.aace.com/files/aaceversionhipaamanual-second_edition.pdf.
Identify devices, systems, and applications. Now that you have everything documented and a clear understanding of your requirements, identify which devices, systems, and applications you need to monitor for compliance. If you are a one-man security, networking, helpdesk, and system admin shop, your job is a bit easier, as you control everything. Life gets a little more difficult when you have to meet with every IT department and explain why you have to start collecting logs from their systems. Either way, it’s best to complete this task as soon as possible, especially if you are deploying a SIEM or log management solution. Many of these solutions provide automated reporting features; however, some log management solutions may require additional applications (such as collection agents) to gather logs from each source. One tidbit I have learned when communicating with different department heads is to assign a dollar value to the risks of non-compliance.
Secure log collection and storage. Most regulated industries require a secured log collection process. This is classified as “Chain of Custody,” which ensures that log data is protected, and its integrity is demonstrable, from the moment it is collected until it is stored. Log management systems that use agents make this very simple, and agent technologies like Snare offer an encryption feature for the data in transit. Securing your log storage is also critical: it is common to apply or enable encryption on the data store and to restrict access through permissions. Finally, as per my earlier recommendation, make sure you document this process and keep a complete audit trail of ANYONE who accesses the log data.
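The chain-of-custody goal above, demonstrated as an added example that is not part of the original post: a small tamper-evident log store in Python that HMAC-chains each record to the previous one, so that an edit, deletion, or reordering of records between collection and storage is detectable at audit time. The key, record format, and sample log lines are constructed for the example; in practice the key would live in a KMS or HSM and the latest MAC would be anchored in a separate, access-controlled store.

```python
import hashlib
import hmac
import json

# Constructed sample records, as a log collector might receive them.
SAMPLE_LOGS = [
    "2024-01-01T00:00:01Z sshd[101]: Accepted publickey for alice from 10.0.0.5",
    "2024-01-01T00:00:07Z sudo: alice : COMMAND=/usr/bin/systemctl restart nginx",
    "2024-01-01T00:00:09Z sshd[101]: Disconnected from user alice 10.0.0.5",
]
# Placeholder key for the demo; a real deployment keeps this in a KMS/HSM.
SECRET_KEY = b"constructed-demo-key-do-not-use"
GENESIS = "0" * 64  # chain anchor for the first record


def _mac(key, seq, line, prev):
    # Canonical encoding so verification recomputes the exact same bytes.
    body = json.dumps({"seq": seq, "line": line, "prev": prev}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def seal_logs(lines, key):
    """Return records whose MAC covers the record and the previous MAC."""
    prev, sealed = GENESIS, []
    for seq, line in enumerate(lines):
        mac = _mac(key, seq, line, prev)
        sealed.append({"seq": seq, "line": line, "prev": prev, "mac": mac})
        prev = mac
    return sealed


def verify_chain(sealed, key, expected_last_mac=None):
    """Return (ok, first_bad_seq). Catches edited, removed, inserted, or
    reordered records; pass the anchored last MAC to also catch truncation."""
    prev = GENESIS
    for pos, rec in enumerate(sealed):
        recomputed = _mac(key, rec["seq"], rec["line"], rec["prev"])
        if (rec["seq"] != pos or rec["prev"] != prev
                or not hmac.compare_digest(recomputed, rec["mac"])):
            return False, pos
        prev = rec["mac"]
    if expected_last_mac is not None and prev != expected_last_mac:
        return False, len(sealed)  # chain is intact but shorter than anchored
    return True, None
```

Verifying the chain on a schedule, and logging who ran the verification, gives the auditor both the integrity evidence and the access trail the requirement asks for.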
Review policies and procedures. The security landscape and IT environments change constantly, so it is important to frequently review your data collection criteria. Many regulations, like HIPAA, PCI DSS, and SOX, already require an ongoing review of audit trails. In my experience, most IT departments review their policies and procedures quarterly. However, for security purposes, I recommend a monthly or weekly review.
a. Monitor for updates and upgrades to current devices, operating systems, and applications, paying particular attention to any audit or logging changes.
b. Review your network architecture and determine whether there are new devices, applications, or systems that need to be added or fall under the scope of compliance.
c. Review compliance documentation for changes to monitoring and audit requirements. More importantly, review and revise your own policies and procedures to accommodate changes.
Meeting compliance regulations can be challenging when it comes to collecting the necessary audit trails. Hopefully, these suggestions give you some ideas or jog your memory and motivate you to start that compliance review!
This post is part of our Best Practices for Compliance Series. For more best practices, check out the index post here: Best Practices for Compliance