The Reality of Security Audit Preparation

Audit Liaison gets contacted every week from companies around the world asking questions about a request they received, generally from a large customer or prospect, for a SOC, ISO, HIPAA/HITRUST, PCI or FISMA audit report.  Let us break down the recurring themes of those calls and what it means in real terms for the parties asking the questions.

“What is a SOC (or ISO, et al.) audit report?” #

The SOC, ISO, and other audit reports you are being asked about are security audits.  They are audits specifically geared to assessing an entity’s program to help ensure the security, availability, integrity, confidentiality, and privacy of the data that it holds and the systems that process that data.  The data that customers are generally concerned about is their data that you are receiving, processing or storing. Additionally, some data is so sensitive (e.g. intellectual property or data with federal security implications, for example) that there may be regulatory concerns.

“Why are they asking us if we have an audit report?” #

We generate the answer for the inquirers by asking some questions around the nature of the product or service they provide and the type of data they handle.  In short, if you have access to your customers’ user IDs and passwords or your customers’ personally-identifiable information (PII) or other sensitive data, that represents the justification for their request for your security audit report.

“How do we get ready for a security audit?” #

Please listen as this is the most important part of this short article and really the purpose of writing it.  You have to implement a security and compliance program.  The security and compliance program will be independently assessed during the audit against the respective standard required by your prospects and clients.  First point, you do not or should not get ready by asking the auditors who will be conducting the audit for the evidence request list.   While this may or may not help you achieve successful audit results based on how mature your existing security and compliance program is, you are missing a golden opportunity to get executive-level support for making impactful changes.  What we always say to our clients and prospects is:  “we can help you achieve successful audit results without question, but if we haven’t helped you control your security and data risks, we have failed you”.

I hope that helps frame what a security audit really is all about.  Yes, it’s a bit of a burden, and yes, you will have some upfront preparation costs along with recurring costs to support your program and retain the independent auditor who performs the audit and provides you with the audit report.  However, what you are really doing is implementing a security and compliance framework built around identifying where and how you receive, process, and store sensitive customer and proprietary data.  You will identify who has access to that data, what systems are used to monitor your users and your infrastructure, and what processes and controls are in place to keep the data secure, available, untainted, and confidential.   Pretty cool right?

“How much will it cost us to prepare?” #

With the right internal people or the right partner, not as much as you think.  We have written some other articles about how to prepare for an ISO 27001 or SOC 2 audit.  Feel free to download them here.

You need someone on your team who is fairly well versed in implementing either a security or compliance program to do it well and efficiently.  There are companies that promise if you buy their software, you will be prepared.  However, I think you can see from the previous answers that having a functioning security and compliance program is going to take more than implementing some software.  Do not get me wrong, we are partnered with some outstanding governance, risk, and compliance (GRC) software providers who have built some outstanding tools to help document the security and compliance program and retain the documentation.  However, you need processes, controls, and owners who are executing relevant controls on a daily basis.  Essentially, you need to prove to well-trained, independent auditors how you are protecting sensitive data and the systems that handle it.  A software program is not going to do that alone.

The good news is for most of these security audits, you do not need thousands or even hundreds of consultant or internal personnel hours.  FISMA and FedRAMP audit readiness requires more hours than the other types of audits discussed here, but nonetheless, there are ways to make the federal security audit preparation process more efficient.  If you’d like to get a quote to assist you, please contact us.

“What do our ongoing costs look like if we decide to undergo a security audit each year?” #

If you have someone who can manage your security and compliance program internally, the only recurring cost for most of the audit standards is the annual audit fee for the independent auditor.  Under PCI or one of the federal audits, there may be annual penetration test or self-assessment requirements, as well, based on your entity’s assessed risk level.

I hope that you have found this article helpful.  We’ would love to hear from you.  With more and more competitors coming into the marketplace and more claims about the ability to automate your security and compliance program, we wanted to shed some light on the reality of these security audits and what will be expected from your organization.