Compliance audits are like doctor’s appointments. Nobody likes them, but virtually everybody needs them. Once your company grows beyond a certain size, it’s inevitable that you will be engaging in activities or collecting data that make you subject to various regulations, whether you’re a hospital subject to HIPAA or a company collecting email addresses subject to the GDPR. And eventually, you’re going to have to prove that you’re following those regulations successfully. That’s where the compliance audit comes in.
What is a compliance audit?
A compliance audit is quite literally an audit to see how closely you’re following the rules and regulations to which your company is subject, but it’s also more than that. It’s about making sure you follow YOUR OWN rules. Many companies think that all they need to do is follow “best practices”, but that’s a fallacy, and for more than one reason. First, where best practices DO exist, they are the absolute minimum that must be done to be effective. They’re essentially an excuse to stop thinking about how to solve a problem. And because they are the absolute minimum, there’s one group who absolutely LOVES them: hackers. They know what these “best practices” are, and they’ve had decades to learn how to get around them. But there’s another important reason to go beyond this notion of “best practices”, and that’s that they simply do not exist. The technology world moves fast, and any activity that’s been around long enough to be considered a “best practice” has been around long enough to be outdated. In a world where data is money and the average data breach costs $3.6 million, a compliance audit is meant to ensure that you are following all of the security and legal controls necessary for your business, rather than blindly playing it by ear and hoping for the best.
How to do a compliance audit
Whether you hire a vendor or decide to do a compliance audit yourself, the process is essentially the same.
Step 1: Determine what you’re trying to accomplish
The first thing you need to ask yourself is the simplest: Why are you doing this? Do you have an audit due? Have you been compromised? What keeps you up at night? Ultimately you will be judged on your adherence to your particular regulatory scheme. In some cases you can choose the scheme against which you want to prove compliance, such as NIST or FedRAMP. In others, your line of business will dictate that for you, such as HIPAA for medical institutions, PCI for companies that accept credit cards, or GDPR for companies storing personally identifiable information. When making your decision, make sure that you are being realistic. It may sound like a great idea to shoot for the ultra-secure FedRAMP High, but do you really want to spend a year and a million or so dollars to do that when you’re not actually providing a product to the United States Federal Government?
Step 2: Decide what needs to be done
The next step is to determine the roadmap of your audit. How you proceed from here depends on whether you’re doing the audit yourself or hiring an outside vendor. If you’re hiring an outside vendor, they will most likely provide you with a questionnaire that enables them to get started without wasting time in your first meetings. If you’re performing the audit yourself (perhaps to ensure you’ll pass the third-party audit), you’ll likely download the documentation detailing what you’ll need to check. For example, NIST compliance requires you to satisfy 600-700 different security controls. FedRAMP Moderate consists of 325 controls in 16 categories and 8 major areas.
Step 3: Establish appropriate permissions
The whole point of this exercise is making sure that your systems are secure, so presumably the auditors will need permission to access various areas of your infrastructure, such as the network, servers, and so on. Make sure to grant these permissions in such a way that they can be removed when the audit is over.
Step 4: Perform the actual assessment
This, of course, is the meat of the process, where auditors document information such as:
- How many nodes do you have?
- What is the networking situation?
- What about antivirus protection? How is it kept up-to-date?
- Do you have an incident response plan? Is it up-to-date?
- Do you store event logs? Do you go through those stored logs?
- Can you prove it?
Step 5: Develop the gap analysis between what should be and what actually is
The whole point of doing a compliance audit is to identify the places where you’re falling short and document them so you can correct the problems. At the end of this process, you should have a full gap analysis report, as well as one other crucial piece of information: the remediation plan. A gap analysis that tells you that you have problems but doesn’t provide the means for correcting them is only half the story.
What about hiring a compliance auditor?
While you certainly could perform your own compliance audit, it’s usually not in your best interests to do so, for several reasons:
- Most companies don’t have compliance experts on staff.
- Staff members who take on this burden are operating from an “insider” perspective and are likely to assume things are being done properly without digging deeper.
- The compliance auditor is always the most hated person in the room.
- While you don’t need to have a third party perform an audit, if you want the audit to be taken seriously — for example, if you’re trying to prove to your board that you need money for remediation — it’s better to have a third party audit.