Cheat sheet: 10 ways to prep for auditors

By Charlie Russo, News Writer
30 Jun 2005 | SearchCIO.com


If you're like plenty of CIOs, compliance requirements have impacted your entire organization -- and your auditors have made surprising requests that cost you more than you anticipated.

With one year of Sarbanes-Oxley experience under their belts, IT executives have learned valuable lessons in preparing for audits, such as establishing comparative metrics before the auditors arrive.

One tip sheet for "increasing your audibility" is available in The Visible Ops Handbook, distributed by the Information Technology Process Institute.

To date, 17,000 copies of the $19.95 handbook have been sold, according to Kevin Behr, president and founder of the Information Technology Process Institute, a not-for-profit group focused on researching, benchmarking and developing best practices for IT executives. Here is a portion of one of its popular cheat sheets, excerpted from the handbook.

  1. Ask the auditors what they are looking for before an audit. Ask them for their audit objectives and for any pre-audit checklists they use.
  2. Make sure to list your perceived risks. Sort them in descending order with the highest risks at the top, along with the controls you created to mitigate them.
  3. Document your preventative controls, and have detective controls in place to show they work. Document the change management process. For each authorized change, document the configuration changes from the detective controls to show that the changes made were within the scope of the work order. File the data collected about change requests and make it readily accessible. In some organizations, all of the above information lives in a physical three-ring binder.
  4. Use Change Advisory Board meeting minutes to show that meetings are being attended and used to manage change.
  5. Keep a current and accurate asset inventory of hardware and software.
  6. Document all internal audit procedures. For example, if your policies state that firewall logs are monitored by a system with exceptions reviewed, then you must have proof of following that policy through logs of one form or another.
  7. Document all outages and unscheduled downtime in the systems along with corrective actions taken.
  8. Keep current documentation of all exceptions to policies.
  9. List any security incidents along with corrective actions taken.
  10. Be able to produce previous audit findings, analysis of the findings and progress made against findings that warranted corrective action.
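Items 3 and 6 above describe a detective control: compare what actually changed on a system against the change requests that authorized it, and keep the result as evidence that the change-management policy was followed. The script below is an added illustration of that reconciliation, not code from the article or from The Visible Ops Handbook. The hostname, configuration snapshots, ticket number and maintenance window are all constructed sample data; a real deployment would pull the snapshots from a configuration-capture tool and the change requests from the ticketing system.

```python
"""Detective control for change management (added example, not from the article).

Reconcile observed configuration changes on a host against authorized change
requests (work orders), and emit a JSON evidence record for the audit file.
Every change is either matched to a ticket whose scope and window cover it,
or flagged as unauthorized.  All data below is constructed sample data.
"""
import json
from dataclasses import dataclass, asdict
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ChangeRequest:
    """An approved work order: host, configuration keys in scope, maintenance window."""
    ticket: str
    host: str
    keys: Set[str]
    window_start: datetime
    window_end: datetime

    def covers(self, host: str, key: str, observed_at: datetime) -> bool:
        # A change is authorized only if host, key and time all fall within the order.
        return (self.host == host and key in self.keys
                and self.window_start <= observed_at <= self.window_end)


@dataclass
class Finding:
    host: str
    key: str
    old: Optional[str]        # None when the key was newly added
    new: Optional[str]        # None when the key was removed
    observed_at: datetime
    ticket: Optional[str]     # None means no work order covers this change


def diff_config(before: Dict[str, str], after: Dict[str, str]
                ) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {key: (old, new)} for every key added, removed or modified."""
    changed = {}
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key), after.get(key)
        if old != new:
            changed[key] = (old, new)
    return changed


def reconcile(host: str, before: Dict[str, str], after: Dict[str, str],
              observed_at: datetime, change_requests: List[ChangeRequest]
              ) -> Tuple[List[Finding], List[Finding]]:
    """Split detected changes into (authorized, unauthorized) findings."""
    authorized: List[Finding] = []
    unauthorized: List[Finding] = []
    for key, (old, new) in diff_config(before, after).items():
        ticket = next((cr.ticket for cr in change_requests
                       if cr.covers(host, key, observed_at)), None)
        finding = Finding(host, key, old, new, observed_at, ticket)
        (authorized if ticket else unauthorized).append(finding)
    return authorized, unauthorized


def evidence_record(authorized: List[Finding], unauthorized: List[Finding]) -> str:
    """Serialize the reconciliation result as a JSON record for the audit binder."""
    def row(f: Finding) -> dict:
        d = asdict(f)
        d["observed_at"] = f.observed_at.isoformat()
        return d
    return json.dumps({"authorized": [row(f) for f in authorized],
                       "unauthorized": [row(f) for f in unauthorized]}, indent=2)


# --- Constructed sample data (hypothetical host, ticket and values) -----------
SNAPSHOT_BEFORE = {
    "ntp.server": "10.0.0.5",
    "rule.10": "permit tcp any host 10.0.1.20 eq 443",
    "rule.20": "deny ip any any",
    "syslog.host": "10.0.0.9",
}
SNAPSHOT_AFTER = {
    "ntp.server": "10.0.0.6",                 # covered by CHG-1042
    "rule.10": "permit tcp any host 10.0.1.20 eq 443",
    "rule.15": "permit tcp any any eq 23",    # not in any work order
    "rule.20": "deny ip any any",
    "syslog.host": "10.0.0.9",
}
CHANGE_REQUESTS = [
    ChangeRequest("CHG-1042", "fw-edge-01", {"ntp.server"},
                  datetime(2005, 6, 14, 22, 0), datetime(2005, 6, 15, 2, 0)),
]
OBSERVED_AT = datetime(2005, 6, 14, 23, 15)


def run_sample() -> Tuple[List[Finding], List[Finding]]:
    return reconcile("fw-edge-01", SNAPSHOT_BEFORE, SNAPSHOT_AFTER,
                     OBSERVED_AT, CHANGE_REQUESTS)


if __name__ == "__main__":
    auth, unauth = run_sample()
    print(evidence_record(auth, unauth))
```

Run as-is, the sample matches the NTP change to CHG-1042 and flags the new telnet rule as unauthorized. The same change observed outside the ticket's window is also flagged, which is the point of item 3: the evidence shows not just that a change happened, but that it was within the scope and time of the work order.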

"More control doesn't equal more bureaucracy equals more work," Behr said. "It turns out, those with control can do more with less and do it more quickly and with better quality."

This article originally appeared on SearchCIO.com.

Tags: IT Security Audits, Gramm-Leach-Bliley Act (GLBA), Sarbanes-Oxley Act, HIPAA, Working with auditors

All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy