By Clinton Henry, CISM, CISSP, Senior Director, Datacenter Infrastructure & Security for Worldnow
From time to time, it’s common to undergo an IT security audit. Having participated in more than 30 audits across multiple standards (SAS 70, SSAE 16, HIPAA, PCI, SOC 1 and SOC 2), I’ve gained some insights that may assist others embarking on the experience for the first time. Below are four rules to help you get through an audit quickly and efficiently – especially when the auditor is on site.
1. Ducks in a Row
Mike Tyson, the infamous boxer, was once asked how he handles boxing unknown opponents who’ve spent months studying everything about him and have developed elaborate strategies to defeat him. His response: “Everyone has a plan until they get punched in the face.”
Amusing quotes aside, planning ahead is essential for a successful audit. If you have a well-run team with clear policies, controls and enforcement, then you’re halfway there. Audits are about controls – you need to demonstrate that those controls are in place, documented, enforced, reevaluated and tested against regularly. Preparing and organizing documentation for an auditor prior to the audit is a key process, and allows you to respond to their requests quickly when they arise. It also forces you to re-evaluate policies that you may not have looked at in a while, and gives you a chance to document policies that may already be in place, but haven’t been officially documented or disseminated yet.
If your organization deals with third-party providers, it’s important to show an auditor that these vendors have been thoroughly vetted and held to stringent controls. At Worldnow, we leverage several vendors, including Internap and Salesforce. Internap provides colocation services and managed hosting for some of our critical equipment. Having their SOC 2 reports on hand is incredibly helpful to us and our auditor. Never leverage a provider who is not subject to standard industry controls such as SOC, HIPAA, or ISO 27002/17799 – you’re only asking for a headache when undergoing an audit.
2. Chinese Wall
In large firms when a single organization is representing interests of opposing parties, a “Chinese Wall” must be established to avoid conflicts. In financial firms, the trading desks are not allowed to know what analysts at the firm are going to say about a stock or company prior to it being released to the general public. During the security audit, a different kind of Chinese Wall should be established between the auditor and the company it audits. When the auditor is on site, be extremely mindful of “hallway meetings” because an overheard or misunderstood statement can lead to additional questions, which can bog down an audit for weeks or months. This is an adversarial relationship – it’s cordial, but please remember not to “speak out of school.”
It’s usually best to have a single point of contact with the auditor. This person interfaces with the auditor, collects and provides all documentation and is effectively a gatekeeper. This creates a streamlined process, prevents confusing email chains and will be appreciated by the auditor as it’s much easier to go through a single person for all information than coordinate with multiple people.
3. Don’t volunteer, elaborate, distort (lie) or speculate.
If you do interact directly with the auditor, and they ask you a “yes” or “no” question and you know the answer, say “yes” or “no”. If you elaborate, it could lead to multiple follow ups that wouldn’t have been asked otherwise – this should be avoided. Remember; don’t answer a question that isn’t asked. If you’ve ever been deposed, it’s the exact same process. Providing a history of the company, your architecture or anything else can only hurt you – this is a “point in time” audit, and discussing what was or what will be is counterproductive (tweet this).
What happens when you are asked a question that you don’t understand, don’t know the answer to, or know the answer but don’t think the auditor will like it? Don’t feel pressure to respond right away. The correct answer is, “I need to confirm that” or “I’m not sure” and offer to provide the information as soon as you can. This will prevent a lot of headaches — please trust me on this.
The auditor usually has an assistant who takes detailed notes of all your responses; these will be reviewed off site and will generate more follow-ups. This is where most people get burned – follow these steps to minimize the number of follow ups.
4. Keep your team in the loop
As with anything else, communication is key. Before, during, and after an audit, keep your team apprised of the situation. They should be just as prepared as you for the audit and kept updated with any significant developments. Keep your third-party partners in the loop as well. They are there to help you succeed and will usually provide a resource if questions arise from the auditor that pertain directly to them. Internap gave my auditor a guided tour of one of their data center facilities. This sort of service from your partners goes a long way with the auditor – it makes their job easier, which only helps you.
Audits can be a stressful thing, with a lot riding on successful completion. Each audit presents its own puzzles and challenges, but they do get easier over time. Those who surround themselves with smart people, communicate effectively, and prepare accordingly are usually rewarded with a passing grade. At least that’s the plan – just ask Mike Tyson.
