A compliance audit consists of an independent evaluation to ensure a company follows external laws, rules, and regulations or internal guidelines, such as corporate bylaws, controls, and policies and procedures. To prepare for these audits, clients need robust compliance programs to mitigate the risk of noncompliance. I have provided a few points to consider when evaluating the strength of your client’s cybersecurity compliance program.
Documented Process
Does your client have a documented process that allows them to comply with cybersecurity standard(s) or regulation(s)? Documented processes (also process documentation) provide a detailed description of how to execute processes to achieve a business objective or compliance. These documents reduce confusion as personnel have guidance on roles, responsibilities, and how to perform particular tasks. As personnel perform the various tasks, documented processes serve as a baseline for process improvement. The organization can review the processes and its production output to determine how to improve operations. This review permits the company to adapt its processes to new technologies, business solutions, laws, regulations, etc.
Risk Management
Does your client have a robust IT risk management program? Risk management remains a foundational component of any compliance program. Risk management consists of a formal process to quantify, qualify, and mitigate specific risks as defined by an organization. Risk is the potential for loss, damage or destruction of assets or data caused by a threat. Risk comes in numerous forms such as an insider threat or a cyberattack. Failing to manage risk may result in financial and monetary loss, reputation, legal or compliance issues, or potential loss of life.
A robust risk management program regardless of the framework should include the following.
- Identify the risk(s).
- Analyze the likelihood and impact of each risk.
- Prioritize risk based on enterprise objectives.
- Treat or respond to the risk conditions.
- Monitor results and adjust as necessary.
Your client can use numerous risk management frameworks to serve as a guide to developing or improving their risk posture including NIST’s Risk Management Framework.
Internal Controls
Does your client implement internal controls to reduce the risk of noncompliance? Internal controls consist of a series of policies, procedures, and/or technical protections that protect assets, promote operational effectiveness and efficiency, and minimize the risk of noncompliance.
Internal controls can be classified as preventative, detective, or corrective. Preventative controls avert negative events from occurring. Detective controls detect and report a negative event, and corrective controls minimize the impact of or correct a negative event.
Evidence Retention
What kind(s) of evidence must your client retain to demonstrate compliance to auditors? How long must your client retain that evidence? Your client should have a documented process to address this topic. Failing to gather, collect, store, and preserve evidence appropriately will lead to a finding of noncompliance. Your client should have a process to retain electronic and physical evidence.
On a final note, this list does not address many components of a compliance program such as access management, network security, physical security, configuration and change management, backup policies, data life cycle, etc. Remember, compliance programs must be customized to the needs of your client.