Many organisations are failing to provide answers to fairly simple questions asked by external IT auditors, according to new research from Netwrix.
The firm’s CEO and co-founder, Michael Fimin, believes that companies are focusing their efforts more on creating the illusion of compliance rather than actually fulfilling the requirements.
“Such an approach does more harm than good, as it provides organisations with a false sense of security and leaves them extremely vulnerable to data breaches,” said Fimin.
Netwrix surveyed its customers’ audit experiences and has compiled the top five questions asked by auditors to determine whether a company is able to safeguard its most valuable assets:
1. Do you have a documented security policy?
Auditors need to make sure that rules and regulations are in place to maintain IT infrastructure security and proactively address security incidents. When evaluating the adequacy and reliability of a security policy, auditors will compare measures outlined in the policy with a company’s internal processes to make sure they match.
2. Are access privileges in your organisation granted adequately?
Since a lack of control over privileged accounts continues to be a main security risk, a company needs to prove that all its permissions are granted in accordance with the existing security policy and employees’ business needs. IT auditors will not only verify who has access to what (and why); they will also check a company’s ability to detect insider misuse or abuse of privileges.
3. What methods do you use to protect your data?
Most existing compliance standards focus on protecting sensitive data, such as confidential customer records. A company should be ready to present reports about its methods of data classification and segregation such as placing data into a 24/7 protected network and prove that its most valuable assets will not be compromised easily.
4. Do you have a disaster recovery plan?
A well-structured, clear and viable emergency plan that describes what actions to take in case of a security violation significantly increases a company’s chances of passing an external audit. A good disaster recovery plan includes information about employees’ roles and responsibilities, how they should react if a security breach occurs and what they should do to stop data leaks and minimise their negative consequences.
5. Are your employees familiar with existing security procedures and policies?
Practice shows that auditors are particularly interested in the methods a company uses to encourage its employees to follow internal security policies. A company might need to prove that it regularly trains employees and informs them about existing security procedures.
Image source: Shutterstock