IT audit procedures run the gamut from internal to market-specific. Whether it's healthcare's HIPAA or the credit-card industry's PCI, you have to know the compliance audit's goals. Those goals rarely include a fully functional missile defense system to protect against hackers, but knowing them still leads into the first of 15 recommendations for successful audit compliance.
In most cases, audits take place to verify information and network security as well as the robustness of your hardware and software. The standard involved (if it's an official third-party audit) will dictate the detail or diligence needed to obtain compliance.
This will again depend on the IT audit type, but most IT audits include security elements and process analysis. Even though the use of lethal booby traps to deter on-premise breaches may very well be effective, they're generally frowned upon and should not be documented. Industry-standard methods are your best bet.
Standards similar to those for servers apply to individual desktops and other connected devices. Does your receptionist really need a CAD program or SAP? Why are there multiple versions of office suites on the same machine? Suggest hiring an external specialist in string theory to iron out any confusion in software licensing agreements.
Where most companies store their data is also a viable hacking target. Make sure all your servers are consistent with the corresponding audit checklist. Depending on the standard, this could include proof of naming conventions for workstations, use of static IPs, patching frequency, backups, agents installed and more.
Evolving policy documents are common these days as many SMBs rightfully subscribe to some form of continuous improvement quality structure. Ensure all your policy documents are current.
In some situations, auditors will ask staff questions to demonstrate their awareness of the process, or to confirm they are aware of security best practices. Your best move is to either train Mongo or make sure he's not present during the audit. Ideally Mongo doesn't work for your company at all, but if he does, auditors may ask why.
Evaluate any prior IT audit and verify past problems have been fixed. Any ongoing areas of risk? Gather estimates to audit readiness from each affected department. With this information, you can assign resources and, if you really want to, schedule hours upon hours of pointless meetings.
This should involve a manager and a key staff member from each department. The manager will have the "big picture," but department employees will know each process inside out and be able to recommend effective changes.
This info may be useful, especially if your third-party auditor was difficult in the past or, well, possesses the communication skills of a Commodore 64. Be safe and (casually) request the academic qualifications and experience of the auditor in advance, and do the same for any changes to the audit team.
All routers, switches, firewalls and hubs must have static IP addresses and be part of regular vulnerability scans. A hardware inventory list is also essential.
Please, please make sure backups restore correctly. Your company should also have a process in place to destroy obsolete data, the presence of which reflects poorly on support's organization and agility.
The eternal question. BYOD is here to stay, so companies must ensure all Wi-Fi is encrypted — with a guest network for, you guessed it, guests.
Are you capable of producing an event log of attempted hacks for the last six months? If successfully hacked, how was it fixed and what did you learn when updating the policy document?
Shouting at subordinates often helps in a company setting.
Audit day is not the day to kick it MythBusters-style and experiment with flammable liquids in the server room. Hide Mongo.
Finally, enjoy the appraisal and quietly ponder if the benefits are outweighed by the inconvenience of IT audits. "Happy" compliance!
An Irishman based in Hong Kong, Michael O'Dwyer is a business & technology journalist, independent consultant and writer who specializes in writing for enterprise, small business and IT audiences. With 20+ years of experience in everything from IT and electronic component-level failure analysis to process improvement and supply chains (and an in-depth knowledge of Klingon), Michael is a sought-after writer whose quality sources, deep research and quirky sense of humor ensure he's welcome in high-profile publications such as The Street and Fortune 100 IT portals.