It’s October and the leaves and the weather are turning a golden brown. We are beginning to embrace the first few weeks of Autumn and usually a noticeable change in weather. As with many industry insiders we are beginning to prepare for the end of the traditional fiscal year and some of the biggest shopping days just ahead of us in the hopes of a great holiday season. Now is the perfect opportunity to pause, reflect, and ensure your business is safe, secure and positioned for success in 2015.
Most credit unions, banks and other financial institutions are preparing for their year end projects and are locking their systems down for the holiday freeze so that their systems are able to handle the rigors of many high transaction days and heavy loads while defending against the vast threats the Internet can offer. It’s crunch time!
Security audits, penetration tests, vendor due diligence and other routine services exist to add credibility to the assertion that your organization and its security practices are current, safe against attack and will pass any pending audit (GLBA, FFIEC, PCI, HIPAA, ISO) with no significant findings. Technology changes frequently and vulnerabilities are found daily, so we need to establish yearly security audits by an objective third party to ensure that security guidelines and best practices are followed.
Are you ready for your year end? Let’s examine some best practices for the end of the year.
What can my business or institution expect when conducting a yearly security audit?
1. Document and/or prepare the following policies to ensure they are accurate and reflect the company’s positions on all intellectual property, the company’s physical equipment, how employees interact with each other, and other acceptable uses of technology. The auditors will use these to help assess your level of risk.
- Acceptable Use Policy
- Internet Access Policy
- Email and Communications Policy
- Network Security Policy
- Remote Access Policy
- Encryption Policy
2. Prepare a full asset listing including: servers, network devices, workstations, laptops, routers, networking equipment, printers, cameras, smart phones, VOIP phones, email, web servers, databases, and employee access cards. The auditor is going to want to see that you have adequate controls on each of your access points, so record the following for each asset:
- Equipment Name
- Naming convention
- Network Configuration
- Host intrusion prevention/firewall
- Remote access
- UPS and power saving
- Domain joined
- Administrator account renamed and password set
- SNMP configured
- Agents installed
- Penetration and vulnerability scans
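As an added example (not part of the original post), the following PowerShell script collects per-host evidence for several of the inventory fields above: equipment name, network configuration, host firewall state, remote access (RDP), domain membership, whether the built-in Administrator account has been renamed, and SNMP service state. The output column names and the CSV file path are assumptions; map them onto your own inventory template. Run it elevated on each Windows host, or push it to a list of hosts with Invoke-Command.

```powershell
# Added example, not from the original post. Field names and output path are assumptions.
# Requires an elevated session on Windows 8 / Server 2012 or later (NetSecurity and NetTCPIP modules).

$cs = Get-CimInstance -ClassName Win32_ComputerSystem

# The built-in Administrator account is identified by its RID (-500), not its name,
# so this check still works after the account has been renamed.
$builtinAdmin = Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like '*-500' }

# SNMP: record whether the service is installed and whether it is running.
$snmp = Get-Service -Name SNMP -ErrorAction SilentlyContinue

# Remote access: RDP is disabled when fDenyTSConnections is 1.
$rdpKey = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -ErrorAction SilentlyContinue

# Non-loopback IPv4 addresses (loopback has PrefixOrigin 'WellKnown').
$ipv4 = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
    ForEach-Object { $_.IPAddress }

# Host firewall state for every profile (Domain, Private, Public).
$firewall = Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }

$record = [PSCustomObject]@{
    EquipmentName         = $env:COMPUTERNAME
    DomainJoined          = $cs.PartOfDomain
    Domain                = $cs.Domain
    NetworkConfiguration  = ($ipv4 -join ';')
    HostFirewallProfiles  = ($firewall -join ';')
    AdministratorRenamed  = ($builtinAdmin.Name -ne 'Administrator')
    AdministratorDisabled = $builtinAdmin.Disabled
    SnmpServicePresent    = [bool]$snmp
    SnmpServiceStatus     = if ($snmp) { $snmp.Status.ToString() } else { 'not installed' }
    RdpEnabled            = if ($rdpKey) { $rdpKey.fDenyTSConnections -eq 0 } else { 'unknown' }
    CollectedAt           = (Get-Date).ToString('s')
}

# One CSV per host; concatenate them into the master asset listing for the auditor.
$record | Export-Csv -Path ".\asset-inventory-$env:COMPUTERNAME.csv" -NoTypeInformation
$record
```

The script deliberately records state rather than judging it: the CSV is evidence for the baseline described in item 4, and whether a given value is acceptable is for your policy and the auditor to decide. UPS settings, installed agents and scan results are not collected here because they come from other systems (the UPS management software, your endpoint console, the scanner), so add those columns from their own exports.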
3. Be direct with your auditor before you start to ensure you are getting the services and analysis you and your team need. If you need more than a risk assessment, such as a penetration test, be sure to include that in your statement of work.
4. Document existing controls and ensure they are implemented as documented. It’s important that you establish a security baseline for existing practices and be able to provide proper documented evidence for the auditor that you are in compliance.
5. Review prior year recommendations made by the auditor to ensure any significant weaknesses have been addressed.
6. Meet with your auditor prior to year end to discuss any significant issues or changes in management or in the company’s service compliance. Auditors’ schedules, much like accountants’, fill up quickly at the end of the year, so be sure to schedule the audit in advance and do not leave it to the last minute.
7. Make sure your management team is available and involved in the audit process. Make sure that you and the auditor hold an exit conference at the end of the assessment to confirm that you received the service you requested. This is a great time to review the process and give the auditor an opportunity to discuss any initial findings or issues that need resolving.
8. Review your site’s physical security and access to sensitive data. Inform the auditor of your systems, including alarms (fire, intrusion, tamper and motion), physical barriers, access points, access methods, guards, closed circuit television, as well as any communication policies planned out in the event of a breach. How are security personnel notified of breaches in security and unauthorized access?
9. Schedule next year’s audit in advance. Use your audits as safety checks to ensure your firm is protected against threats that are evolving each day. Find a partner that is willing to protect your assets and can be backed by the most rigorous of standards. With each audit, the institution will become increasingly less vulnerable.
If you have any other suggestions for our blog please do not hesitate to reply and let us know what content you find the most interesting.