
Whenever we hear the word ‘audit,’ most of us cringe at the thought of having to deal with inquiries, endless questions and the stress they create. In today’s world of regulatory compliance mandates, no one is exempt from frequent internal and external audits. Most IT professionals have been placed in the same category as the business units that have been dealing with audits for years. In fact, leading IT managers now see audits as a critical business component in the enterprise, one that can help focus budget priorities on needed IT security investments.
The new business model
Like it or not, audits are here to stay. Often new to this painful experience, many IT professionals now have to adjust, overcome this challenge and develop new ways of performing their daily functions. What were once considered ‘acceptable risks’ are now recognized as unacceptable practices that the world of IT must deal with. Every unit in the enterprise is responsible for maintaining compliance and adhering to mandates. The IT department is in fact sometimes the most critical focus area for compliance.
When in Rome, do as the Romans
When you are going to have an IT audit, think and act as an auditor would. The best way to prepare for an IT audit is to use your experience to find the holes in your own security practices. Think and explore as an experienced third party would, looking for improvements and unacceptable risks.
The best way to start is to establish best practices and enforce policies. Work with your line management to develop plans, train users and keep upper management aware of any concerns you have. Educating everyone from the CEO to management to the user base is the best way to build awareness and implement a good IT security training program. Seminars, Webinars, internal communications and other means of getting the word out will be beneficial and will reinforce the need for everyone to be aware of policies and procedures.
Everyone is responsible
Compliance systems require solid IT systems and people for success. IT is not only responsible for good systems, but also dependent on the practices of IT users. Most data breaches occur from within the enterprise, and usually from units outside the IT department. Set up pre-audit teams and perform walk-throughs to find practices inconsistent with security policies and misuse of IT security systems. Make sure workstations are logged off and secured and that passwords are not exposed. Look for unauthorized wireless networks and storage devices and any other inconsistencies.
Good housekeeping
Ensuring that your security software is up to date and correctly installed is a major audit criterion that should be a top priority for the IT staff. Anti-virus, encryption and malware detection software should be updated and activated. Keeping security software activated, in use and up to date can prevent malicious threats from taking hold, or at least contain them.
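The pre-audit walk-through described under "Everyone is responsible" and the housekeeping checks above can be turned into a repeatable readiness check rather than a one-off inspection. The script below is an added example, not part of the original column or of any SSH Inc. product: it evaluates a constructed host inventory (in practice exported from an endpoint-management or anti-virus console) against a handful of assumed policy thresholds (signature age, screen-lock timeout, approved wireless networks) and reports, per host, the findings an auditor would write up. The field names, thresholds and sample hosts are all assumptions for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy thresholds (illustrative, not from the article).
APPROVED_SSIDS = {"corp-wifi", "corp-guest"}   # wireless networks IT has sanctioned
MAX_SIGNATURE_AGE = timedelta(days=7)          # anti-virus signatures older than this fail
MAX_SCREEN_LOCK_MINUTES = 15                   # unattended workstation must lock by then


@dataclass
class Host:
    """One endpoint as reported by an (assumed) management console export."""
    name: str
    av_enabled: bool
    signatures_updated: date
    disk_encrypted: bool
    screen_lock_minutes: Optional[int]          # None means no automatic lock configured
    wireless_ssids: List[str] = field(default_factory=list)
    removable_media: List[str] = field(default_factory=list)


def audit_host(host: Host, today: date) -> List[str]:
    """Return the list of policy findings for a single host (empty if compliant)."""
    findings = []

    # Housekeeping: protective software must be both active and current.
    if not host.av_enabled:
        findings.append("anti-virus disabled")
    else:
        age = today - host.signatures_updated
        if age > MAX_SIGNATURE_AGE:
            findings.append(f"anti-virus signatures {age.days} days old")
    if not host.disk_encrypted:
        findings.append("disk encryption not enabled")

    # Walk-through items: unattended sessions, rogue wireless, unmanaged storage.
    if host.screen_lock_minutes is None or host.screen_lock_minutes > MAX_SCREEN_LOCK_MINUTES:
        findings.append("screen lock missing or exceeds policy timeout")
    for ssid in host.wireless_ssids:
        if ssid not in APPROVED_SSIDS:
            findings.append(f"unauthorized wireless network: {ssid}")
    for device in host.removable_media:
        findings.append(f"removable storage attached: {device}")

    return findings


def audit_fleet(hosts: List[Host], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant host name to its findings; compliant hosts are omitted."""
    report = {}
    for host in hosts:
        findings = audit_host(host, today)
        if findings:
            report[host.name] = findings
    return report


# Constructed sample inventory (not real hosts) and a fixed audit date so results are stable.
TODAY = date(2024, 1, 15)
SAMPLE_HOSTS = [
    Host("ws-01", True, date(2024, 1, 14), True, 10, ["corp-wifi"]),
    Host("ws-02", True, date(2024, 1, 5), True, 10, ["corp-wifi", "MyHotspot"]),
    Host("srv-03", False, date(2024, 1, 14), False, None, [], ["USB mass storage"]),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_HOSTS, TODAY).items():
        print(name)
        for finding in findings:
            print(f"  - {finding}")
```

Running it lists ws-02 (stale signatures and a rogue hotspot) and srv-03 (four findings) while the compliant ws-01 is silent, which is the shape of output a pre-audit team can hand to line management before the real auditor arrives.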
In the future
We will see more legislation, more mandates and, thankfully, more awareness about IT security, especially data security. Internal breaches will continue to be an issue, but diligence must also be maintained against outside threats, which will not go away and will only become more complex. IT security teams will have to keep up with these sophisticated internal and external threats by seeking innovative solutions and thinking ahead of those who carry out malicious attacks. Embrace internal and external audits as vehicles that help keep organizations constantly prepared for these growing threats. The role of the IT professional will keep evolving to fit into the overall business structure as we see further integration of IT technologies into business-critical back-room as well as customer-facing systems. Sharpen your pencil, put on your glasses and start thinking like an auditor; be a shining star in your company.
About George Adams, CEO, SSH Inc.
Adams is responsible for developing and executing strategies to build the company's market position and financial results. He is based in Boston, MA, USA. Prior to joining SSH in 1999, Adams was with Phoenix Technologies Ltd., a leading supplier of software for enabling standards and enhancing PCs, servers, and information appliances. He earned an MBA from Boston University and a BSEE from the University of Miami. He is a member of IEEE and ISSA.