There is ever-increasing scrutiny on data privacy and safety. In many cases, your customer data is your most valuable asset. You may have gone through the necessary steps to keep it away from inquiring minds, but is it really as safe as you think?
By going through a thorough security audit, you can rest assured knowing that your data is safe. Since 2006, we have been audited annually by a third-party IT and compliance firm hired by one of our customers, a major nationwide bank. What follows is what you might expect during a security audit.
The first phase of the project will involve reviewing and validating the current network environment, policies and procedures against predetermined criteria such as PCI, HIPAA or GLB. In our case, we were sent a pre-audit questionnaire of 143 questions. The questions covered areas such as:
- Review of current environment technology and security features;
- Mapping touch points to the corporate network;
- Examining access points and network components for security shortcomings;
- Verification that current documented controls meet the specific requirements;
- Scans and penetration tests to validate that the client has attained an appropriate level of security;
- Physical security.
The on-site audit consisted of what is called a “deep dive” into the following:
- Current network diagrams of the appropriate environments;
- Firewall/router configuration details;
- Data retention and disposal procedures;
- Policy and Procedures for physical security;
- Encryption Key Management Policy;
- Incident Response Policy;
- Password Policy;
- Change Control Policy;
- Build/Patch Policy;
- Internal Security Testing Procedures;
- Disaster Recovery & Business Continuity.
So, if you want to be absolutely sure that your data is safe, have your security policies and procedures audited. And, be sure that any third parties that you trust with your data have done likewise!
----------
Here are some headlines and related links to recent data nightmares:
If it can happen to computer systems maintained by the U.S. Department of Defense, it can happen to anyone’s computer system
http://www.heraldonline.com/2012/11/10/4403899/data-breach-shows-need-for-one.html#storylink=cpy
Organizations fail to realize the implications of a data breach
http://www.net-security.org/secworld.php?id=13938
The best breach disclosure events of 2012
http://www.fiercecio.com/story/best-breach-disclosure-events-2012/2012-11-11
How the SEC Almost Shut Down Wall Street
http://www.huffingtonpost.com/adam-levin/did-you-know-the-sec-almo_b_2133962.html
Attorneys Warn of Increased Risk of Big Data Breach Lawsuits
http://threatpost.com/en_us/blogs/attorneys-warn-increased-risk-big-data-breach-lawsuits-102512
One Comment
Excellent post! You’re right — protecting your data is more important than ever. Thank you for providing insight into how to engage a firm in a data audit, and those things that need to be considered. And you’re absolutely correct — making sure that those you share data with also are protected is so important!