It has become commonplace for cyber criminals to target the data supply chain (third-party suppliers, vendors, contractors, and others) as a back door into an organization's valuable data assets. With fewer IT and security resources than the large companies they do business with, midsize businesses in particular are a favorite stepping stone for attackers seeking access to their corporate clients' protected systems or networks. As a result, large companies and regulators are now recommending or requiring that major corporations perform full security audits of their third-party vendors.
Midsize companies that do business with larger corporations should anticipate being asked by clients to demonstrate that the security measures they have in place actually work. Here are five of the most common questions encountered in a security audit, based on our experience with a wide range of customers that have been required to meet stringent client data protection requirements and have been audited on their ability to do so. Use these questions as a starting point to prepare for your next security audit.
1. Where is sensitive client data located?
Clients will want to be certain that you understand where their data will reside within your organization, and what controls you have in place to track its movement.
Data is not static; it may be stored on local servers, moved to individual desktops, and combined with other data. Expect clients to ask whether you have controls in place to prevent sensitive information from leaving through any egress channel, including email, cloud services, and removable drives.
2. Who in your organization will access or use client data?
Clients will want to know how widely their sensitive data is distributed, and what controls are in place to limit access to it.
Questions about data distribution can cover how data is accessed, transmitted, and shared, the screening processes used in hiring, and whether any contractors or other non-employees will require access. This extends beyond people to the systems that use the data.
3. What do your users do with that data?
The core question in many audits is: "How will my data be handled?" Access controls may limit who can retrieve information, but users with legitimate access can still copy data, incorporate it into other files, and move it to storage devices.
Audit questions will focus on your ability to track data continuously, in any format, including cases where files are compressed or sensitive data is embedded in other documents as spreadsheet tables or images.
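The "any format" point above is where simple pattern-matching controls tend to fail: a scanner that only looks at raw bytes never sees data sitting inside a zip archive (or inside an .xlsx or .docx, which are themselves zip containers of XML parts). The following is an added example, not code from the original article or from any product, showing the difference. It uses a Luhn-validated card-number pattern as a stand-in for "sensitive client data", recurses into archives with a depth and size cap, and is run against a constructed sample archive built in memory. The pattern, the file names, and the sample contents are all assumptions for illustration; images would additionally need OCR, which is out of scope here.

```python
import io
import re
import zipfile

# Assumed detection pattern for the example: a run of 13-19 digits with optional
# single spaces or dashes between them, not adjacent to other digits.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to reject digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the digit strings in `text` that match CARD_RE and pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def naive_scan(name: str, data: bytes) -> list:
    """What a scanner that never opens containers sees: the raw bytes as text."""
    text = data.decode("utf-8", errors="ignore")
    return [(name, mask(n)) for n in find_card_numbers(text)]


def scan_bytes(name: str, data: bytes, depth: int = 0, max_depth: int = 5) -> list:
    """Return (path, masked_number) findings, recursing into zip containers.

    Nested members are named `outer!member` so a finding can be traced back to the
    file it came from. Depth and per-member size are capped so a hostile archive
    (deeply nested or a zip bomb) cannot exhaust the scanner.
    """
    findings = []
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= max_depth:
            return [(name, "<max archive depth reached; not inspected>")]
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member = f"{name}!{info.filename}"
                if info.file_size > 50 * 1024 * 1024:  # assumed 50 MiB cap
                    findings.append((member, "<member too large; not inspected>"))
                    continue
                findings.extend(scan_bytes(member, zf.read(info), depth + 1, max_depth))
        return findings
    # Not an archive: treat the content as text. Binary formats such as images
    # would need format-specific extraction (e.g. OCR) and are not handled here.
    text = data.decode("utf-8", errors="ignore")
    return [(name, mask(n)) for n in find_card_numbers(text)]


def build_sample_archive() -> bytes:
    """Constructed test input: a compressed zip holding a CSV with a valid test card
    number and a Luhn-invalid decoy, plus a nested zip with another test number."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "Customer paid with 5500 0000 0000 0004 last quarter.\n")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.csv", "id,card\n1,4111-1111-1111-1111\n2,4111 1111 1111 1112\n")
        zf.writestr("archive.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    sample = build_sample_archive()
    print("naive:    ", naive_scan("sample.zip", sample))
    print("recursive:", scan_bytes("sample.zip", sample))
```

Run as a script, the naive scan reports nothing for the archive while the recursive scan reports one finding in `report.csv` and one in the nested `archive.zip!notes.txt`; the decoy row with an invalid checksum is correctly ignored. The same recursion is what lets a control inspect spreadsheet tables pasted into a .docx, since those are zip members too.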
4. Which applications will access or use that data?
Once a client's information is within your systems, you need to demonstrate how you protect that data while it is in use, including its interaction with other applications that consume it to deliver information or products. For example, a design document may be loaded into an inventory control system to ensure the necessary parts are available.
Questions about application control may require you to block unauthorized applications and processes from accessing, manipulating, and using data. This includes unknown applications that may be malicious, and legitimate applications that may put data at risk (e.g., peer-to-peer networking or file-sharing tools).
5. When is client data at risk in your environment?
While data at rest can be encrypted, clients recognize that their sensitive information must also be used to deliver goods and services back to them. Data is typically at highest risk when it is used on endpoints. There, users may open decrypted copies, copy data, send documents to others, or move sensitive data to additional drives.
Clients will ask how you protect your endpoints against external threats, such as malicious software and advanced threats, as well as internal threats, whether deliberate or inadvertent.
Being able to answer these questions puts you on the right track to pass your next security audit, but there is more you can do to make sure you are ready. Download our security audit checklist for more questions to help you prepare.