5 Questions to Prepare for Your Next Security Audit

Use these five questions to gauge your audit readiness and prepare to demonstrate your security posture to corporate clients.

It's become commonplace for cyber criminals to set their sights on the data supply chain - third party suppliers, vendors, contractors, and more - as a back door to target organizations' valuable data assets. With less IT and security resources than the large companies that they do businesses with, midsize businesses in particular are a favorite stepping stone for attackers seeking to gain access to their corporate clients' protected systems or networks. As a result, large companies and regulators are now recommending or requiring that major corporations do complete security audits of their third party vendors.

Midsize companies that do business with larger corporations should anticipate being asked by clients to demonstrate the efficacy of the security measures they have in place. Here are five of the most common questions encountered in a security audit, based on our experience with a wide range of customers that have been required to meet stringent client data protection requirements and audited on their ability to do so. Use these questions as a starting point to prepare for your next security audit.

1. Where is sensitive client data located?

Clients will want to be certain that you understand where their data will reside within your organization, and what controls you have in place to track its movement.

Data is not static; it may be stored on local servers, moved to individual desktops, and integrated with other data types. Expect clients to ask whether you have controls in place to prevent sensitive information from all possible egress channels, including email, cloud services, and removable drives.

2. Who in your organization will access or use client data?

Clients will want to know how widely their sensitive data is distributed, and what controls are in place to limit access to it.

Questions about data distribution can include how data is accessed, transmitted, and shared, the screening processes used in hiring, and if any contractors or other non-employees will require access. This can extend to not only people, but also systems that use the data.

3. What do your users do with that data?

The core question in many audits is; “How will my data be handled?” While access control measures may limit information availability, users with legitimate access can copy data, incorporate it in other files, and move it to storage devices.

Audit questions will focus on your ability to track data continuously, in any format, including use cases where files are compressed or sensitive data is embedded into other documents as spreadsheet tables or images.

4. Which applications will access or use that data?

Once a client’s information is within your systems, you need to demonstrate how you protect that data while in use, including its interaction with other applications that use the data to deliver information or products. For example, a design document may be entered into an inventory control system to ensure the necessary parts are available.

Questions about application control many require you to block unauthorized applications and processes from accessing, manipulating, and using data. This can include unknown applications which may be malicious, and legitimate applications which may put data at risk (e.g., peer to peer networking, file sharing).

5. When is client data at risk in your environment?

While static data can be encrypted, clients recognize that their sensitive information must also be used to deliver goods and services back to the client. Data is typically at highest risk when it is used on endpoints. Here, users may take actions such as opening decrypted copies, copying data, sending documents to others, or moving sensitive data to additional drives.

Clients will ask for information about how you control your endpoints from external threats, such as malicious software and advanced threats, as well as internal threats, whether deliberate or inadvertent.

Learn More

Being able to answer these questions will ensure that you're on the right track to pass your next security audit, but there's still more you can do to make sure you're ready. Download our security audit checklist for more questions to help you prepare.

Brian Mullins

Data Protection Security Audit Checklist

Are you ready for your next security audit? Our checklist has 12 questions to help you prepare.

Download Now

Related Articles
Jabil Circuit Wins ISE Southeast Project of the Year Award

Global manufacturer Jabil Circuit recognized for their security-as-a-service initiative in the ISE Southeast Executive Forum and Awards 2015.

Missing in Michaels Data Breach: Harm To Consumers

A federal judge throws out a lawsuit against the craft store Michaels after plaintiffs fail to prove that any damages occurred as a result of the leak.

Friday Five: 11/30 Edition

How do you balance knowing your customer and GDPR? Are IT departments underestimating the value of their business data? This week's Friday Five answers those questions and more.

Brian Mullins

Brian Mullins is vice president of product marketing at Digital Guardian. His team is responsible for strategic marketing at the product line level. Brian has over seven years of security executive experience in both data protection and identity and access management. He is a patent holder and winner of a Business Week International Design Excellence Award.

Please post your comments here