Audits – Three Best Practices For Conducting Security Audits

If Verizon’s 2014 Data Breach Investigations Report is any indication of where our Information Systems (IS) are most vulnerable, the answer is virtually everywhere. Here’s a direct quote:

“We have more incidents, more sources, and more variation than ever before—and trying to approach tens of thousands of incidents using the same techniques simply won’t cut it.” 

The report concluded that 92% of all the confirmed data breaches in 2013 resulted from one of nine attack patterns. Some of the supporting stats as reported by InfoWorld are astounding:

  • Cyber criminals cruising for money make up 60% of hacker attacks
  • Online intellectual property hacks are up to 25%, a sharp increase over previous years
  • Internal threats are responsible for just 10% of cyber attacks, of those responsible, cashiers and end-users make up the bulk of abusers
  • Stolen credit cards lead the hackers list of easiest to attack

As a consumer, this information is frightening, but for a company whose responsibility it is to protect their customers’ identities and personal identifying information (PII) this information should be ringing all sorts of alarm bells.

If you haven’t already conducted a security audit this year, now is the time to do it. The clock is winding down on 2014 but hackers will certainly have more surprises in store for 2015. The best defense is a good offense, so here’s three tried and true tips for conducting a best-in-class security audit.

1.) Know how to manage a successful audit. Believe it or not, but your company’s first line of defense begins with whoever is in charge of reviewing, hiring and overseeing the security audit. It’s crucial that this person understands the auditing process and knows how to select the best auditing firm for your company’s needs. It almost goes without saying that not all auditing firms are created equal. TechTarget offers these suggestions for managing an audit:

  • Establish a security baseline through annual audits.
  • Spell out your objectives.
  • Choose auditors with “real” security experience.
  • Involve business unit managers early.
  • Make sure auditors rely on experience, not just checklists.
  • Insist that the auditor’s report reflects your organization’s risks.

2.) Choose the right auditor for your needs. You need to have a baseline understanding of what you’re goal or expectation is through running your security audit. Is it to discover gaps or inefficiencies? Is it to pinpoint some illegal activity? Is it to determine how much it will cost to make improvements? Whatever your endgame is, you need to find the right player.

Taking the first big brand name that pops up on your initial search, isn’t always the right answer. In the same fashion that you screen your job candidates, you need to screen your auditor. Ask to see their work. Do you understand their reports? Were they delivered in a timely fashion? Is confidential information included in the report (if so, take a pass!)? Take stock of their communication skills. You will be spending a lot of time together, and, therefore, develop a close relationship by default. Is this someone you feel comfortable sharing information with? Do they show discretion in handling sensitive information? Do they get back to you when they say they will? Audits take long enough, you don’t need your time wasted by an auditor with disregard for your deadlines. Experience and certifications can’t be stressed enough. An auditor’s technical resume should be lights out, but, of course, you’ll want to do your own investigation that everything on their resume checks out (we are a background screening agency, after all!).

3.) Give your auditor access. The biggest waste of time for Information Technology and/or IS professionals who just want to get on with their duties, is the back and forth with auditors. This endless time suck of trading data turns into an aggravation for both parties and reinforces the negative stereotypes often associated with audits. This paragraph from a real life IT professional explains why he finally gave his auditor an ALL ACCESS pass:

“Back in those days it was extremely difficult to perform such a feat (not that it is easy today, but it’s definitely easier). I did what I could with the technology that was available (SIEM, log repositories, etc.), and I filled in what was left. He loved the access, and I got to keep working while he dug through the data. And that is why I started testing the process of reporting and granting access to the reports in security tools before I purchased them. And I always requested sample reports from contractors before I bought their services so that I could see how organized they were. Both of these were (and still are) very important factors in giving the auditor wheat he needed so I could keep working.”

Audits are a necessary beast, but there is a way to make them more palatable for everyone involved (and keep you from becoming a statistic on the 2015 Verizon report). With that said, we’d love to hear from you! Are you an auditor who can share insights from your perspective? Or an IS guru who has a real world example of a successful auditing relationship? Or, do you work for a firm who has some IS concerns that you feel an audit could help you ameliorate? We’d love to be your sounding board and share your stories. Email us here!

This entry was posted in Applicant-Entry Solutions, Background Screening, General, Human Resources, Industry Solutions, News, References & Credentialing, Seasonal and tagged , , , , by Patricia Carlson. Bookmark the permalink.

Patricia Carlson is a content writer who specializes in B2C and B2B inbound marketing. She blogs regularly for clients about the background screening and finance industries, and generates newsletters, white papers and email campaigns for a variety of businesses. Patricia also produces a heavy rotation of editorial material for home design, law enforcement, and family magazines. She’s been writing professionally for more than a dozen years, and for Active Screening for more than two of those. Check out LinkedIn for a roster of Patricia’s clients and links to published works. When she’s not interviewing sources or researching trends, she’s living a fast-paced Florida life questioning the antics of her two young children, partner and mischievous cat. Patricia loves to talk tennis and TV on Twitter – give her a shout @pattycfreelance.

 
        
Active ScreeningBarbara S.
Healthcare Industry

"Here at Holland Hospital, we have been extremely pleased with Active Screening. The report results come back quickly, usually within 24 hours or less.  The staff at Active Screening is easy accessible, knowledgeable and responds to our questions promptly."

Active ScreeningLynn C. Staffing Industry

"Benton Mobley has been and remains my Main point of contact at Active Screening from the beginning; so aside from the comfort of dealing with the same person all these years, there is the most important fact of all;  customer satisfaction. Benton knows the business like the back of his hand; and that is what we need in our fast paced industry of staffing. He is the all-time BEST!  MY employer, Leslie, believes in the notion that great service deserves to be rewarded, so we are here for the duration.We get immediate and personalized attention for any and all concerns we need addressed, and in the staffing industry, this is vital."

Active ScreeningCayce R. Education Industry

"My experience working with Active Screening for our background check process has been very positive.  The reports are almost always completed in a very timely fashion. The information reported appears to be very thorough and accurate.  On the rare occasions that we have questions or problems, the customer service team is always very quick to respond and resolve the issue.  Overall, I am very pleased with the service I receive from Active Screening."

Active ScreeningCraig H. Staffing Industry

"Your customer service is excellent.  The turn around time on background checks is quite fast.  Excellent work.  I haven't had a single problem."

Active ScreeningJackie C. Education Industry

"I wanted to thank you and your staff for being so patient and working so diligently with the Human Resources staff during our recent endeavor to process all of our work study students through background screenings.  We have never had to process so many requests within such a short period of time before, but thanks to you and your staff we made it. Again thank you, we made a good choice in selecting Active Screening."

Active ScreeningLindsey W.  Financial Industry

"I wanted to share my appreciation for your wonderful service...switching background screening companies could have been a stressful task, but your company made the transition seamless. Your website was extremely easy to navigate and the turn around time has been great. I appreciate when information is missing or entered incorrectly during ordering, your company notifies me right away to ensure that my error does not hold the reports results, causing us a delay in hiring an individual...Active Screening has been great to us and I would definitely refer them to others."

Active ScreeningTerry S. Property Management

"Working with Active Screening over the last year and half has been a wonderful experience. They deliver fast and informative results at the best price. Their level of professionalism and the speed they respond to our issues is a benefit that any company can value from. I would highly recommend using Active Screening and their amazing team."

Active ScreeningYulesis D.  Staffing Industry

“Interactive Response Technologies (IRT) has more than 2,000 employees at multiple locations across the United States. IRT has been using Active Screening to conduct criminal background checks since 2006. During this time, Active Screening has consistently returned accurate reports, usually with less than 48 hours turnaround. If there are any problems or inconsistencies with the reports, their staff has called to notify us so that we can attempt to rectify the situation. The staff at Active Screening is always courteous and congenial over the phone. In our opinion, Active Screening is outstanding.”

Active ScreeningAndy N. Software Provider

 "Active Screening has helped us screen our applicants in record time for more than two years.... we are very impressed with the professionalism and speed with which their service team responds to our questions. They understand our needs and are a pleasure to work with. I highly recommend them."

Active ScreeningCassie J. Staffing Industry

"The Active Screening team is very informative; they provided a complete consultation on all the services, so I understood what I needed, and saved me hours and hours of my time learning the various services. Their reputation, as being on the cutting edge of employment screening best practices, certainly held true in this instance. The expertise they brought to the table was invaluable to our understanding of our applicants backgrounds. I highly recommend Active Screening to anyone with the task of screening large numbers of applicants and needing reliable customer support."

Active Screening

With over 20 years of law enforcement experience I can attest to the fact that the strongest predictor of future criminal behavior is a person’s criminal history. As the manager of campus safety at my church, I depend on Active Screening to provide a thorough assessment of every criminal history background check we request. For more than 3 years, Active Screening has been faithful to this task with timely, accurate and reliable service.

Active Screening

We have benefited from knowing that we are not exposing the communities we work with or ourselves to unnecessary risk. We continue to have a perfect record in that we have never had a serious incident with a trip participant causing harm or acting inappropriately with any community member or fellow team member- thank goodness!

Active Screening

I would highly recommend any association or organization who conducts background checks to use Active Screening. In addition to my involvement with WAHA, I am an officer in a corporation with over 500 employees who provide treatment, mental health, and correctional services for children and adolescents. Our company is mandated by law to do comprehensive background searches and I can say with the utmost sincerity that Active Screening product rivals that of any government or other private sector process.

Active Screening

We have used Active Screening and their solution VERITY to screen all our coaches and volunteers working with youth. The online system gives us an easy and cost-effective solution to collecting forms and payments from our applicants...and we simply login to view the results of who passed or failed. It's so easy....thank you Active Screening.