One of the core elements in a mature risk management system is gathering evidence of your ongoing activities. To be compliant, you need to be able to demonstrate compliance, and the best way to do that is to collect and store evidence of your activities and have them ready to be verified during an audit. If you can do this work consistently before the audit, your job when dealing with an auditor will be made considerably easier.
In this article, we will explore some of the core elements involved in this process and some tools and methods to make it more straightforward. There is a multitude of procedures, policies, systems and tasks that support this effort.
These include but are not limited to:
At Spector, we consider security policies an essential item for protecting your technology infrastructure – even more than the actual tools that will monitor your structure. They will define how users should behave, and if well implemented, should stop people from putting themselves in danger.
These policies will act as the base that sustains the system, so it’s essential that they are in place and reviewed every two years. We use between 17 and 23 policies with our clients, depending on their requirements. Our system will then gather evidence and save it as screenshots to support the implementation of these policies and controls.
If you have designed an Action Plan to address risk or reach compliance, this plan should have originated a number of tasks and activities that must be performed for your business to attain its goals.
This can include all minuted meetings, preparation for board reports, backup testing, verification of security controls against known norms, etc. Tasks should be put into a calendarized system which creates automated workloads for responsible bodies.
Every task should have an owner, and there should be one body overseeing the entire process – a Risk/Compliance Officer. Evidence should be gathered regularly to ensure controls are still in place. If tasks don’t have a completion date, they usually fall on the back burner and never get done.
It can be done on a timed basis or using automated discovery tools and modern SIEM (Security Information and Event Management) and vulnerability solutions that report issues in real time. Technology can be a huge help here, in particular for evidence of real-time activity. Running annual vulnerability tests might tick boxes but is no longer enough to be considered best practice.
It’s futile to pretend that incidents will never happen, as there is too much uncertainty in today’s scenario, along with the human factor to take into consideration. Reporting and demonstrating how you discover, handle and remediate these incidents is crucial to show stakeholders and auditors that you can address them effectively.
Preparing reports after a security episode is usually recommended and will help the organisation understand how the incident happened and how to stop it from happening again.
Make sure that you document your approach to change management in terms of risk. Imagine the deployment of a new CRM. Where will the data live, and how does the solution provide clarity around current data protection legislation? These considerations are evidence of proper planning.
We like to think of this system as an organic entity. It grows and changes as the environment changes. There are many ways to handle this process of system building and evidence gathering. We use a risk management platform to assist us with our efforts, but we have clients that successfully manage the system by using calendaring solutions.
There is a wealth of tools that can help in gathering data. These come in different flavours.
Tools that are run at a point in time – Vulnerability assessment and pen-testing tools such as Qualys, Nessus, Rapidfire Tools. All have their place and discover different levels of detail about the potential vulnerabilities in your environment.
Tools that run 24/7 – Now this gets more complicated. This is where current endpoint security and AI protect and detect solutions start to cross over with modern SIEM solutions. SIEM used to harvest log data to be analysed periodically.
Modern SIEM uses AI and inbuilt vulnerability capabilities as well as integration with key security products to provide a 360-degree real-time view of incidents. Players such as Netsurion have fantastic platforms that extend their solutions and staff right into your organisation at a fraction of the price of manning your own Security Operations Centre (SOC).
The key takeaway from this chapter is that it supports the next stage – The Audit process. By maintaining this evidence, you can easily prove to an auditor that your business has been compliant with best practices and takes this task seriously.
We recommend utilising tools and specialised services to make this process automatic and as easy as possible. Our suite of tools enables full visibility for an external or internal auditor while maintaining data protection and governance. It can reduce an auditor’s time significantly on-site, and consequently, the stress of business owners.
The next part will address how to get Audit ready and report your progress to the board using the tools and knowledge you already have. If you want to turn this daunting situation into a stress-free, automatic process, then talk to us and keep reading our compliance and risk management content on our blog.