Surviving a third party onsite audit - SANS Internet Storm Center

Surviving a third party onsite audit
How serious are you about your company's information security? You will get very serious quickly when your company is audited by a third party. These aren't third party vendors either, we're talking about the pending alliance will be profitable for your organization, get us through this audit...type of third party audit. Playing these situations to your fullest abilities will not only increase the profitability of your business, it will also result in a tightened down security posture for your company. I know, audits tend to cause headaches, neck pain as well as stress and the related "burn out" syndrome. But, I say expand your horizons, take a look at the big picture. How close are you to the ISO standards? What are those little pet projects that are curtailed by cultural issues which require C-level buy-in? This may be the straw that increases security in your environment. You may even get your pet project going again after frustrating funding delays. I seem to be going through my fair share of these lately and have a few pieces of advice for those facing this same reality. Stay calm and be prepared to the best of your ability. Provide the auditor with a hard and soft copy of your IT Security policy, hopefully one based on Internationally agreed standards. Use post-it flags to mark answers in the policy to any questions provided in advance. Saving the auditor time is a good thing. Make sure your policies include the approval date and revision histories for each section of policy. Set up a clean "routine" image workstation for the auditor to verify at their leisure. Have copies of your Security Awareness Training materials ready. Give heads up to the collateral departments which will need to provide requested documentation. Like HR for background checks and Physical Security for access logs. Practice accessing your logs from any SEIM or logging device. Double check logging enabled settings on all critical servers. Allow the examiner to work in a secured environment away from prying eyes and curious onlookers. Re-evaluate and study your questionnaire answers from the previous phases of the audit. Showing your professionalism and your dedication to security will undoubtedly assist in obtaining the vital business alliances required in our global economy. Let me know some of your audit survival skills and secrets and I'll update this page with your ideas. Mari Nichols - Handler on Duty	Mari Nichols 76 Posts Aug 16th 2009
Thread locked Subscribe	Aug 16th 2009 1 decade ago
12. Do not lie or try to wiggle out of 'trouble'. You only dig your hole deeper. 13. Do not try to hide or cover up problems for two reasons: some auditors do not stop until they have found something. Nobody is perfect and they know it. And secondly: identified issues often provide good leverage towards management for getting those budgets in place to fix things.	tyldis 5 Posts
Quote	Aug 17th 2009 1 decade ago
14. Don't try to hide something from them because they didn't ask a perfectly worded question. If you know what they're looking for, offer it up even if they didn't phrase it perfectly. 15. Don't be afraid to blow your own horn. If they ask about something and you put in protection measures that go beyond the norm, tell them.	Anonymous
Quote	Aug 17th 2009 1 decade ago

How serious are you about your company's information security? You will get very serious quickly when your company is audited by a third party. These aren't third party vendors either, we're talking about the pending alliance will be profitable for your organization, get us through this audit...type of third party audit.

Playing these situations to your fullest abilities will not only increase the profitability of your business, it will also result in a tightened down security posture for your company. I know, audits tend to cause headaches, neck pain as well as stress and the related "burn out" syndrome. But, I say expand your horizons, take a look at the big picture. How close are you to the ISO standards? What are those little pet projects that are curtailed by cultural issues which require C-level buy-in? This may be the straw that increases security in your environment. You may even get your pet project going again after frustrating funding delays.

I seem to be going through my fair share of these lately and have a few pieces of advice for those facing this same reality.

Stay calm and be prepared to the best of your ability.
Provide the auditor with a hard and soft copy of your IT Security policy, hopefully one based on Internationally agreed standards.
Use post-it flags to mark answers in the policy to any questions provided in advance. Saving the auditor time is a good thing.
Make sure your policies include the approval date and revision histories for each section of policy.
Set up a clean "routine" image workstation for the auditor to verify at their leisure.
Have copies of your Security Awareness Training materials ready.
Give heads up to the collateral departments which will need to provide requested documentation. Like HR for background checks and Physical Security for access logs.
Practice accessing your logs from any SEIM or logging device. Double check logging enabled settings on all critical servers.
Allow the examiner to work in a secured environment away from prying eyes and curious onlookers.
Re-evaluate and study your questionnaire answers from the previous phases of the audit.
Showing your professionalism and your dedication to security will undoubtedly assist in obtaining the vital business alliances required in our global economy.

Let me know some of your audit survival skills and secrets and I'll update this page with your ideas.

Mari Nichols - Handler on Duty

Mari Nichols

76 Posts

Aug 16th 2009

12. Do not lie or try to wiggle out of 'trouble'. You only dig your hole deeper.
13. Do not try to hide or cover up problems for two reasons: some auditors do not stop until they have found *something*. Nobody is perfect and they know it. And secondly: identified issues often provide good leverage towards management for getting those budgets in place to fix things.

tyldis

5 Posts

14. Don't try to hide something from them because they didn't ask a perfectly worded question. If you know what they're looking for, offer it up even if they didn't phrase it perfectly.
15. Don't be afraid to blow your own horn. If they ask about something and you put in protection measures that go beyond the norm, tell them.

Anonymous