The Best Way to Prepare for a Data Security Audit
May 21, 2019
By Elana Margulies-Snyderman
At the New York Junior League’s “Technology Talk: Data Security in the Nonprofit Environment,” Lena Licata, a director in EisnerAmper's Process, Risk, and Technology Solutions (PRTS) group, and Rhina Brito, a senior in PRTS, discussed how firms can prepare for a data security audit. They covered the policies and procedures to have in place, how top-level management sets the tone, how to run an appropriate vendor risk management (VRM) program, how to perform a risk assessment using a framework such as the NIST Cybersecurity Framework and, finally, how to handle a breach.
Here are a few takeaways from the talk on each of these points.
Policies & Procedures
- Policies should come from top-level management and be built to last, so that minor business changes do not require rewriting them.
- Procedures should include step-by-step instructions.
- Policies and procedures should be kept simple and stored somewhere staff can readily find them.
- Examples include an Information Security Policy, a Privileged User Policy, an End User Compliance Policy and others.
Setting the ‘Tone at the Top’
- An organization’s ‘tone’ is set by top-level management and leadership. It is paramount that they practice ethical behavior and set an example for their employees to follow.
Vendor Risk Management
- VRM relates to how companies manage relationships with external parties they do business with.
- It is imperative that companies control vendor access to their systems and information.
- Companies should protect information assets by having IT security specifically monitor vendor activity whenever vendors access the network or hardware (e.g., hard drives). They should further consider having an IT risk assessment performed that evaluates the controls and safeguards the vendor has in place to protect information assets from unauthorized access.
- VRM is a five-step process: 1) identify the sources of risk a vendor can pose; 2) define risk assessment policies for vendors; 3) assess vendor risk; 4) remediate issues by working with critical vendors to confirm that findings are fixed; and 5) maintain continued vendor compliance through scheduled periodic assessments.
NIST Cybersecurity Framework
- Companies can perform a cybersecurity risk assessment using this Framework, which organizes cybersecurity activities into five core functions: 1) Identify, 2) Protect, 3) Detect, 4) Respond and 5) Recover. The first three reduce the likelihood and impact of an attack; the last two govern what an organization does once it has fallen victim to one.
How to Handle a Breach
- If a company falls victim to a breach, it needs to stop the bleeding by containing the incident and then identify the points of entry the attacker used, while preserving the logs and other evidence the investigation will depend on.
- In addition, the company needs to determine what was accessed or compromised and over how long a period the attacker had access.