How to Prepare for your Annual IT Audit

An IT audit is the review and evaluation of your company’s IT infrastructure, policies, management, and related processes. Sometimes IT audits coincide with the annual financial audit. IT audits matter because they tell you whether the systems you have in place adequately protect your company. They can also help reduce the risks and threats your company’s network faces, some of which you may never have expected; that is why audits are crucial to the health of a company. IT audits are complex, and they can be overwhelming if your company is not prepared.

There are three parts to an IT audit:

1. The preparation for the audit
2. The audit
3. The results of the audit

The results are the most important part of the audit. They show where your company stands with regard to the standards. Using these results to correct the controls found lacking is the most beneficial thing you can do for your company.

For network security, one of the most important safety measures is a secure authentication method. In fact, many compliance regulations have specific audit requirements for passwords. Here are a few compliance standards related to passwords:

NERC CIP Compliance – NERC CIP-007-1 minimum requirements:

R5.3.1. Each password shall be a minimum of six characters.
R5.3.2. Each password shall consist of a combination of alpha, numeric, and special characters.
R5.3.3. Each password shall be changed at least annually, or more frequently based on risk.

PCI Compliance Password Related Requirements:

8.5.3 Set first-time passwords to a unique value for each user and change immediately after the first use.
8.5.8 Do not use group, shared, or generic accounts and passwords.
8.5.9 Change user passwords at least every 90 days.
8.5.10 Require a minimum password length of at least seven characters.
8.5.11 Use passwords containing both numeric and alphabetic characters.
8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used.

Public Services Network (PSN Compliance) Password Tips:

Tip 1: Change all default passwords
Tip 2: Help users cope with password overload
Tip 3: Understand the limitations of user generated passwords
Tip 4: Understand the limitations of machine generated passwords
Tip 5: Prioritize administrator and remote user accounts
Tip 6: Use account lockout and protective monitoring
Tip 7: Don’t store passwords as plain text

National Institute of Standards and Technology (NIST Compliance) Password Advice:

1. Create a password policy that specifies all of the organization’s password management-related requirements.
2. Protect passwords from attacks that capture passwords.
3. Configure password mechanisms to reduce the likelihood of successful password guessing and cracking.
4. Determine requirements for password expiration based on balancing security needs and usability.

SOX (Sarbanes Oxley) Compliance – SOX 404 and IT:

1. Risk Assessment. Before the necessary controls are implemented, IT management must assess and understand the areas of risk affecting the completeness and validity of the financial reports.
2. Control Activities. Design, implementation and quality assurance testing teams should be independent. ERP and CRM systems that collect data but feed into manual spreadsheets are prone to human error. The organization will need to document usage rules and create an audit trail for each system that contributes financial information.
3. Monitoring. Auditing processes and schedules should be developed to address the high-risk areas within the IT organization. IT personnel should perform frequent internal audits.

HIPAA Compliance Password Related Requirements:

Title II. Title II requires national standards for electronic healthcare transactions.
The Security Rule. The Final Rule on Security Standards was issued in February 2003. It lays out three types of security safeguards required for compliance: administrative, physical, and technical.
Technical Safeguards. Technical Safeguards describe the access control to computer systems and the protection of patient health information from interception over electronic networks. Authentication consists of corroborating that an entity is who it claims to be. Examples of corroboration include password systems, two- or three-way handshakes, telephone callback, and token systems.

Granted, not every company will have to follow all of these compliance standards. However, all audits include sections about authentication processes. The Windows Password Policy is no longer enough to keep your network secure (read why here). Passwords like “Password1” and “Summer2017” are allowed and used on your network if you do not have a password filter in place. Simply telling your employees not to use weak passwords is not enough to ensure that they will not. With the nFront Password Filter, your company will be able to meet all of these audit requirements, and you will be able to say goodbye to Password1.
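As an added illustration (this is not code from the original post and not the nFront product's logic), the Python below encodes the NERC CIP-007 R5.3.1/R5.3.2 and PCI 8.5.10–8.5.12 rules listed above, keeps the four-password history required by PCI 8.5.12 as salted PBKDF2 hashes rather than plain text (PSN Tip 7), and adds the kind of extra filter rules a password filter layers on top of composition checks. The banned-word list, the salt, the PBKDF2 iteration count and the specific filter heuristics (banned dictionary fragments, year suffixes, word-plus-digits) are the editor's assumptions for this example. Running it shows the point the paragraph makes: “Summer2017” and “Password1” satisfy the PCI composition rules yet are rejected by the filter.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Dictionary and seasonal fragments that commonly pass complexity rules.
# Constructed for this example; a real filter uses a large dictionary.
BANNED_FRAGMENTS = ("password", "welcome", "spring", "summer", "autumn", "winter")

# Example salt; a real deployment generates a random per-record salt.
EXAMPLE_SALT = b"audit-example-salt"


@dataclass
class PasswordHistory:
    """Keeps the last N passwords as salted PBKDF2 hashes (never plaintext)."""
    salt: bytes = EXAMPLE_SALT
    keep: int = 4                       # PCI 8.5.12: compare against the last four
    hashes: list = field(default_factory=list)

    def _digest(self, password: str) -> str:
        # PBKDF2-HMAC-SHA256 with a modest iteration count for the example.
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), self.salt, 50_000).hex()

    def contains(self, password: str) -> bool:
        return self._digest(password) in self.hashes

    def add(self, password: str) -> None:
        self.hashes.append(self._digest(password))
        del self.hashes[:-self.keep]    # drop anything older than the last `keep`


def meets_nerc_cip(password: str) -> list:
    """NERC CIP-007-1 R5.3.1 / R5.3.2: at least 6 chars; alpha, numeric and special."""
    issues = []
    if len(password) < 6:
        issues.append("R5.3.1: shorter than 6 characters")
    has_alpha = re.search(r"[A-Za-z]", password)
    has_digit = re.search(r"\d", password)
    has_special = re.search(r"[^A-Za-z0-9]", password)
    if not (has_alpha and has_digit and has_special):
        issues.append("R5.3.2: needs alpha, numeric and special characters")
    return issues


def meets_pci(password: str, history: PasswordHistory) -> list:
    """PCI DSS 8.5.10-8.5.12: at least 7 chars; alpha + numeric; not one of the last four."""
    issues = []
    if len(password) < 7:
        issues.append("8.5.10: shorter than 7 characters")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        issues.append("8.5.11: needs both numeric and alphabetic characters")
    if history.contains(password):
        issues.append("8.5.12: matches one of the last four passwords")
    return issues


def filter_check(password: str) -> list:
    """Filter rules beyond composition: reject dictionary/seasonal bases and common shapes."""
    issues = []
    lowered = password.lower()
    for fragment in BANNED_FRAGMENTS:
        if fragment in lowered:
            issues.append(f"filter: contains banned word '{fragment}'")
    if re.search(r"(19|20)\d{2}$", password):
        issues.append("filter: ends with a four-digit year")
    if re.fullmatch(r"[A-Za-z]+\d{1,2}", password):
        issues.append("filter: a word followed by one or two digits")
    return issues


def evaluate(password: str, history: PasswordHistory) -> dict:
    """Return the findings per rule set; an empty list means the password passes that set."""
    return {
        "nerc_cip": meets_nerc_cip(password),
        "pci": meets_pci(password, history),
        "filter": filter_check(password),
    }


if __name__ == "__main__":
    history = PasswordHistory()
    for candidate in ("Password1", "Summer2017", "Tr0ub4dor&Gate!"):
        print(candidate, evaluate(candidate, history))
```

The composition checks alone are what an auditor's checklist asks for; the `filter_check` rules are what actually stop “Summer2017” from being chosen, which is why the two are kept as separate results rather than merged into one pass/fail.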

Want to learn about the Password To Survive Any Audit? Click here.

