Although each compliance standard has its own specifications, many of the rules overlap. For instance, PCI-DSS and HIPAA protect different kinds of data, but both have standards for data encryption, the storage of sensitive information, and access control.
The first step in ensuring compliance is to identify the standards that apply to your company, and then examine all of the requirements to find any cybersecurity components that aren’t present in your current architecture.
Every so often, compliance standards are updated, necessitating the review and analysis of any new rules. After all, your company may be subject to heavy fines if it does not integrate the new compliance rules into its current operations.
IT Compliance Audit Checklist
While data security is a huge topic, and a comprehensive breakdown of all the factors that need to be taken into consideration is clearly beyond the scope of this article, the majority of compliance requirements will fit into the following categories:
1. Access and Identity Control
- Have you published an IAM policy?
- Do you know what access control methods you are using, or are planning to use (e.g. RBAC, ABAC, and/or PBAC)?
- Are you enforcing the Principle of Least Privilege (PoLP)?
- Do you have a system in place to revoke access to sensitive data when access is no longer required?
- Are you enforcing ‘separation of duties’?
- Are you auditing all access to privileged accounts?
- Do you have automated procedures to detect and respond to anomalous account access?
- Do you have a system in place to detect and manage inactive user accounts?
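Several of the questions above (least privilege, separation of duties, auditing privileged access, detecting inactive accounts) can be turned into routine checks. The following is an added example, not code from the original article or from Lepide: it runs three such checks over a constructed user inventory and a handful of constructed access-log lines. The user records, the role names, the 90-day inactivity threshold, the conflicting-role pair and the 08:00 to 18:00 working window are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data: not taken from any real directory or log source.
TODAY = datetime(2024, 6, 1)
INACTIVE_AFTER = timedelta(days=90)  # assumed inactivity threshold

USERS = [
    {"name": "alice", "roles": {"analyst"}, "privileged": False, "last_login": datetime(2024, 5, 28)},
    {"name": "bob", "roles": {"dba"}, "privileged": True, "last_login": datetime(2024, 1, 15)},
    {"name": "carol", "roles": {"payment_requester", "payment_approver"}, "privileged": False,
     "last_login": datetime(2024, 5, 30)},
    {"name": "dave", "roles": {"dba"}, "privileged": True, "last_login": datetime(2024, 5, 31)},
    {"name": "svc-backup", "roles": {"backup"}, "privileged": True, "last_login": datetime(2024, 5, 31)},
]

# Role pairs that a single user must never hold at the same time (separation of duties).
# The pair below is a hypothetical example.
CONFLICTING_ROLES = [("payment_requester", "payment_approver")]

# Constructed access-log lines in the form: timestamp user action resource
ACCESS_LOG = """\
2024-05-31T22:10:04Z dave login sql-prod-01
2024-05-31T22:12:40Z dave read customers.card_numbers
2024-05-31T10:05:00Z dave read inventory.stock
2024-05-31T09:00:12Z alice read reports.monthly
2024-06-01T03:15:00Z svc-backup read customers.card_numbers
"""


def find_inactive_accounts(users, today=TODAY, threshold=INACTIVE_AFTER):
    """Accounts whose last login is older than the threshold; candidates for disabling."""
    return sorted(u["name"] for u in users if today - u["last_login"] > threshold)


def find_sod_violations(users, conflicts=CONFLICTING_ROLES):
    """Users holding both roles of any conflicting pair."""
    hits = []
    for u in users:
        for role_a, role_b in conflicts:
            if role_a in u["roles"] and role_b in u["roles"]:
                hits.append((u["name"], role_a, role_b))
    return hits


def audit_privileged_access(log_text, users):
    """Every log event performed by an account flagged as privileged."""
    privileged = {u["name"] for u in users if u["privileged"]}
    events = []
    for line in log_text.splitlines():
        ts, user, action, resource = line.split()
        if user in privileged:
            events.append({"time": ts, "user": user, "action": action, "resource": resource})
    return events


def flag_off_hours(events, start_hour=8, end_hour=18):
    """Privileged events outside the assumed working window; a simple anomaly signal."""
    flagged = []
    for e in events:
        hour = datetime.strptime(e["time"], "%Y-%m-%dT%H:%M:%SZ").hour
        if hour < start_hour or hour >= end_hour:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    print("inactive:", find_inactive_accounts(USERS))
    print("separation-of-duties violations:", find_sod_violations(USERS))
    privileged_events = audit_privileged_access(ACCESS_LOG, USERS)
    print("privileged events:", len(privileged_events))
    print("off-hours privileged events:", flag_off_hours(privileged_events))
```

In practice the user inventory would come from the directory service and the log lines from the SIEM, and the off-hours rule would be one of several signals feeding the automated anomaly detection the checklist asks about; the point of the example is that each checklist item maps to a concrete, repeatable query rather than a one-off manual review.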
2. Collecting, Storing, and Sharing Personal Data
- Do you really need to collect personal data?
- Have you obtained consent from the data subject before collecting their personal data?
- Are you aware of the data subject’s rights in relation to how their data is accessed and used?
- Are you encrypting sensitive personal data, both at rest and in transit?
- Are you sharing personal data with a third party, and if so, is it really necessary?
- Is there a lawful basis for sharing personal information?
- Do you know how long each piece of personal data you collect should be retained?
- Do you have procedures for removing personal data when it is no longer required?
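The retention, consent and encryption questions above are easiest to answer when an inventory of personal-data records is reviewed against a written policy on a schedule. The block below is an added example, not code from the original article or from Lepide: it takes a constructed record inventory and a constructed per-category retention policy and reports which records are past their retention period, which belong to a category the policy does not cover (and so cannot be judged), and which have a control gap such as missing consent or unencrypted storage. The categories, retention periods and record fields are assumptions for illustration, not figures from any regulation.

```python
from datetime import date, timedelta

# Constructed retention policy: days each category may be kept after collection.
# These categories and periods are assumptions, not any regulation's actual figures.
RETENTION_DAYS = {
    "support_ticket": 365,
    "marketing_consent": 730,
    "payment_record": 2555,
}

TODAY = date(2024, 6, 1)

# Constructed sample inventory of personal-data records.
RECORDS = [
    {"id": "r1", "category": "support_ticket", "collected": date(2023, 1, 10), "consent": True, "encrypted": True},
    {"id": "r2", "category": "support_ticket", "collected": date(2024, 3, 5), "consent": True, "encrypted": True},
    {"id": "r3", "category": "marketing_consent", "collected": date(2022, 2, 1), "consent": True, "encrypted": False},
    {"id": "r4", "category": "payment_record", "collected": date(2020, 7, 1), "consent": True, "encrypted": True},
    {"id": "r5", "category": "legacy_export", "collected": date(2021, 9, 9), "consent": False, "encrypted": False},
]


def review_records(records, today=TODAY, policy=RETENTION_DAYS):
    """Sort records into three findings:
    - delete: past the retention period for their category
    - unknown_category: no retention rule exists, so the record needs a policy decision
    - control_gaps: consent not recorded and/or data stored unencrypted
    """
    result = {"delete": [], "unknown_category": [], "control_gaps": []}
    for r in records:
        days = policy.get(r["category"])
        if days is None:
            # A record with no matching rule must not be silently kept forever.
            result["unknown_category"].append(r["id"])
        elif today - r["collected"] > timedelta(days=days):
            result["delete"].append(r["id"])
        gaps = []
        if not r["consent"]:
            gaps.append("no_consent")
        if not r["encrypted"]:
            gaps.append("unencrypted")
        if gaps:
            result["control_gaps"].append((r["id"], gaps))
    return result


if __name__ == "__main__":
    for finding, items in review_records(RECORDS).items():
        print(f"{finding}: {items}")
```

The "unknown_category" bucket is the part most often missing from ad-hoc scripts: data that nobody has classified cannot be retained or deleted lawfully, so it should surface as a finding rather than fall through the checks.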
3. Security Automation
In order to comply effectively with most data protection regulations, you will need to automate as many processes as possible, which means leveraging the latest technologies. You should have at least some of the following technologies in place:
- Antivirus and other anti-malware solutions
- A data discovery and classification tool
- A real-time change auditing solution
- A Security Information & Event Management (SIEM) solution
- An Endpoint Detection and Response (EDR) and/or Intrusion Prevention System (IPS)
- A next-generation firewall
4. Incident Response
Do you have an incident response plan (IRP) in place? Either way, you will need to familiarize yourself with the 5 stages of incident response, and ensure that you are able to answer the following questions about each stage:
Stage 1 - Preparation
- Do you have security policies in place and are your employees aware of them?
- Have you clearly defined a ‘security incident’?
- Do you know who is responsible for each phase of the incident response process?
Stage 2 - Detection and analysis
- Who discovered or reported the incident?
- When was the incident discovered or reported?
- Where was the location of the reported incident?
- What impact does the incident have on business operations?
Stage 3 - Containment
- Can the incident be contained, and if so, how? If the incident cannot be contained, you will need to explain why, and figure out what can be done to resolve the issue.
- Have you isolated the affected systems from the non-affected systems?
- Have you removed all malware and other threats from the infected systems?
Stage 4 - Eradication and recovery
- Have you checked for and applied all relevant software updates/patches?
- Have you checked for any configuration errors?
- Have you reviewed and closed up all possible entry points?
- Has all malicious activity been eradicated from the affected systems?
- Do you know where your backups are located and do you need to restore them?
- How and when will the infected systems be put back into production?
Stage 5 - Post-incident activity
- Do you have comprehensive documentation of each IRP phase?
- Have you planned a meeting to discuss the lessons learned, and if so, have you created a detailed report to present in the meeting?
5. Physical security
Are you controlling physical access to the servers and computers that store sensitive information? This might include the use of server rooms with locks, alarms, ID badges, CCTV cameras, and so on.
How Lepide Can Help Achieve Compliance
As mentioned above, this checklist is not intended to provide a detailed breakdown of all areas of data security, but is instead designed to serve as a broad summary of the requirements associated with most data protection regulations.
Many compliance standards are intensely rigorous and require in-depth visibility over your regulated data and user activity. Lepide makes this possible through pre-defined compliance audit reports, real-time alerts, and risk analysis dashboards that we have designed specifically to meet the most common compliance mandates across all industries.