Today’s business environment has become more regulated – with different mandates and requirements spanning multiple industries and regions. Some regulations require multiple audits per year and depending on your industry, you may have to comply with multiple regulations. Even if you don’t have to comply with the bevy of standards or requirements such as PCI-DSS, SOX, NERC CIP, HIPAA, and so on, you most likely still have (or you SHOULD have) internal reviews and checks of security policies.
While regulations and ensuing IT audits go beyond firewalls and firewall policies, these devices are often a good place to start when it comes to becoming “audit-ready” and gaining continuous visibility of what’s going on in your network.
In this blog series, we’ll examine what you need in order to successfully go through an audit of your firewall estate and, most importantly, how to ensure continuous compliance (this is where automation plays a big role). This post focuses on step 1. It relates closely to what my colleague Josh Karp has blogged about in his series When PCI Compliance meets real world security, specifically the first step he examined.
Step 1: Gathering Pertinent Information Before You Undergo an Audit
An audit has little chance of success if you do not have proper visibility of your network, including software, hardware, policies and risks. This sounds like an obvious statement, but many organizations do not have the necessary visibility of their IT environment.
Some examples of “quick wins” in the pre-audit phase would be to collect the following information:
Even though this is just the preparation for the audit, you’re not quite done. Once you have gathered this information, you must have a plan to aggregate and store it in a way that makes analysis and reporting easier – and no, spreadsheets don’t really count. Spreadsheet compliance is a surefire way to make the audit process painful. Document, store and consolidate this important information in a way that enables collaboration with your IT counterparts. Remember, you’re most likely going to have multiple audits per year.
Then and only then can you start reviewing policies and procedures and begin to track their effectiveness…
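As an added illustration of the point above (this is example code written for this post, not a tool from the original author), the script below consolidates per-firewall inventory and rule exports into one queryable store instead of a spreadsheet, then asks it two of the questions an auditor typically asks. The device records, the vendor-neutral CSV rule export, the two checks (permit rules open from any source to any destination on any service, and devices whose last policy review is older than a threshold) and the 180-day threshold are all assumptions constructed for the example; real vendor exports need their own parsers and your audit scope defines the actual checks.

```python
"""Consolidate firewall inventory and rule exports into one queryable store.

Added example, not code from the original post. Sample data below is
constructed; the vendor-neutral CSV rule format is an assumption.
"""
import sqlite3
from datetime import date

# Constructed sample inventory: hostname, vendor, software version,
# date of the last documented policy review (ISO 8601).
DEVICES = [
    ("fw-edge-01", "VendorA", "9.1.4", "2023-11-02"),
    ("fw-dc-01", "VendorB", "7.0.2", "2023-03-15"),
]

# Constructed rule export: hostname, rule_id, action, src, dst, service
RULES_CSV = """\
fw-edge-01,10,permit,10.0.0.0/8,192.168.10.5,tcp/443
fw-edge-01,20,permit,any,any,any
fw-edge-01,30,deny,any,any,any
fw-dc-01,10,permit,192.168.0.0/16,10.20.0.0/24,tcp/3306
fw-dc-01,20,permit,any,10.20.0.9,tcp/22
"""

SCHEMA = """
CREATE TABLE device (hostname TEXT PRIMARY KEY, vendor TEXT,
                     software_version TEXT, last_policy_review TEXT);
CREATE TABLE rule (hostname TEXT, rule_id INTEGER, action TEXT,
                   src TEXT, dst TEXT, service TEXT,
                   PRIMARY KEY (hostname, rule_id));
"""


def build_inventory(devices=DEVICES, rules_csv=RULES_CSV):
    """Load device and rule records into an in-memory SQLite database.

    Normalising to lower case here means later queries do not have to
    cope with 'Any', 'ANY' and 'any' from different exports.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO device VALUES (?, ?, ?, ?)", devices)
    rows = []
    for line in rules_csv.strip().splitlines():
        host, rid, action, src, dst, svc = (f.strip() for f in line.split(","))
        rows.append((host, int(rid), action.lower(), src.lower(),
                     dst.lower(), svc.lower()))
    conn.executemany("INSERT INTO rule VALUES (?, ?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def rule_counts(conn):
    """Rules per device; a quick sanity check that every export loaded."""
    cur = conn.execute("SELECT hostname, COUNT(*) FROM rule GROUP BY hostname")
    return dict(cur.fetchall())


def overly_permissive_rules(conn):
    """Permit rules that allow any source to any destination on any service.

    Assumed audit check; (hostname, rule_id) pairs are returned so the
    finding can be traced back to the device's own rule numbering.
    """
    cur = conn.execute(
        "SELECT hostname, rule_id FROM rule "
        "WHERE action = 'permit' AND src = 'any' AND dst = 'any' "
        "AND service = 'any' ORDER BY hostname, rule_id"
    )
    return cur.fetchall()


def stale_policy_reviews(conn, as_of, max_age_days):
    """Devices whose last policy review is older than max_age_days as of as_of.

    The threshold is an assumption; set it from your own review cadence.
    """
    cutoff = date.fromisoformat(as_of)
    stale = []
    for host, reviewed in conn.execute(
            "SELECT hostname, last_policy_review FROM device ORDER BY hostname"):
        if (cutoff - date.fromisoformat(reviewed)).days > max_age_days:
            stale.append(host)
    return stale


if __name__ == "__main__":
    db = build_inventory()
    print("rules per device:", rule_counts(db))
    print("any/any/any permits:", overly_permissive_rules(db))
    print("stale policy reviews:", stale_policy_reviews(db, "2024-01-01", 180))
```

Because the data lives in one schema rather than one spreadsheet per device, the same two queries run unchanged whether you have two firewalls or two hundred, and the next audit only needs fresh exports loaded, not a new workbook.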