Constant changes in the regulatory environment are putting more pressure on organizations to get data security and privacy right. Some regulations require audits to demonstrate compliance, but beyond that, any company that collects, processes or stores sensitive data can benefit from conducting regular security audits. An audit helps identify gaps in processes and overall security posture, and uncovers privacy compliance issues that need to be addressed to avoid penalties.
What Is a Compliance Audit?
A security audit evaluates the organization’s information system against a predefined set of criteria. The audit may assess everything from the physical environment and controls to business processes and procedures, IT environment, hardware configurations and user practices.
An audit differs from a vulnerability assessment, whose purpose is to find potential technical weaknesses in the IT system. It also differs from a penetration test, which is a sanctioned attack on the organization by ethical hackers, known as penetration testers, who try to breach the organization's defenses the same way real attackers would.
A compliance audit is usually narrower in scope than a security audit, because it examines policies and procedures specifically as they relate to the laws and regulations that apply to the organization. These audits are conducted for different reasons, which may include:
- Mandate by specific regulations, such as the Gramm-Leach-Bliley Act for financial institutions
- Third-party certification against a specific framework, such as PCI DSS or CIPL, often to satisfy a customer requirement
- Client’s assessment of a vendor’s or business associate’s security posture, whether as general policy or as required by regulations such as the Health Insurance Portability and Accountability Act (HIPAA)
- Internal assessment of readiness for compliance with regulations such as the European Union's General Data Protection Regulation (GDPR), or in preparation for a formal external audit
This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Rodika Tollefson. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/HwpsjY1wYtU/