Posted by: SarahCortes
Access control, COBIT, compliance, compliance audit, Firewall, policy, Security
This post is the second in a two-part series. The first post, “review policies and standards,” addressed the first step in preparing for the auditors. -Ed.
When we last left our hero and heroine, the lone IT operations manager, he or she was about to get a visit from the compliance auditors. Sound familiar? Only, unlike in that big upcoming squash or tennis match, you’re not sure which rule book they will be using to score the games. Because you are unsure against what standard your IT operation will be judged, I advised:
Step 1: Get ahold of your company’s IT policies and standards.
Step 2: Reality check. Do they represent TODAY’s state of your IT operation?
For example, I pointed to your access control policy. Does it say, I asked, “Terminate access rights for all users within 24 hours of employment termination?” Is that really happening, 365 days a year, I queried? I also pointed out seven common ways the operation can miss that 24-hour window.
But here’s the good news: If your IT policy said, “Terminate access rights for all users within one week (instead of 24 hours) of employment termination,” you’d get an A on the audit.
So, take Step 3: Revise your IT policies and standards to reflect TODAY’s reality. Don’t let staff companywide get in the habit of tolerating noncompliance with your policies because they are too ambitious in relation to your current compliance level. While you may be trying to set a higher standard to aspire to, there are better ways to do that. Instead, you are just setting yourself up for a BAD AUDIT.
“Sarah, how can you recommend a one-week standard for access termination?” I can just hear you say. The point is, of course I recommend you tighten up your operation and get that one week down to 24 to 48 hours. Just don’t put it in your policies and standards until it is THERE. If you insist on writing the aspirational number into policy, it will only get you an “F” on your audit. And there’s nothing in COBIT dictating the time frame. You can determine your own time frame based on a series of factors. I’ll go over those another time, but they give you more leeway than you’d think. If you’ve followed these steps, take Step 4: Sleep easier at night.
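Here is what the Step 2 reality check looks like in practice, as an added example that is not part of the original post: measure, from your own records, how often terminations actually met each candidate window before you write any number into the policy. The HR termination timestamps and directory disable timestamps are constructed sample data, and the function and user names are my own.

```python
from datetime import datetime

# Constructed sample records (not from the post): when HR recorded each
# termination and when the account was actually disabled in the directory.
# A value of None means the account was never disabled.
TERMINATIONS = {
    "alice": "2024-03-01T09:00:00",
    "bob":   "2024-03-01T17:30:00",
    "carol": "2024-03-02T12:00:00",
    "dave":  "2024-03-04T08:00:00",
    "erin":  "2024-03-05T10:00:00",
}
DISABLED = {
    "alice": "2024-03-01T15:20:00",  # same day
    "bob":   "2024-03-04T09:05:00",  # Friday-evening leaver, caught Monday
    "carol": "2024-03-04T11:00:00",  # 47 hours
    "dave":  None,                   # still active: an open finding
    "erin":  "2024-03-15T09:00:00",  # almost ten days
}


def lag_hours(terminated_at, disabled_at):
    """Hours between the HR termination and the account being disabled."""
    t = datetime.fromisoformat(terminated_at)
    d = datetime.fromisoformat(disabled_at)
    return (d - t).total_seconds() / 3600


def compliance_by_window(terminations, disabled, windows=(24, 48, 168)):
    """For each candidate policy window (in hours) return the fraction of
    terminations that actually met it and the users that did not.
    Accounts that were never disabled fail every window."""
    report = {}
    for w in windows:
        misses = []
        for user, t in terminations.items():
            d = disabled.get(user)
            if d is None or lag_hours(t, d) > w:
                misses.append(user)
        report[w] = {"rate": 1 - len(misses) / len(terminations),
                     "misses": misses}
    return report


def tightest_defensible_window(report, target=1.0):
    """Smallest window whose measured compliance reaches the target, or None
    if no window does (then the operation, not the policy, needs fixing)."""
    for w in sorted(report):
        if report[w]["rate"] >= target:
            return w
    return None


if __name__ == "__main__":
    rep = compliance_by_window(TERMINATIONS, DISABLED)
    for w, r in rep.items():
        print(f"{w:>4}h window: {r['rate']:.0%} met, misses={r['misses']}")
    print("tightest window at 100%:", tightest_defensible_window(rep))
```

Run against the real HR feed and directory audit log, the `misses` list for your current policy window is exactly what the auditors will find; the never-disabled accounts are findings regardless of which window the policy states.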
If you have any questions about this strategy, let me know in the comments.