2020 Audit Items and Remediation
Patching – A patch is a set of changes to a computer program or its supporting data, designed to update, fix, or improve it. This includes fixing security vulnerabilities and other bugs. A good practice for avoiding common issues is to keep the baseline of applications installed on your systems small: the more third-party applications (Adobe Reader, Google Chrome, etc.) you install, the more likely you are to have vulnerabilities in your environment. Auditors look to make sure all patches are being applied to the system, not just the critical ones. They also compare the date a patch became available with the date it was applied, so don’t wait to apply patches right before the audit; apply them throughout the year and produce reports as you go.
Passwords – Passwords are tedious and required for practically everything. It’s tempting to use the same password across the board, but that opens up your devices and environments to breaches. If your organization hasn’t already, it’s time to modernize your password policy and utilize a password manager like LastPass. Passwords are trending toward passphrases, which are a lot easier to remember and a lot harder to break.
Login Credentials – Use the employee’s full first and last name when creating the account. This makes it easier to avoid duplicate accounts in the organization’s Active Directory going forward.
Login Restrictions – An easy way to reduce the window during which an attacker can access the system is to set up login hour restrictions within your organization. There are pros and cons to this remediation tactic, because it prevents employees from getting into the system and completing work outside of normal business hours. Multifactor authentication adds a second layer of protection when proving who you are at login.
Disaster Recovery/Business Continuity – The last two years have been marked by critical events that may have put your Disaster Recovery/Business Continuity plans to the test, or shown the vulnerability of not having these plans in place. Typically in banking, organizations need to be up and running within 24-48 hours of an incident to remain in compliance. Documenting and testing a plan before the stress of an incident greatly increases the chances of getting back to operational in a shorter time frame.
2021 Audit Preparation and Assumptions
Remote Access and Virtual Private Networks – A quick workaround that many organizations adopted at the beginning of the pandemic was allowing employees to connect their home PCs and devices to the company’s network. By allowing this, many organizations opened themselves up to vulnerabilities.
Endpoint Protection, Detection, and Response –
Employee Security Training – Make sure there’s a policy in place that outlines how often training happens, who within your organization receives the training, and how the training is documented. A detailed and properly implemented policy will put your organization in a good spot to catch a phishing attempt.
Vendor Management Policy – Ensure your organization is doing due diligence on the vendors it hires. Look through their documentation to make sure they have a Disaster Recovery Plan in place, etc. Full transparency between both organizations is key in this step.
Ransomware / Disaster Recovery Planning and Tests – Document. Execute the plans annually. When ransomware hits, it is typically chaotic. The more prepared your organization is, the better you’ll do when a disaster strikes.
Exchange and SolarWinds Vulnerabilities + Remediation – These are the two big breaches that took place in the last year and auditors are already asking questions. Verify you were not impacted by either of the breaches. If you were, make sure you are documenting when you were notified, the steps of remediation your organization took, and the tools implemented.
As a best practice, Five Nines recommends all partners operate at an “audit-ready” status at all times. These are the types of items you want to prioritize 2-3 months out from the audit.
- Ensure any local data is stored in an encrypted form
- Enable multifactor authentication on all services possible
- Leverage anti-virus/malware tools with in-depth reporting
- Remove all personal systems from VPN access
- Document and test Disaster Recovery Plan
- Refer back to action items from prior year audits and ensure complete remediation
- Utilize end-user security awareness training
- Document everything