Charles Edge

Part I of 8,900,321 articles on surviving security audits


When we first started out, we like to think that in retrospect the world was an easier place - if not far more expensive to get started. The earliest internet pioneers had it easier, we thought. Sites like eBay and Craigslist could start out of a room in someone's house with inexpensive broadband. By the early 2000s, we had to rent rackspace from a colocation facility, often at a minimum price of $10,000 a month. Then we had to fill it with between $20,000 and $100,000 worth of servers, firewalls, and load balancers. We had to learn to cluster databases and configure an F5. That’s before we deployed a monolithic web app that, if pounded, would pound back.

Now it’s far simpler and in many ways better. We can stand up a microservice or 50 in the instance of a cloud provider, use their database, maybe even use a little low-code or no-code tooling so we don't even have to know how to write code. Or use a tool like Google Bard to write some of the code. Then we buy ads on Facebook instead of paying Yahoo! another $50,000 a month to host a banner that most people hated because it loaded so slowly. And thus the modern internet is born.


But along the way, those tens of thousands of dollars here and there got replaced with the need to hire expensive compliance auditors, often coming in at $100,000 or more on top of software that costs $5,000 to $10,000 a month to audit that our engineering teams are practicing the policies we made. It’s been a fun ride and it’s all evolved into a much nicer rubric. Those security audits never seem to get easier, no matter how many we’ve been through.

All that’s to say that security audits have become a fact of life for any organization that handles sensitive data. They can be a stressful and time-consuming experience, but they're also an important part of staying secure. And not just secure in our own eyes, but secure in a manner that’s compliant with the expectations of our constituents. Along the way, we feel like we’ve learned what to expect, so let’s share a little of that.


The first step in any security audit is preparation. The auditors will need to gather information about your organization's security posture, so it's important to have all of your documentation in order. This includes things like your security policies, procedures, and incident response plan. If you haven’t been through this, there are a number of compliance platforms. Some are more about policies and others can actually be plugged into your infrastructure and report back on policies you might want to write and infractions against those policies (after all, compliance isn’t just about writing some pretty documents).

Compliance software is a type of software that helps organizations to comply with laws, regulations, and industry standards. There are a number of different compliance software solutions available, each with its own strengths and weaknesses. In general, we recommend starting with one that’s pretty and easy to use - but that can also grow as you need it to. So it helps if it covers various compliance frameworks. Some other factors to consider when choosing compliance software include:

  • The size and complexity of the organization.

  • The budget for compliance software (factor in agents, so number of devices - as well as the number of administrators, and whether they charge for users who get access to their portal).

  • The level of support that the organization needs.

  • If the audit can be bundled with the software or if the vendor has auditors they refer business to.

Our experience has mostly been with SOC Type 2 and ISO compliance. Some organizations also have to deal with regulatory compliance software, which is designed to help organizations comply with specific regulations, such as the Sarbanes-Oxley Act (SOX) or the Health Insurance Portability and Accountability Act (HIPAA). There’s also industry-specific compliance software, which is designed to help organizations comply with the regulations and standards of a particular industry, such as the financial services industry or the healthcare industry. Enterprise compliance software is designed to help organizations comply with a wide range of regulations and standards, across multiple departments and functions.


When choosing compliance software, it is important to consider the specific needs of the organization. For example, if an organization needs to comply with SOC2 to win customers, it will need a software solution that can help build policies around how to handle user data that’s hosted, as well as monitor that those rules are being followed. If the software needs to be SOX compliant, it will need to track and manage financial transactions as well. If an organization needs to comply with HIPAA, it will need a software solution that can help it to protect patient data. We’ll mostly focus on SOC2 compliance.


We do know some people that try and go this compliance route without special software. A few reasons not to do that (or things compliance software will get ya’):

  • Reduced risk of non-compliance. Compliance software can help organizations to identify and mitigate risks of non-compliance.

  • Improved efficiency. Compliance software can help organizations to automate compliance tasks, which can save time and money.

  • Improved visibility. Compliance software can help organizations to gain visibility into their compliance status, which can help them to make better decisions.

  • Improved reporting. Compliance software can help organizations to generate reports on their compliance status, which can be used to demonstrate compliance to regulators and auditors.

Now, let’s say you finally get to the point where you’ve got a solid few months of auditable data to prove that you are meeting the requirements to get certified that you are following all the rules in all the fancy documents you’ve written. Now hire an auditor. Again, if you’ve been using a piece of software to get to that auditable state, check with them for some good people to call, or if you have colleagues that have had good experiences, call whoever did their audit. And expect accountants on the other side of the phone. Because that’s what an auditor is. They are effectively performing a forensic accounting analysis of all the logs. It’s wild and honestly, can only make us all better.


Once the auditors have gathered all of the necessary information, they'll begin the audit itself. This will involve a series of interviews with your staff, as well as a review of your systems and networks. The auditors will be looking for any security vulnerabilities or gaps in your security controls.


Once the audit is complete, the auditors will issue a report that outlines their findings and recommendations. This report will be a valuable tool for you to identify and address any security weaknesses in your organization. There will always be recommendations and things that weren’t done right. No one is perfect, and if you are, honestly, they’ll probably find something anyway. Don’t get annoyed, just fix whatever they find.


It's important to follow up on the findings and recommendations from the security audit. This means implementing any necessary corrective actions and tracking your progress over time. By following up on the audit, you can help to ensure that your organization stays secure. Here are some tips for making the most of your security audit:

  • Be prepared. The more prepared you are for the audit, the smoother the process will go. Make sure you have all of your documentation in order and that your staff is aware of the audit and their roles and responsibilities.

  • Cooperate with the auditors. The auditors are there to help you improve your security posture. Cooperate with them by providing them with the necessary information and documentation, and by answering their questions honestly and completely.

  • Take the findings and recommendations seriously. The findings and recommendations from the audit are a valuable tool for you to identify and address any security weaknesses in your organization. Make sure you take them seriously and implement any necessary corrective actions.

  • Track your progress over time. Once you've implemented the corrective actions from the audit, it's important to track your progress over time. This will help you to ensure that your security posture is continuously improving.

Security audits are an essential part of any organization's risk management program. They help to identify and mitigate security risks, and to ensure that the organization is in compliance with applicable laws and regulations. However, security audits can also be a stressful and time-consuming experience. This is especially true for organizations that are not well-prepared for an audit.

To help you survive your next security audit, here are a few tips:

  1. Get organized. The first step to surviving a security audit is to get organized. This means having a clear understanding of your organization's security posture, and having all of the necessary documentation in place.

  2. Create a security audit plan. Once you are organized, you need to create a security audit plan. This plan should include the following:

    • The scope of the audit

    • The timeline for the audit

    • The resources that will be needed for the audit

    • The communication plan for the audit

  3. Prepare your team. It is important to prepare your team for the security audit. This means making sure that they are aware of the audit, and that they understand their roles and responsibilities.

  4. Cooperate with the auditors. During the audit, it is important to cooperate with the auditors. This means providing them with the necessary information and documentation, and answering their questions honestly and completely.

  5. Follow up after the audit. Once the audit is complete, it is important to follow up with the auditors. This means addressing any findings from the audit, and implementing any necessary corrective actions.

Secret Chest is currently working towards our first compliance framework, SOC2, so that’s freshest in our mind. And we’ve actually built the tool in such a way that we can produce auditable results that fill gaps for customers, mostly in the devops and devsecops space. To learn more about how we can help you get compliant, we’d be lucky to have you sign up to join our private beta!
