How to Pass a Cybersecurity Audit in 10 Steps

Sept. 17, 2015, 5:11 PM

Editor’s Note: The author of this post assists with complex litigation and regulatory environments.

By Sheila Mackay, Vice President at Xerox Legal Services

With data breaches becoming an unfortunate everyday occurrence, cybersecurity is no longer just an IT issue. Legal departments, which have a need to protect sensitive information, such as employees’ and clients’ personally identifiable information and nonpublic corporate information, are increasingly becoming involved in data security issues as the universe of risk exposure expands.

Moreover, with cybersecurity featuring prominently on the federal government’s agenda over the last two years, the legal department should anticipate the potential for regulatory audits. Earlier this year, the White House held a Summit on Cybersecurity and Consumer Protection and issued an Executive Order on Promoting Private Sector Cybersecurity Information Sharing. Meanwhile, federal agencies, including the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) and the Financial Industry Regulatory Authority, have announced examination priorities that include shoring up private-sector cybersecurity.

Thus, there is no time like the present to work with your Chief Security Officer, Chief Information Officer, IT staff, and compliance and risk personnel to review and bolster your cybersecurity policies and practices in anticipation of future regulatory action. With that in mind, here is a checklist of 10 critical items that can help your organization prepare for, and pass, its next cybersecurity audit.

1. Review policies and procedures. Evaluate your existing information security policies and procedures; if they are lacking, draft or update them immediately. Once in place, test them frequently to audit your organization’s compliance, and keep the test results: an auditor will want evidence that the policies are followed, not just that they exist.

2. Inventory digital assets. Regularly review your organization’s inventory of hardware, software, databases, and servers. Account for every system that connects to your networks, including third-party data storage such as cloud providers. Create a data map that identifies where your organization’s data is stored and enforce data-retention limits on aging records.

3. Conduct a risk assessment. Schedule a regular assessment of risks. Once identified, prioritize the risks, take steps to remediate them, and document both the findings and your remediation actions.

4. Assign responsibility. At least one employee, if not a team, should be held responsible for maintaining the organization’s cybersecurity posture. Detail the duties of the position or team in writing, and use metrics to hold them accountable.

5. Invest in cyber insurance. Take out a policy that addresses the potential losses from cyberbreaches, including damage to digital assets, business interruption, and reputational harm.

6. Raise awareness. Many breaches are preventable, but policies alone are not enough to prevent inadvertent human errors. Your organization must take proactive steps to educate employees about the evolving threats associated with mobile devices, malware, phishing, and other cyber attacks. Conduct training at least annually and for all new employees, and retain all training attendance records and materials.

7. Create an incident response plan. The plan should consist of an incident response protocol and a business continuity plan that addresses post-breach recovery. A cross-departmental team should oversee and carry out the plan. The plan should be a living document, so test and update it regularly.

8. Protect consumers and customers. Devise a plan for notifying affected people in the event of a breach. If your employees are client-facing, train them to detect anomalous or fraudulent customer requests.

9. Assess third-party risk. Where possible, restrict third-party access to the company’s networks and sensitive data. All contracts with third parties should include terms that address information security and data breaches.

10. Secure the perimeter. Develop and follow written procedures for monitoring and detecting unauthorized access on networks and devices. Limit users’ access to only the network resources and data they need to perform their duties, and review those access rights periodically so that they do not accumulate as roles change.

By taking these steps now — before an audit occurs — organizations can improve their ability to avoid the harm that cyberbreaches can cause and demonstrate a proactive posture to agencies that expect organizations to have these safeguards in place.

Learn more about a Bloomberg Law subscription.