{"id":195005,"date":"2021-03-05T14:00:07","date_gmt":"2021-03-05T11:00:07","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-stop-being-overwhelmed-by-security-audits-cloudsavvy-it\/"},"modified":"2021-03-05T14:00:07","modified_gmt":"2021-03-05T11:00:07","slug":"how-to-stop-being-overwhelmed-by-security-audits-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-stop-being-overwhelmed-by-security-audits-cloudsavvy-it\/","title":{"rendered":"#How To Stop Being Overwhelmed by Security Audits \u2013 CloudSavvy IT"},"content":{"rendered":"<div id=\"article-content-area\">\n<figure style=\"width: 700px\" class=\"wp-caption alignnone\"><img class=\"wp-image-9986 size-full\" src=\"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/96ce69072f68251dd7ad423f89ddcda0\/p\/uploads\/2021\/03\/ced4f36f.png\" alt=\"\" width=\"700\" height=\"346\" \/><figcaption class=\"wp-caption-text\"><span class=\"imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/macro-photo-tooth-wheel-mechanism-audit-741348823\">Shutterstock\/EtiAmmos<\/a><\/span><\/figcaption><\/figure>\n<p>Getting certified against a standard or compliant with data protection legislation is always tough. Maintaining standards can feel like you\u2019re on a treadmill of internal audits. Here\u2019s how to avoid internal audit burn-out.<\/p>\n<h2 id=\"the-web-of-compliance-requirements\">The Web of Compliance Requirements<\/h2>\n<p>If your organization gathers, processes, or transmits personal data you have to comply with data privacy legislation. That might be legislation put in place by your own government, or it might be legislation from overseas, because most modern privacy laws reach beyond their own borders. What brings a foreign law into play is generally not the citizenship of the data subjects (the people whose data you are processing) but where they are and how you reach them. The GDPR, for example, applies to any organization with an establishment in the EU, and to organizations outside the EU that offer goods or services to people in the EU or monitor their behaviour, whatever passport those people hold. Where your business is located is only part of the picture.<\/p>\n<p>This legislation can soon pile up. For example, the European data protection legislation is the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/HTML\/?uri=CELEX:32016R0679&amp;qid=1600605964569&amp;from=EN\">General Data Protection Regulation<\/a>. If you process personal data relating to people in the EU on that basis, you need to comply with the GDPR. 
The United Kingdom left the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/europa.eu\/european-union\/index_en\">European Union<\/a> on Jan. 31, 2020, and the Brexit transition period ended on Dec. 31, 2020. The UK now has its own version of the regulation, the UK GDPR (the EU GDPR as retained in UK law at the end of the transition period), supplemented by the UK\u2019s <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.legislation.gov.uk\/ukpga\/2018\/12\/contents\/enacted\">Data Protection Act 2018<\/a> (DPA 2018). So if you process the personal data of people in the UK, you need to comply with that legislation too.<\/p>\n<p>In the U.S. the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/leginfo.legislature.ca.gov\/faces\/billVersionsCompareClient.xhtml?bill_id=201720180SB1121\">California Consumer Privacy Act<\/a> (CCPA) safeguards the personal data and privacy rights of California residents. <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/legiscan.com\/NV\/bill\/SB220\/2019\">Nevada<\/a> and <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.maine.gov\/doe\/data-reporting\/privacy\/laws\">Maine<\/a> have their own legislation in place, and many other states (New York, Maryland, Massachusetts, Hawaii, and North Dakota amongst them) are implementing or considering their own data protection and privacy laws.<\/p>\n<p>Remember, it is not where you are located that counts so much as where the data subjects are; that is what dictates whether you need to consider their local data protection laws. Some of these laws have thresholds below which they do not apply, based on, for example, the number of personal records you process or the turnover of your organization. But you still need to review the legislation to see whether you are compelled to comply or not.<\/p>\n<p>You may need to comply with other professional or industry-specific legislation such as the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.hhs.gov\/hipaa\/index.html\">Health Insurance Portability and Accountability Act<\/a> (HIPAA), the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.ftc.gov\/enforcement\/rules\/rulemaking-regulatory-reform-proceedings\/childrens-online-privacy-protection-rule\">Children\u2019s Online Privacy Protection Rule<\/a> (COPPA), or the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.ftc.gov\/tips-advice\/business-center\/privacy-and-security\/gramm-leach-bliley-act\">Gramm-Leach-Bliley Act<\/a> (GLBA).<\/p>\n<p>Want to process credit card payments? You need to satisfy the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.pcisecuritystandards.org\/\">Payment Card Industry Data Security Standard<\/a> (PCI DSS).<\/p>\n<p>Then there are optional standards that you may <em>choose<\/em> to adopt and follow, such as the international <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.iso.org\/isoiec-27001-information-security.html\">ISO\/IEC 27001<\/a> standard, the UK\u2019s <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/iasme.co.uk\/cyber-essentials\/about-cyber-essentials\/\">Cyber Essentials<\/a> scheme, or the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.nist.gov\/\">National Institute of Standards and Technology<\/a> (NIST) <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.nist.gov\/video\/cybersecurity-framework-0\">Cybersecurity Framework<\/a> in the U.S. 
You may be compelled to obtain one of these if your professional body requires it, or if a sufficiently large customer requires its suppliers to be certified against a recognized cybersecurity standard.<\/p>\n<p>Many organizations voluntarily adopt and run in accordance with standards like these in order to:<\/p>\n<ul>\n<li>Benefit from the structure and governance that the framework provides.<\/li>\n<li>Demonstrate that they take cybersecurity seriously and that clients\u2019 personal data will be properly safeguarded.<\/li>\n<li>Differentiate themselves, or simply keep up: if all your competitors hold a certification you\u2019ll need to follow suit.<\/li>\n<li>Tender for government, military, or other contracts that require bidding organizations to meet specific standards.<\/li>\n<\/ul>\n<p><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.telos.com\/reserved\/audit-fatigue-report\/\">According to research conducted<\/a> by cloud security company <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.telos.com\/\">Telos<\/a>, the average organization has 13 different security and data privacy-related standards or regulations to comply with. It costs USD 3.5 million each year and consumes 58 man-days per quarter.<\/p>\n<h2 id=\"the-hamster-wheel-of-maintenance\">The Hamster Wheel of Maintenance<\/h2>\n<p>Developing a set of policies and procedures is the first part of achieving compliance with legislation or certification against a standard. The second is training staff in the procedures and processes. The final step is operating in accordance with those policies and procedures and maintaining the system.<\/p>\n<p>The development and implementation eventually come to an end, as does the bulk of the staff awareness training. New starters will receive training as part of their induction, but the training for existing staff will eventually be completed. The maintenance of the system never ends, however.<\/p>\n<p>You must:<\/p>\n<ul>\n<li>Monitor noncompliances and act to fix the process or re-train staff so that the noncompliance cannot recur.<\/li>\n<li>Check that your employees are following the procedures and that a suitable audit trail is being maintained.<\/li>\n<li>Monitor the legislation and standards for changes and amendments, and update your policies and procedures accordingly.<\/li>\n<li>Be aware of new legislation as it is enacted, often in other jurisdictions, that might affect your lawful basis for gathering, processing, or transmitting personal data.<\/li>\n<\/ul>\n<p>With multiple standards or sets of legislation to comply with, that generates quite a workload. The cycle of internal audits and remedial action can be a full-time background task. And inevitably there\u2019s going to be a lot of overlap between the different frameworks and a lot of repetition in the type of activities needed to maintain what are effectively quality management systems for privacy and data protection.<\/p>\n<p>That can lead to audits being paid lip service, and conducted as an annoyance to be got through as quickly as possible instead of as thoroughly as they warrant. 
What can you do to avoid compliance audit burn-out?<\/p>\n<h2 id=\"establish-a-master-control-register\">Establish a Master Control Register<\/h2>\n<p>The different legislation and standards may require technology solutions for some issues, such as firewalls and endpoint protection, but the majority of their requirements are controls achieved through <em>governance<\/em>. These are the operational controls and safeguards that need to be enacted through policies and procedures to ensure every clause or section of the legislation is addressed.<\/p>\n<p>Create a list of all the controls from each of the frameworks that you have to maintain. Establish what each control is trying to achieve. They will have names that vary from framework to framework, but you can identify the duplicates by looking at what they are controlling. In each case, pick the most stringent version of that control and add it to a new list. Record against each entry which clause of which framework it satisfies: that crosswalk is what lets you show an external auditor the evidence for their particular framework without re-running the audit.<\/p>\n<p>That new list forms a baseline that you can audit against. If your internal audit passes against the controls in your master list, and the crosswalk is complete, an audit of each individual framework should also pass. The usual gap is a framework that demands a specific artefact (a named policy document, a particular record or report) that your stricter but differently worded control does not produce, so check each framework\u2019s evidence requirements as well as its control objectives. A catalog such as NIST\u2019s <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-53\/rev-5\/final\">Security and Privacy Controls for Information Systems and Organizations<\/a> (SP 800-53) can help in creating your master list in a formal, auditable fashion.<\/p>\n<p>Your audit frequency should be set by the framework that requires the most frequent audits. You\u2019ll be able to spend less time auditing overall, knowing that all frameworks are covered in a single audit.<\/p>\n<h2 id=\"resourcing-for-internal-audits\">Resourcing for Internal Audits<\/h2>\n<p>Internal audits don\u2019t just tie up those performing the audits and wading through the results. Department heads, team leaders, or their designated deputies become embroiled in finding and providing evidence to prove to the auditors that all mandatory procedures are being followed. A suitably empowered, dedicated audit team removes that burden from others.<\/p>\n<p>You don\u2019t want them to be viewed as the audit secret police. It\u2019ll be much more productive if they are seen as a collaborative unit that is there to remove the auditing pain points. If a piece of evidence cannot be located or is insufficient, the audit team needs to log the finding but also to help correct the issue. Over time you\u2019ll find that they are ideally positioned to become audit advocates and to champion security standards and compliance legislation within your organization.<\/p>\n<p>Many organizations are unable to justify a dedicated team, of course. Often the responsibility can be shared amongst a suitable selection of staff, as an adjunct to their main job role.<\/p>\n<p>Another option is to outsource your internal audits. That might sound like a contradiction in terms, but it can be a simple solution. You must locate auditors who are familiar with each of the frameworks you need to comply with, and who understand that they\u2019ll be performing internal audits against your master control list.<\/p>\n<p>Because they are an external entity they won\u2019t have the network access and other privileges that an internal team would have, so they are unlikely to be able to help correct issues or to assist with improving low-grade evidence. Whatever access you do grant them should be treated like any other third-party access: read-only, scoped to the evidence they need, and time-limited. Precisely because they are external, however, they may be taken more seriously by other staff.<\/p>\n<h2 id=\"a-necessary-evil\">A Necessary Evil<\/h2>\n<p>Auditing burn-out affects the auditors and the audited alike. Using a master control list to audit against allows you to audit to the most stringent requirements of all of your frameworks, and yet reduce the auditing overhead. It also ensures you are always ready for annual audits and spot-check inspections.<\/p><\/div>\n<p><a href=\"https:\/\/www.cloudsavvyit.com\/9703\/how-to-stop-being-overwhelmed-by-security-audits\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How To Stop Being Overwhelmed by Security Audits 
\u2013 CloudSavvy IT&#8221; Shutterstock\/EtiAmmos Getting certified against a standard or compliant with data protection legislation is always tough. Maintaining standards can feel like you\u2019re on a treadmill of internal audits. Here\u2019s how to avoid internal audit burn-out. The Web of Compliance Requirements If your organization gathers, processes,&#8230;<\/p>\n","protected":false},"author":1,"featured_media":195006,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/thumbcache\/0\/0\/96ce69072f68251dd7ad423f89ddcda0\/p\/uploads\/2021\/03\/ced4f36f.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-195005","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/195005","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=195005"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/195005\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/195006"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=195005"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=195005"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=195005"}],"curies":[{"name":"wp","hre
f":"https:\/\/api.w.org\/{rel}","templated":true}]}}