Small businesses, whether public companies gearing up for Sarbanes-Oxley (SOX) compliance or privately held companies responding to customers’ demands for secure storage of personal data, are hiring internal Information Technology (IT) auditors in record numbers, according to networkworld.com. At the same time, internal and external auditors and security-focused IT staff are working together more closely to meet their respective goals.
Alex Bakman, CEO of Ecora Software Corp. in Portsmouth, N.H., suggests five steps that IT personnel should follow when preparing for a SOX audit, according to SearchWinIT.com:
- Select a set of controls – and test repeatedly.
- Develop a sound password policy. This covers how long a password may remain in use before it must be changed (password aging) and related duration rules.
- Review permissions.
- Validate access control lists.
- Plug database holes.
Some IT security professionals have complained that audit compliance complicates their jobs, SearchSecurity.com reports, and security teams and audit teams often have an adversarial relationship. Trent Henry, senior analyst at Burton Group, Midvale, Utah, told attendees at the Burton Group’s Catalyst Conference earlier this month that security professionals need to spend time with internal and external auditors and get to know their needs.
An auditor may ask if passwords are eight characters long, for example, Henry said, which sounds simplistic if the company uses strong authentication. But IT security teams may be using audit compliance as an excuse to justify pet projects like encryption, he said, SearchSecurity.com reports.
Auditors will be looking at fundamentals such as segregation of duties, change control, access and records retention, Henry said, but they will also want to know whether the security policy is kept up to date.
At the same time, auditors need to meet IT professionals halfway on the subject of security. “It’s not just about their methodology,” Henry said, according to SearchSecurity.com.
Small companies called upon to meet the Payment Card Industry (PCI) Data Security Standard may also need help from IT auditors. To obtain a compliance certificate, companies processing fewer than 6,000,000 transactions a year may perform a self-assessment annually, and “can employ the services of an internal auditor or information security team,” Jason Chan, security manager with Symantec Advisory Services, told ITAudit.com. The merchant submits the completed self-assessment to its acquiring bank (the financial institution that enables it to accept payment cards), which certifies the merchant as PCI compliant.