Experts share tips on how to avoid the most common pitfalls in an audit
Nobody passes a security audit on the first try.
You might have your access control process fixed, but you probably haven't adequately trained your administrators on how to manage it. You might have your configuration and change control systems in place, but you probably haven't sufficiently documented the process for using them. If you've adopted strict security policies, your users likely have found a way of avoiding or bypassing them altogether.
Make no mistake -- auditors will find fault with your systems, your processes, and the people who operate them. They're auditors. It's their job.
If you only knew the most common reasons for audit failure in advance, so that you could double-check your environment and fix those potential deal-busters before the auditor comes in. If you only had some tips from experts who have "been there" on how to shore up your environment to beat an audit.
Hey, wait a minute, that's what's in this article!
The following are eight tips offered by auditors, consultants, and others who have been through the IT security audit mill on what to look for in a compliance audit and how to beat those problems before an auditor fails you on them. It's not a comprehensive "cheat sheet," but it might give you some ideas on why companies fail their audits, and what you can do to avoid the same pitfalls.
If you have any ideas or tips that we've overlooked here, please post them to the message board attached to this article. We'd love to hear about your experiences with compliance audits -- and what you'd do differently if you had them to do all over again.