Audit Preparation: Four Top Mistakes to Avoid
As a Futurex Solutions Architect, I've traveled around the globe performing on-site assessments for organizations preparing for compliance audits. Environments and processes differ widely by industry, purpose, and implementation, but a handful of issues crop up at assessment after assessment, and each of them is likely to turn into an audit finding. My role is to identify those issues, teach the organization how to fix them, and help it avoid repeating them. For any business trying to maintain a compliant and secure environment, here are, in my opinion, the top four pitfalls that can keep you from passing an audit:
MISTAKE: Lack of Chain of Custody
When a secure cryptographic device (SCD) is in transit after purchase, businesses often have no controls in place to track the delivery and receipt of the unit. That tracking is vital: without it you cannot show that the SCD was not tampered with, or swapped for a different device, while it was in the shipper's hands.
SOLUTION: Know where your SCD is at all times by implementing the following measures to ensure custody of the unit throughout the shipping process:
- Use package tracking during shipping and proper record keeping at the organization facility
- On arrival or delivery, immediately check for signs of tampering
- Record the unit's serial number and confirm with the device manufacturer that it matches the serial number they have on file for your shipment, so you know the unit was not switched in transit
- Store the unit in a secure location with restricted access
MISTAKE: Lack of Detailed Procedures for Key Management
Standards such as PCI and TR-39 require businesses to follow documented procedures when handling encryption keys. Missing procedures are a compliance failure in their own right, and without them a key compromise is far more likely, which leads to much more serious compliance problems.
SOLUTION: Ensure your business has clearly defined procedures for handling encryption keys at every step, and then follow those procedures every time. To maintain compliance, the procedures must be signed by every individual who handles the keys and then submitted to the security team.
MISTAKE: Lack of Audit Trail
Businesses that do not track who accesses the unit and what actions are performed on it will miss both honest mistakes and deliberate harm. Auditors need clear logs for the device in order to assess whether the business is in compliance.
SOLUTION: Log every instance of access to the device and every action performed on it. Beyond simply logging everything, the business should be able to verify that the logs have not been tampered with. Futurex SCDs track device activity by default and protect the validity of the log with a message authentication code (MAC), so an altered or removed entry can be detected.
MISTAKE: Lack of Internal Audits
Businesses go two years between external TR-39 audits and one year between external PCI audits. That is a lot of time for things to go wrong, such as a key compromise or procedures being skipped. By the time the audit comes around, it can be very difficult to trace and correct a problem that arose months or years earlier.
SOLUTION: Perform internal audits on a regular schedule. Frequent internal reviews by your security team let you catch an issue quickly and respond in a timely manner, so you fix problems while they are small instead of letting them escalate, and so the trail back to the source is still fresh. During an internal audit, the security team should first confirm that the device log itself is intact, then check the log against the written procedures and flag anything that does not match, such as a key-management action that the procedure requires two people to perform but the log attributes to one.
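The following is an added example, written for this page rather than taken from Futurex or any vendor's product, of the two checks described above: verifying that a MAC-protected audit log is intact (the audit-trail point) and then reconciling that log against a written procedure during an internal review (the internal-audit point). It assumes a log format in which each entry carries a sequence number and the MAC of the previous entry, with HMAC-SHA256 under a log-authentication key; the key, the sample log lines, and the dual-control rule for key loads are all constructed for the example and are not a description of any real device's log format.

```python
"""Added example: a MAC-chained audit log, an integrity check, and a procedure check.

Assumptions (constructed for this example, not any vendor's format):
  - each entry carries seq, prev_mac and a MAC over its canonical JSON encoding;
  - the reviewer holds the log-authentication key (on a real SCD it stays inside
    the device and the device performs the verification);
  - the written procedure requires two distinct operators for every key load.
"""
import hashlib
import hmac
import json

# Hypothetical log-authentication key for the example only.
LOG_KEY = b"example-log-key-not-for-production"
GENESIS_MAC = "0" * 64  # chain anchor referenced by the very first entry


def canonical(fields: dict) -> bytes:
    """Stable byte encoding so the MAC does not depend on dict ordering."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list, event: dict) -> dict:
    """Append one event, chaining it to the previous entry's MAC."""
    prev_mac = log[-1]["mac"] if log else GENESIS_MAC
    body = {"seq": len(log), "prev_mac": prev_mac, **event}
    mac = hmac.new(LOG_KEY, canonical(body), hashlib.sha256).hexdigest()
    entry = {**body, "mac": mac}
    log.append(entry)
    return entry


def verify_chain(log: list) -> list:
    """Return a list of integrity problems; an empty list means the log is intact."""
    problems = []
    expected_prev = GENESIS_MAC
    for position, entry in enumerate(log):
        if entry["seq"] != position:  # a deleted or reordered entry
            problems.append(f"seq gap at position {position}: got seq {entry['seq']}")
        if entry["prev_mac"] != expected_prev:  # link to the previous entry broken
            problems.append(f"chain break at seq {entry['seq']}")
        body = {k: v for k, v in entry.items() if k != "mac"}
        want = hmac.new(LOG_KEY, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, entry["mac"]):  # contents altered
            problems.append(f"bad MAC at seq {entry['seq']}")
        expected_prev = entry["mac"]
    return problems


def check_dual_control(log: list) -> list:
    """Procedure check: return seq numbers of key loads done by fewer than two people."""
    return [
        e["seq"] for e in log
        if e["action"] == "key_load" and len(set(e.get("operators", []))) < 2
    ]


def build_sample_log() -> list:
    """Constructed sample activity; the third entry violates dual control."""
    log = []
    append_entry(log, {"action": "login", "operators": ["alice"]})
    append_entry(log, {"action": "key_load", "key_id": "ZMK-01", "operators": ["alice", "bob"]})
    append_entry(log, {"action": "key_load", "key_id": "ZMK-02", "operators": ["alice", "alice"]})
    append_entry(log, {"action": "logout", "operators": ["alice"]})
    return log


def tamper_modify(log: list) -> list:
    """Someone edits the violating entry to make it look like two people were present."""
    copy = json.loads(json.dumps(log))
    copy[2]["operators"] = ["alice", "bob"]
    return copy


def tamper_delete(log: list) -> list:
    """Someone removes the violating entry altogether."""
    copy = json.loads(json.dumps(log))
    del copy[2]
    return copy


if __name__ == "__main__":
    log = build_sample_log()
    print("intact log problems:   ", verify_chain(log))
    print("dual-control violations:", check_dual_control(log))
    print("edited entry problems: ", verify_chain(tamper_modify(log)))
    print("deleted entry problems:", verify_chain(tamper_delete(log)))
```

The order matters: an internal reviewer runs the integrity check first, because a procedure check over a log that someone has edited or trimmed proves nothing. Editing the violating entry invalidates its MAC, and deleting it leaves a sequence gap and a broken chain link, so both cover-ups surface before the procedure check is even run.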
Every audit is different. While these mistakes are fairly common, your business may have unique needs and concerns that require an expert eye to make sure you’re on the right track to pass your audit. Have questions? Let’s talk.