


How to plan security audits in compliance with industry standards and legal requirements?

There are no companies out there that attach no value to the data they possess and process. Every enterprise processes at least the personal data of its employees, but the most valuable data is always confidential information about the business operations. Protection of production processes, secret recipes, and data from customers (concerning e.g. payment cards) or disclosed in order to carry out contracts should be at the top of the priority list for every company that cares about a good brand image and customer trust. The best way to see how secure such data actually are is to plan and conduct a series of audits.

Security audit – required or recommended?

All generally known standards of information and data security (e.g. ISO 27001), including industry standards (such as PCI DSS), prescribe regular audits to achieve and maintain compliance. Recently, requirements for regular tests of information security have also been imposed by Community legislation such as the GDPR (General Data Protection Regulation) or the NIS Directive (Network and Information Systems), which has been transposed into the Polish legal system under the label of the Polish Cybersecurity Act.

The GDPR requires regular personal data security audits, but the frequency and scope of such audits are left to the data controller. However, it should be assumed that in planning the audits the data controller should follow good data protection practices, meaning an internal audit at least every year, with the results validated at least every two years by a third-party audit. Interestingly, the GDPR also prescribes regular tests of the effectiveness of the technical and organisational measures taken to ensure data processing security. Some other standards did not require this before, and it may require the scope of a standard security audit to be extended.

The Polish Cybersecurity Act applies to certain entities only, namely providers of services crucial to the functioning of the state, but it directly imposes mandatory audits within 12 months after an enterprise is officially and conclusively recognised as a key service provider. In that period the enterprise should carry out internal audits, complete the actions prescribed by those audits, and send the report on external audits carried out in accordance with the statutory requirements to the competent authority. Moreover, every key service provider has to conduct IT security audits at least once every two years.

GAP Analysis – stage one

Regardless of whether you want to conduct an audit to confirm compliance with a certain data security standard or with legislation, the first step will always be to assess the facts and circumstances, that is, to carry out a GAP Analysis. Such an analysis reveals all gaps and deviations from the requirements so that measures and methods can be identified and prepared to get your business ready in due time for the proper audit confirming compliance with a statute or standard. A thorough GAP Analysis, and the right conclusions drawn from its findings, will make further audits much easier and will help your enterprise meet other data security standards in the future.

Types of audits and tests

Depending on your line of business, and especially the type and method of processing your data and information, there is a whole array of security audits and tests to choose from. Whenever you plan audit activities, you should consider all of them.

Data processing audits

This audit assesses legal aspects (e.g. consent clauses or personal data processing agreements) and technical procedures (e.g. back-up creation and storage) involving data processing, and checks if and how your company security policy is followed.

Physical security audit

The audit checks the physical security of your company’s premises, buildings and limited access zones, particularly the special protection zones such as server rooms and archives. Such an audit should also cover monitoring and alarm systems.

IT infrastructure security audit

The tests are conducted from outside as well as inside your company’s IT infrastructure to expose areas vulnerable to hacking or malware attacks and to detect any configuration errors or missing updates of IT systems and network devices.

Application security audit

The tests are conducted on designated applications used for data exchange or processing and aim at identifying programming or configuration errors that allow e.g. unauthorised access to data, privilege escalation by users, or storage of valuable information in the clear. Such tests are worthwhile not only for applications used by your employees on their workstations but also for your company’s website or mobile apps.

Network security audit

The tests check the external network traffic (e.g. online applications) or internal traffic (e.g. internal network segmentation within your company) in order to detect sensitive data exchanged without encryption and thus exposed to capture by e.g. viruses or other malware.

Penetration tests

These are more thorough application and IT infrastructure tests that help to assess the risks for data stored in your systems as accurately as possible by simulating a real-life attack aimed at obtaining as much access to data and IT systems as possible.

Social-engineering tests

These tests are gaining popularity following the growing worldwide volume of reports of successful phishing attacks, that is, extracting information or spreading malware via fake e-mails with dangerous attachments or links to fake applications. They may take the form of remote interaction (e.g. specially crafted e-mails) or be more direct (e.g. attempts to trespass on the company premises and gain physical access to data). Such tests perfectly complement education on the importance of data security.

Audit plan

Due to the diversity of available security tests and audits, you are better off prioritising them according to the assumed risk level and scheduling them properly. Depending on your company’s needs and size, the plan may cover even several years and involve various data security areas. If a single audit cannot cover all aspects (e.g. due to the number of locations where data are processed), you need to select audit samples and pick other samples in future audits of the same kind. Please remember that internal audit results should be validated by third-party audits, and you should plan your resources so that you are able to conduct the regular audits required by standards, laws and regulations. By planning a broad range of tests, even if they are diversified and spread over time, your company will demonstrate due care for data and thus ensure compliance with the standards and legislation.

Contact


Adam Wódz

+48 22 2440000


Rödl & Partner Poland
