The Bedel Security Blog

Acing Your Next IT Audit

Written by Brian Petzold | Nov 2, 2018


As institutions grow, examiners expect that their cybersecurity maturity will also grow. Unfortunately, many institutions learn this the hard way when they receive high-risk findings during an IT exam. The security practices that were acceptable before are suddenly not enough.

The key to acing an IT exam is for the institution to demonstrate that they are proactively pushing their cybersecurity program to the next maturity level. Each institution should have a strategic roadmap that ensures that this level keeps up with business growth. This week, we look at some of the things you can focus on to make sure you look good during your next exam.

  1. Complete or update your CAT: The Cybersecurity Assessment Toolkit (CAT) is designed to match the current state of the institution with the controls that are expected at that state. Every institution should start by trying to achieve the “Baseline” maturity level and to then move on to “Evolving” and higher maturity levels. Demonstrating to examiners that the institution is continuing this progression shows them that management is focused on improving.

  2. Improve your Information Security Program: While a simple set of procedures may work for a smaller institution, a larger institution should have an Information Security Program that starts with clear policies. The policies should logically follow through to procedures and standards that clearly support the policies. Not demonstrating this cohesiveness may lead examiners to believe that IT and Senior Management are not on the same page.

  3. Focus on Vulnerabilities: Larger institutions will be expected to have a better handle on their vulnerabilities. While quarterly vulnerability scans and simple reporting may be acceptable for a small institution, a medium-sized institution may need to increase this frequency to monthly and better explain any exceptions. By the time an institution becomes large, the frequency will likely become weekly or even daily, and Senior Management will be expected to have visibility into any vulnerabilities that represent significant risk. As scanning frequency increases, staffing levels need to take into account the additional burden that comes with interpreting, prioritizing, remediating, and reporting the vulnerabilities. Examiners will often come down hard on institutions that grow without showing increased vulnerability management maturity.

  4. Know Where Your Data Is: The larger the institution, the better documented the network should be. This includes network diagrams as well as knowing where data is located and how it moves during critical processes. It also includes better controls to ensure sensitive data does not leave the institution unknowingly. With the ever-increasing number of data breaches occurring, examiners will expect institutions to step up their data loss prevention programs.

IT exams can be stressful to go through, but they don't have to be. When we work with an institution, we immediately work towards a cybersecurity maturity level that will satisfy examiners. If this resonates with you, but you aren't sure what help you need or how to get started, simply email us at support@bedelsecurity.com. We're here to help.