Anyone who has been faced with an audit, either internal or external, can attest to the resource demands that are placed on the IT organization. This can be especially challenging when an organization is present in different geographical locations. The effectiveness of the controls and reporting tools within the IT security departments are critical both to achieving a successful audit, and limiting the amount of resource that is required to deliver the necessary information. Ultimately, you are answering the questions, do you have the important controls in place, have you implemented effective change management and if your access controls are effective – and of course can you prove it.

A major challenge facing organizations today is that regulations do not make allowances for unintentional errors, and human error is one of the biggest risks faced by companies, especially as pressure to reduce costs means that more and more tasks are being carried out by less staff. Today almost all risk results from internal threats and because many organizations focus their investment in protecting against the external threat, they are often not adequately prepared to protect the internal risks. Today any organization that has an IT infrastructure relies heavily on databases, and database security practices, including everyone and every process that accesses the database, will always be scrutinized very closely by auditors.


What should you do?

Whether or not you are compelled to apply policies to comply with the various standards, you should familiarize yourself with what is required. My recommendation would be to start by taking the time to study the ISO 27001 standard to gain an overall view of what is required to have an effective information security policy and in conjunction look at the requirements of the Payment Card Industry (PCI) standard. Although the PCI standard is intended for organisations that deal with credit card transactions it offers a very practical guide to what should be done on a practical level in many areas, and will ensure that you have taken adequate precautions to protect yourself and your business.