A strong IT partner takes pride in driving infrastructure change and development. However, anyone who has worked on the compliance side of the house knows that changes to the IT set-up can make for pretty tricky security audits, and making sure upgrades or migration to a new system don’t result in sacrificing security can lead to headaches..
The good news is you don’t need to choose between upgrades and security. You just need to be smart about how you manage and document those upgrades, so you can sail through the audits when they come around (and they will).
Compliance auditors tend to come with lots of questions and they’ll want more than a good memory when it comes to explaining who changed what, when and why – making paper trails very important.
In fact, we reckon the best way to stay on top of audits is to think like an auditor, so our top tip is to ask yourself the questions they’re most likely to ask you and create a compliance file around them.
Here are seven questions that will get you off to a great start.
- Do you have a single point of contact for project compliance?
Some people are better than others at collating paperwork, maintaining logs and organising approvals, so it makes sense to put compliance documentation in a capable pair of hands from the outset. If you don’t have somebody in-house who can manage this, it might be worth looking into outsourcing your IT support.
With a central point of contact, you’ll be more organised and methodical, reducing the risk of any part of the compliance process falling through the cracks.
- Who’s making IT changes?
Documentation that keeps track of everyone who’s involved in any IT change is key, because they’ll have access to your systems and anything they hold, such as information that’s regulated by data protection, confidential or highly sensitive.
If you decide to outsource your IT support for major projects instead of staying in-house, your IT consultant might also have temporary rights to alter security access for other people in the organisation and that’s something auditors will want to see you have a tight rein on.
You’ll need to know exactly who has had administrative access at any given time, and for how long.
- How is system access being used?
It’s not enough to know who has access, you need to know why they have it and what they’re doing with it.
Auditors will want to see sound reasoning behind any access approval and that appropriate timeframes have been built in, so the window of opportunity to make changes closes when they complete the task they’re working on.
- What changed?
Detailed records of any changes made and why they were required might be the most important of all.
Auditors will look for an in-depth account of what changed and how the system looked before and after any change, so they understand the transition, and can pinpoint where a technological change may have led to vulnerability to malware or other inbox threats.
This is particularly important if the change is customer-facing, as it could have a knock-on effect to related legal warnings or compliance wording.
- Were changes tested?
Testing is the only sure-fire way to know whether the change will impact any other system or business function, so it makes sense that it’s part of any change process.
It’s not only a good way of assessing the work of your IT support team, it’s also of interest to compliance auditors too, so make sure you add it to your log and document who managed the test, when it was performed and what the outcome was.
Any issues flagged as a result or retests scheduled should be logged too, so you can show the full end-to-end process that led to approval and go-live.
- When were changes made?
The order in which things happen is important too, so a record that tracks tasks and actions, in chronological order, will prove invaluable when a review comes around and you’re asked to walk through the steps, as they happened.
- Who approved the changes?
Any IT change should be approved by the IT manager of the business before it goes live. Regardless of how big or small the change is, auditors will want to see that a formal approval process has been followed and sign-off documents with dates and signatures exist.
IT audits have been likened to root canal treatments, but any good IT support should come with a process that keeps the auditor’s needs front of mind, making them much less painful, improving your chances of passing first time and enhancing your security.
Find out how we can help your business or agency meet the demands of evolving IT and realise your business goals by downloading our eBook on the Role of IT in Your Growing Agency.
