This article is co-authored by Natasha Barnes.
Vulnerable to IT risks? Often companies wait until an attack or incident happens to make important changes to their IT environment. After months in the field during audit season, Aronson has compiled tips to help companies proactively manage IT risks.
Develop risk management policies and procedures. A risk management policy sets the organization's approach to risk and identifies the roles responsible for carrying out risk management activities. The policy is typically supported by procedures for setting a risk appetite, identifying areas of risk, and mitigating or otherwise managing the risks identified. These procedures are vital to ensuring that the relevant risk identification methods are actually in use, so that threats are evaluated comprehensively rather than ad hoc.
Conduct periodic risk assessments. These can include enterprise risk assessments with IT components, vulnerability scans, penetration tests, compliance assessments, and related evaluations. Each organization should determine the combination of assessment methods and frequencies that fits its environment. Failing to identify and manage risks adequately can impair the ability of the IT environment to meet business needs. Results from continuous security monitoring activities can also be factored into these assessments.
Develop a third-party management program. Hiring third-party vendors for IT products and services has become a standard way of doing business. However, it also introduces additional risk, including the potential for unacceptable business disruption or a negative impact on business performance. During the vetting of third parties, reliance and trust can be supported with System and Organization Controls (SOC) audit reports. SOC audits evaluate a service provider's services in accordance with American Institute of Certified Public Accountants (AICPA) standards.
SOC reports should be obtained where available and reviewed to determine whether the third party has an acceptable control environment, and whether any controls need to be implemented in the organization's own environment (the complementary user entity controls that the report lists as the customer's responsibility). Because these reports are voluntary, organizations should also establish other ways of monitoring and providing oversight, such as periodic calls, questionnaires, or site visits, to determine control effectiveness. The point is to verify that a provider can be trusted with critical business operations and data, both initially and on an ongoing basis.
Tip: Interested in learning more about SOC reports and how they can be valuable to your organization? Check out our SOC Compliance Guide.
Tip: Determine the minimum security requirements that third parties must meet to support your business activities. Incorporate validation of these requirements into ongoing third-party oversight and service performance evaluation.
See also Part III: Access, Passwords, Configuration, and Change Management
For more information and questions, please contact Payal Vadhani at firstname.lastname@example.org.