IT audit procedures run the gamut from internal to market-specific. Whether it's healthcare's HIPAA or the credit-card industry's PCI, you have to know the compliance audit's goals. These rarely include a fully functional missile defense system to protect against hackers, but it still leads into the first of 15 recommendations for successful audit compliance.
1. What's the Purpose of the IT Audit?
In most cases, audits take place to verify information and network security as well as the robustness of your hardware and software. The standard involved (if it's an official third-party audit) will dictate the detail or diligence needed to obtain compliance.
2. IT Audit Scope
This will again depend on the IT audit type, but most IT audits include security elements and process analysis. Even though the use of lethal booby traps to deter on-premises breaches may very well be effective, they're generally frowned upon and should not be documented. Industry-standard methods are your best bet.
Standards similar to those for servers apply to individual desktops and other connected devices. Does your receptionist really need a CAD program or SAP? Why are there multiple versions of office suites on the same machine? Suggest hiring an external specialist in string theory to iron out any confusion in software licensing agreements.
Where most companies store their data is also a viable hacking target. Make sure all your servers are consistent with the corresponding audit checklist. Depending on the standard, this could include proof of naming conventions for workstations, use of static IPs, patching frequency, backups, agents installed and more.
Evolving policy documents are common these days as many SMBs rightfully subscribe to some form of continuous improvement quality structure. Ensure all your policy documents are current.
6. Staff Training
In some situations, auditors will ask staff questions to demonstrate their awareness of the process, or to confirm they are aware of security best practices. Your best move is either to train MongoDB or to make sure it isn't present during the audit. Ideally, Mongo doesn't work in your system at all; if it does, auditors may ask why.
7. How Long Will It Take to Prepare?
Evaluate any prior IT audit and verify past problems have been fixed. Any ongoing areas of risk? Gather estimates to audit readiness from each affected department. With this information, you can assign resources and, if you really want to, schedule hours upon hours of pointless meetings.
8. Set Up An Internal IT Audit Team
This should involve a manager and a key staff member from each department. The manager will have the "big picture," but department employees will know each process inside out and be able to recommend effective changes.
9. Who Will Be Auditing?
This info may be useful, especially if your third-party auditor was difficult in the past or, well, possesses the communication skills of a Commodore 64. Be safe and (casually) request the academic qualifications and experience of the auditor in advance, along with notice of any changes to the audit team.
10. Network Equipment
All routers, switches, firewalls and hubs must have static IP addresses and be part of regular vulnerability scans. A hardware inventory list is also essential.
11. Backup and Restore
Please, please make sure backups restore correctly. Your company should also have a process in place to destroy obsolete data, the presence of which reflects poorly on support's organization and agility.
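The restore check above is the one auditors most often ask to see evidence for. The following is an added example (not tooling from the article) of a restore drill: it backs up a constructed directory tree to a tar archive, restores it somewhere else, and compares SHA-256 hashes of every file so that a silently truncated or altered file is reported rather than assumed good. All paths and sample files are constructed for the demonstration.

```python
"""Backup restore drill: archive a directory, restore it elsewhere, and prove
byte-for-byte equality with per-file SHA-256 hashes.
Added example with constructed sample data; not the article's own tooling."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def file_hashes(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 hex digest for every regular file under root."""
    hashes = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def backup(src: Path, archive: Path) -> None:
    """Write every regular file under src into a gzip-compressed tar archive."""
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(src.rglob("*")):
            if path.is_file():
                tar.add(path, arcname=path.relative_to(src).as_posix())


def restore(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, using the safer 'data' filter where the
    running Python provides it (3.12+, backported to late 3.8-3.11 releases)."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **kwargs)


def verify_restore(src: Path, restored: Path) -> dict:
    """Return {relative_path: reason} for each discrepancy between source and
    restore; an empty dict means the restore reproduced the source exactly."""
    expected, actual = file_hashes(src), file_hashes(restored)
    problems = {}
    for rel, digest in expected.items():
        if rel not in actual:
            problems[rel] = "missing after restore"
        elif actual[rel] != digest:
            problems[rel] = "content differs"
    for rel in actual.keys() - expected.keys():
        problems[rel] = "unexpected extra file"
    return problems


def run_drill(corrupt: bool = False) -> dict:
    """Run the whole drill on constructed data inside a temporary directory.
    With corrupt=True one restored file is deliberately altered after the
    restore to show that the hash comparison catches silent damage."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "data"                      # constructed source tree
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n2,bob\n")
        (src / "config.ini").write_text("[backup]\nretention_days=90\n")
        archive = tmp / "nightly.tar.gz"
        backup(src, archive)
        restored = tmp / "restore_test"
        restore(archive, restored)
        if corrupt:
            (restored / "db" / "customers.csv").write_text("id,name\n1,alice\n")
        return verify_restore(src, restored)


if __name__ == "__main__":
    print("clean drill  :", run_drill() or "OK, restore matches source")
    print("damaged drill:", run_drill(corrupt=True))
```

Keeping the report from `verify_restore` (with the archive name and date) gives you the restore evidence an auditor will ask for, and running the drill on a schedule rather than once is what turns "we have backups" into "our backups restore".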
12. Wireless and Remote Access Convenience vs. BYOD
The eternal question. BYOD is here to stay, so companies must ensure all Wi-Fi is encrypted — with a guest network for, you guessed it, guests.
13. Security Events
Are you capable of producing an event log of attempted hacks for the last six months? If successfully hacked, how was it fixed and what did you learn when updating the policy document?
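Producing that six-month view is easier if you have a script ready rather than grepping on audit day. The following is an added example (not from the article) that parses constructed sshd-style authentication log lines, keeps only events inside a configurable window before a reference date, counts failed password attempts per source address, and flags sources at or above a threshold. The log lines, hostnames and addresses are constructed for the demonstration; the thresholds are assumptions you would tune to your environment.

```python
"""Summarise failed logins from auth-log style lines over a time window.
Added example with constructed sample lines; not the article's own tooling."""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample lines in the style of an sshd auth log with ISO-8601
# timestamps (not real traffic; documentation address ranges only).
SAMPLE_LOG = """\
2024-01-15T02:11:09+00:00 srv01 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51544 ssh2
2024-03-02T23:58:41+00:00 srv01 sshd[3310]: Failed password for root from 203.0.113.7 port 40122 ssh2
2024-03-02T23:58:45+00:00 srv01 sshd[3311]: Failed password for root from 203.0.113.7 port 40123 ssh2
2024-03-03T00:00:02+00:00 srv01 sshd[3312]: Failed password for root from 203.0.113.7 port 40124 ssh2
2024-04-10T08:15:00+00:00 srv01 sshd[4020]: Accepted publickey for deploy from 198.51.100.20 port 60000 ssh2
2024-05-21T13:40:12+00:00 srv01 sshd[5100]: Failed password for alice from 198.51.100.20 port 60101 ssh2
2023-10-01T09:00:00+00:00 srv01 sshd[0099]: Failed password for root from 192.0.2.250 port 2222 ssh2
"""

# One regex splits the syslog-like envelope, a second recognises the failure message.
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def summarize_failed_logins(lines, now, window_days=183, threshold=3):
    """Count failed password attempts per source IP within window_days before
    `now` (a timezone-aware datetime). Lines that do not parse are skipped
    rather than crashing the report, and lines older than the window are
    ignored. Returns total count, per-source counts and flagged sources."""
    cutoff = now - timedelta(days=window_days)
    per_source = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        if ts < cutoff:
            continue
        failed = FAILED_RE.search(m.group("msg"))
        if not failed:
            continue
        per_source[failed.group("ip")] += 1
    return {
        "total_failed": sum(per_source.values()),
        "per_source": dict(per_source),
        "flagged": sorted(ip for ip, n in per_source.items() if n >= threshold),
    }


def report(now=datetime(2024, 6, 1, tzinfo=timezone.utc)) -> dict:
    """Run the summary over the constructed sample with a fixed reference date."""
    return summarize_failed_logins(SAMPLE_LOG.splitlines(), now)


if __name__ == "__main__":
    result = report()
    print(f"failed logins in window: {result['total_failed']}")
    for ip, count in sorted(result["per_source"].items()):
        print(f"  {ip:<16} {count}")
    print("sources at/above threshold:", ", ".join(result["flagged"]) or "none")
```

Feed it `open('/var/log/auth.log')` (or whatever your log forwarder exports) instead of `SAMPLE_LOG`, and pass the audit date as `now`; the per-source table is the kind of artefact that answers the "show me the last six months" question directly.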
Shouting at subordinates often helps in a company setting.
Audit day is not the day to kick it MythBusters-style and experiment with flammable liquids in the server room. Hide Mongo.
Finally, enjoy the appraisal and quietly ponder if the benefits are outweighed by the inconvenience of IT audits. "Happy" compliance!