
Posts Tagged ‘information security standards’

Due Diligence control through security audit

February 20th, 2008

Good information security includes knowing who has access to your system and being able to log that access. You also need to have in place a system to make sure that your security procedures are actually followed. The ability to audit and evaluate information security compliance is essential – you can’t manage what you don’t measure!

o You should audit important aspects of your security, for example, who has access to your systems and who has used what information.

o You should have a record for each one of your security procedures. For example, if your procedure says that you test your back-up generator once a week, someone should sign a record to show that this has been done. Keeping good records is essential to audit control.

o Some audit controls may be necessary for legal or regulatory purposes. Good record keeping will clearly demonstrate that you are complying with your obligations.

o An audit should ensure that the procedures you have in place are effective and relevant. It is a trigger to re-assess and re-evaluate the effectiveness of your information security standards and procedures.

o Audits are only effective if you follow through on their findings and identify and implement the steps that need to be taken. A good audit trail is not just a paper exercise. If something goes wrong, the trail should let you see what happened and why. This will help you to keep improving the security of your business.
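The first two points above, knowing who has access and who has used what, are the part of an audit that can be measured mechanically. The example below is added here and is not code from the original post: it reconciles a roster of who is entitled to use each system against observed access events, flagging accesses by users not on the roster (the "who has used what" question) and roster entries that show no use during the review window (stale access that an access review should remove). The roster, the log lines and their syslog-like layout are all constructed for the example and are assumptions, not a real system's format.

```python
"""Access audit: reconcile an entitlement roster with observed access events.

Added example (not from the original post). Roster, log format and log lines
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed roster: system -> users entitled to access it.
ROSTER = {
    "payroll-db": {"alice", "bob"},
    "backup-server": {"carol"},
}

# Constructed access-log lines in an assumed "timestamp system ACTION k=v ..." layout.
LOG_LINES = """\
2008-02-01T09:12:03 payroll-db LOGIN user=alice src=10.0.0.5
2008-02-01T09:40:17 payroll-db READ user=alice object=salary_table
2008-02-02T22:05:41 payroll-db READ user=dave object=salary_table
2008-02-03T08:00:00 backup-server LOGIN user=carol src=10.0.0.9
2008-02-05T11:30:12 payroll-db LOGIN user=alice src=10.0.0.5
""".splitlines()


def parse_event(line):
    """Parse one constructed log line into a dict of its fields."""
    ts, system, action, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "system": system, "action": action, **kv}


def audit_access(roster, lines):
    """Return audit findings for the given roster and log lines.

    unauthorised: events by users not entitled to the system they touched.
    stale:        (system, user) roster entries with no activity in the log.
    usage:        user -> set of "system:object" records read (who used what).
    """
    events = [parse_event(line) for line in lines]
    findings = {"unauthorised": [], "stale": []}
    seen = defaultdict(set)    # system -> users observed using it
    usage = defaultdict(set)   # user -> information objects they read

    for e in events:
        seen[e["system"]].add(e["user"])
        if e["action"] == "READ" and "object" in e:
            usage[e["user"]].add(f'{e["system"]}:{e["object"]}')
        if e["user"] not in roster.get(e["system"], set()):
            findings["unauthorised"].append(
                (e["ts"].isoformat(), e["system"], e["user"], e["action"], e.get("object"))
            )

    # Entitlements that were never exercised are candidates for removal.
    for system, users in roster.items():
        for user in sorted(users):
            if user not in seen[system]:
                findings["stale"].append((system, user))

    findings["usage"] = dict(usage)
    return findings


if __name__ == "__main__":
    result = audit_access(ROSTER, LOG_LINES)
    for item in result["unauthorised"]:
        print("UNAUTHORISED ACCESS:", item)
    for item in result["stale"]:
        print("UNUSED ENTITLEMENT:", item)
    for user, objects in sorted(result["usage"].items()):
        print(f"{user} read: {sorted(objects)}")
```

On the constructed input this reports dave's read of the salary table as unauthorised (he is not on the payroll-db roster) and bob's payroll-db entitlement as unused; both are findings an audit must follow through on, one as an incident to investigate, the other as access to revoke.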
