When needing to show you meet a given standard, such as PCI-DSS, SOX, HIPPA, FISMA, HIPAA, BASEl II, COBIT or any other that your organisation cares about, even your own internal standards, you need to conduct a Compliance Audit. Most often an audit consists of demonstrating compliance to a combination of internal and external standards.
A Compliance Audit is conducted to ensure a network and all of the assets deployed on it (servers, firewalls, switches, etc.) are in an agreed ‘good’ state of configuration. Good being defined by whatever standard you need to comply with.
Performing a Compliance Audit
Compliance auditing is usually conducted against a live system, by an auditor with full access to the network so they can acquire correct results. The audit is performed mainly with the use of automated tools, however some manual assessment of compliance is always required, to ensure complete and efficient auditing.
A comprehensive Audit Report will be provided that shows whether compliance has been achieved. If not, then guidance is given on what needs to be corrected and a follow-up audit performed.
When the audit shows compliance is achieved, the auditor will provide a clear notification and detail the supporting evidence. This can then be used by you to inform the external party who require you to demonstrate compliance.
Liked this post?