Security audits within our organization are treated as a team building exercise. Building on one of our core principles, the team atmosphere from the Rockefeller Habits, any occasion that involves more than five individuals is seen as a team building opportunity. When security audits are conducted, all department heads, IT department employees, and other essential personnel are brought in to contribute to the conversation. The audit consists of four clear steps.
The first step is to identify existing threats or concerns, whether they are newly emerging threats or ones identified through information security education. Second, concerns surrounding new problems are discussed. This step offers an avenue for discovery: each department has unique circumstances and may have unique information assets with unique threats that the IT staff has to take into account.
As a third step, the IT staff discusses the current policies, both for security and for privacy, along with any updates or changes. In this step, our organization stays current with competitors, evaluating their processes and determining gaps in the way we do business. Also, our on-staff legal counsel informs the members of the audit of the latest changes, if any, to Bar requirements that impact our clients.
In the last step, a plan is established for implementing and handling all the changes and items the audit discovered. This is where accountability comes in: each department is given amendments and new information policies and told when they should be completed. On a side note, the organization retains a third-party consulting agency that comes in and audits this process along with the systems in place. Essentially, it is an audit of the audit process.