Information Security Audits: Precautions and Considerations
Saturday, August 1, 2015

Organizations use various forms of information security audits to identify and remediate security vulnerabilities, either before a cyber-attack occurs or as part of the recovery from one. Penetration testing (also called ethical hacking) is an important element of such audits. Below are important precautions and considerations for your organization before it begins a security audit:

  • Consider having the consultant engaged by legal counsel, to maximize your ability to protect the audit and its results under the attorney-client privilege and the attorney work product doctrine. Ask to review the report in draft form so that any changes can be made before it is finalized.

  • Treat the audit agreement as you would any other professional services engagement. Ensure the work is clearly described in a well-drafted statement of work, that all costs and fees are identified, and that appropriate cost controls are in place. Beware of “scope creep” as the project progresses: new services added along the way may significantly increase the overall cost.

  • Think carefully before permitting unannounced penetration tests. At a minimum, coordinate the testing window and an emergency point of contact so that the operation of critical systems is not disrupted during key operating hours or during month-end processing.

  • Don’t permit the audit agreement to create more risk than it is intended to resolve. This means ensuring the auditor assumes an appropriate level of responsibility for confidentiality and information security. All too often, audit agreements include little or no language regarding the vendor’s information security obligations and only trivial language regarding confidentiality. The vendor will have access to very sensitive business data and to the exact details of how the business secures its systems, and that information must be protected. The agreement should therefore impose strong security and confidentiality obligations, backed by a level of liability that ensures the vendor will comply with them. Beware of vendors that are unwilling to provide reasonable protection for this highly sensitive information.

  • Review very carefully any language in the agreement that permits the vendor to remove data from the customer’s systems for offsite review. If such activity is permitted, the agreement should make clear that the data cannot be made available outside the country (unless specific controls are employed), and that the vendor cannot remove personally identifiable data that may be subject to specific laws or regulations without first committing to be bound by those laws and regulations (it is far better, however, given its sensitivity, to prohibit the vendor from removing such data in the first place). Be wary of vendors that request possession of credit cardholder information, unless there is an express need for possession and the vendor is fully compliant with the Payment Card Industry Data Security Standard (PCI DSS).
