HIPAA is a US regulation that deals with medical records and their security. The scope and content of each HIPAA audit requirement can be applied to almost all of the other mandated requirements, from GDPR to the California privacy laws. We have modified that program to create a framework for an overall compliance audit program. Listed below are the scope elements of an enterprise compliance, security, data, and systems audit process.
Annual Audit Scope
Active Directory Terms vs. Systems Terms - Conduct an annual audit comparing terminations in Active Directory against terminations in all other systems.
Verify Accounts with Administrative Privileges Audits - Core Systems - Run audits listing all users who have administrative privileges on core systems. Administrative privileges will be validated against the enterprise's role-based access matrix.
Semi-Annual Audit Scope
Disaster Recovery Plan Test / Audit - Local (the enterprise's data center) - Conduct a tabletop test of the enterprise's local disaster recovery/business continuity plan and update it as required through change management.
Quarterly Audit Scope
Change of Status Workforce Audits - Create reports of workforce members to confirm the user’s access based on job code. Make changes when necessary based on the feedback from the workforce, and coordinate any access termination with the covered entity facilities department.
Cybersecurity Tactical Simulations - Conduct cybersecurity tactical simulations (tabletop) to cover the latest known cyber threats against the enterprise's policies and plans and make updates accordingly.
Day of Week / Time of Day Audit - Create a detailed report of randomly selected user access to core systems based on each user's normal work hours. For example, if a user normally works on the weekend, the audit should check whether the user id and password were used during the week, and vice versa. If a user normally works during the day, the audit should check whether the user id and password were used during the night, and vice versa. Exceptions could indicate that a user id is being shared or used in an unauthorized manner.
Departmental Downtime Procedures - Mock Test Audits - Conduct periodic mock tests of departmental downtime procedures. The enterprise should randomly pick departments to meet with, review their downtime procedures in a tabletop test, and document the meetings and audit findings.
Disabled AD Accounts Deletion Audits - Conduct audits of all disabled Active Directory accounts and delete all accounts that have been disabled for over 30 days.
Random Audits - Randomly pick a procedural requirement from a mandated requirement or policy and audit operational compliance against it.
Intrusion Vulnerability Audit - Create a quarterly report of the exceptions found when comparing the security patches currently installed on each server OS against the required patch list. The report should be reviewed by operational staff, and mitigation action items will be assigned accordingly.
PCI Data in Transit Audit - Conduct an audit of the enterprise's PCI data in transit to confirm that it is encrypted and conforms with all of the enterprise's standards.
Random Facility Walk Through Audits - Randomly audit work areas throughout the organization. The intent of the audit is to protect the enterprise’s information and improve staff awareness. Immediate feedback of exceptions should be provided to staff on-site, documented, and reported to the Compliance / Privacy Officer. The Compliance / Privacy Officer can take part in any random audits upon request. Audits can be conducted during or after normal business hours.
Terminated Workforce Audits - Create reports of workforce members to confirm that users are still active. Make deletions when necessary based on the feedback from the workforce, and coordinate any facility access termination with the covered entity facilities department.
Verify Accounts with Administrative Privileges Audits - Active Directory - Run audits listing all users who have administrative privileges in Active Directory. Administrative privileges will be validated against the enterprise's role-based access matrix.
Virus Detection Alerts - Conduct a random review of the email alerts along with a random check of PC workstations and remote access devices to confirm the integrity of the virus protection software.
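The Day of Week / Time of Day Audit above, as an added Python example (not from the original post): a hypothetical per-user baseline of normal work days and hours is compared against constructed core-system logon records, and every logon on an off-day, outside normal hours, or by an account with no baseline on file is reported as an exception for follow-up.

```python
from datetime import datetime

# Constructed baseline of each user's normal work pattern (hypothetical users).
# days: Python weekday numbers (0 = Monday ... 6 = Sunday); hours: half-open
# [start, end) window in 24-hour local time, which may wrap past midnight.
BASELINE = {
    "jdoe":   {"days": {0, 1, 2, 3, 4}, "hours": (7, 19)},   # weekday, daytime
    "nshift": {"days": {0, 1, 2, 3, 4}, "hours": (22, 6)},   # weekday, overnight
    "wkend":  {"days": {5, 6},          "hours": (7, 19)},   # weekend, daytime
}

# Constructed sample of core-system logon records: "timestamp,user,system".
SAMPLE_LOG = """\
2024-03-12T09:15:00,jdoe,EHR
2024-03-16T10:02:00,jdoe,EHR
2024-03-12T23:40:00,jdoe,Billing
2024-03-13T01:10:00,nshift,EHR
2024-03-13T14:05:00,nshift,EHR
2024-03-13T09:00:00,svc-old,EHR
2024-03-16T11:30:00,wkend,Billing
2024-03-14T11:30:00,wkend,Billing
"""

def in_hours(hour, window):
    start, end = window
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end   # overnight window wraps past midnight

def audit_logons(log_text, baseline):
    """Return (user, ts, system, reason) for logons outside the user's normal pattern."""
    exceptions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, system = line.split(",")
        when = datetime.fromisoformat(ts)
        profile = baseline.get(user)
        if profile is None:
            exceptions.append((user, ts, system, "no baseline on file"))
            continue
        reasons = []
        if when.weekday() not in profile["days"]:
            reasons.append("off-day")        # e.g. weekend worker seen on a weekday
        if not in_hours(when.hour, profile["hours"]):
            reasons.append("off-hours")      # e.g. day worker seen at night
        if reasons:
            exceptions.append((user, ts, system, "+".join(reasons)))
    return exceptions
```

Running `audit_logons(SAMPLE_LOG, BASELINE)` on the constructed records yields five exceptions; in practice the baseline would come from the role-based access matrix or HR job codes and the records from the core systems' authentication logs.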
Monthly Audit Scope
Audit physical access logs to the enterprise's secure locations - including the enterprise's data center and network closets.