We’ll be straight with you. It’s not hard to find a dozen other IT companies, aka Managed Service Providers (MSPs), that will manage your hardware, network and email. That’s the core of what an MSP does for a client. What makes Unicom unique is our experience of over 30 years in the financial sector. It has given us the expertise to stay on the cutting edge of cybersecurity (banks not only care about security more than other businesses, they are highly regulated to do so). It has also given us the expertise to prepare our clients for regular IT audits by government auditors.
It would be great if we could clearly provide you with a step-by-step checklist to make you look great in any IT audit or examination you might face. However, it’s not that simple. Here’s a not-so-brief background lesson:
Background of Industry Regulations
In reality, all regulated industries (and as far as cybersecurity is concerned, this is becoming true of all businesses) share very similar rules. Whether the business is a bank, a hospital, a manufacturer, a government contractor or a technology company, government regulations across industries are almost identical in the technology space. Regulators don’t want to reinvent the wheel, so they take the regulations written for one industry and carbon copy them for their own. And these regulations and governance requirements are written the same for a company with $20 billion in revenue as for one with $2 million in revenue.
As with everything involving the government, it’s quite ambiguous. The laws are written regardless of organization size, so all organizations are technically bound to do everything they say. But if they did, they would need a team of IT people to get it all done. Can you picture Bank of My Neighborhood in Nowhere, NM with more IT employees than bank employees? Bank of My Neighborhood is nothing like Bank of America, and has a tiny fraction of the resources to comply. There is no way Bank of My Neighborhood can afford to do that.
A prime example of a grey rule – logging for security analytics. All banks are required to retain logs and to have them stored for forensic analysis. And that is basically how general the regulation is. The rest is up to interpretation. So Bank of My Neighborhood may only be told it needs to turn logging on. A slightly bigger bank will be told it needs to make sure those logs are kept for 90 days on the devices themselves. An even bigger or more complex one may be made to centralize all those logs. At the next break, they need to have someone reviewing them quarterly, then monthly. Even bigger: store the centralized logs for a year. Next step, make sure they are backed up. Next step, make sure they are stored offsite. Next tier, a SIEM (Security Information and Event Management) must be in place to correlate events in real time and examine them for anomalies. Much bigger banks are required to have MDR (Managed Detection & Response)/TDR (Threat Detection & Response) analysis, and the final step for the really big banks is to have their own SOC (Security Operations Center) with certified analysts watching everything that goes on.
All that from one ambiguous regulation. Multiply that approach across all regulations, and you can see that the issue isn’t complying. It’s knowing what to comply with, and when.
Thankfully, the auditors and examiners understand this. So while the regulations are the same, the ENFORCEMENT of the regulations differs between industries and sizes of organization. Examiners understand that Bank of My Neighborhood cannot afford to comply 100%. Does a guide exist to tell you which regulations you need to follow, based on your industry and size? Unfortunately, no. There are no specific tiers or cutoffs. It is based entirely on each examination and on each examiner. One may tell you that you have to do something, and the next year a different one will tell you that you aren’t complex or big enough to need to be doing that.
Factors determining the enforcement you’ll receive can include:
- IT complexity
- Size of organization
- Previous compliance efforts
- How tough your auditor is
The only way to navigate it, to be honest, is to have decades of experience with multiple organizations, dealing with many regulators, auditors and examiners, to get a feel for when an organization is close to a threshold. And then, of course, to know when the auditors’ goalposts are moving again.
Top 5 Reasons for Excessive Findings On An IT Audit
So, because of the grey areas, we can’t give you all the details as to why every organization may face excessive findings in an IT audit, but we can give you some common causes we’ve seen over the years:
- Unprepared for the audit – do you have a pre-audit checklist?
- Didn’t anticipate trends in industry requirements – usually these can be found in trade journals, by keeping in touch with other businesses like yours, or by working with us.
- Human error – having proper procedures for the various security controls (MFA across applications, password policies, update policies, access control policy, etc.) in place (and enforced) is usually the fix for this. Without them, human error absolutely will rule the day.
- No plan for new industry regulations – if you’re not keeping abreast of trends in the industry, you’ll be in the dark about requirements coming down the pipeline. Not planning for those changes will leave you surprised and short on time for the technology updates you need to have in place for an audit.
- No technology roadmap – being proactive with your technology planning avoids the situation where you look up one day and realize many of your systems are out of date, and it will take a gargantuan effort to get back into compliance.
A Very Short Checklist
As explained at the beginning of this post, we can’t tell you everything you need to do to avoid excessive audit findings. But there are some things every organization should do regardless of size.
- Review previous audits
- Keep systems up to date and documented
- Create technology policies, keep them updated and make them accessible
- Maintain a technology roadmap
- Verify that security controls and permissions work correctly
- Verify that security systems are working on every device
- Stay up to date (as best as possible) on which regulations apply to your business
So while every situation is different, having these items in place and followed will help you avoid some of the worst marks an organization can receive.
Do you need help navigating the foggy world of IT compliance at your organization? Please do get in touch. We’ve spent years navigating the waters of governance and compliance. We’d love to put our expertise in this area to work for you so you can get back to doing what you do best.
Unicom Technologies is a Managed IT Service Provider based in Texas assisting banks, credit unions, financial service companies, law firms, healthcare, manufacturers and distributors with all of their technology needs. Call 281-496-3606 or visit us at www.unicom-tech.com.
Houston: 1011 S Texas 6 # 200, Houston, TX 77077
Waco: 5211 Lake Shore Dr, Waco, TX 76710