1. Restricting
Authenticating
Tracking
User Access?
12100 Sunrise Valley Dr. Suite 290-1 Reston, VA 20191
This paper is your guide to more efficient and effective audits and risk assess-
ments. Consistency in managing your cyber security controls not only reduces
the time required to prepare for audits and risks assessments, it also makes any
organization more secure—especially in the event of security breaches.
Any regulatory agency that governs an organization provides it with guidance
and a checklist of expectations for audits and risk management. HIPAA, for
example, has the Audit Protocol ; GLBA uses the FFIEC IT Examination
Hand Book ; PCI provides the Report on Compliance template ; and many of
the regulations and standards use the NIST Cyber Security Framework . All of
these are very similar in terms of what they expect you to have in place to
demonstrate that your practices match what you have documented.
VIMRO helps clients prepare for these audits, and also conducts audits/as-
sessments for HIPAA, GLBA, and PCI (VIMRO is a PCI-QSA ), etc. Based
on the commonly requested items for these regulations, we include below two
lists describing what we request for cybersecurity documentation and controls
evidence.
One of the biggest challenges for our clients is gathering and maintaining
both cybersecurity documentation and controls evidence. This is why a Gov-
ernance, Risk, and Compliance (GRC) application is a must-have control in
which successful organizations invest, and why the GRC is item #1 on List B.
“A guide to
efficient and
effective audits
and risk
assessments.”
Cyber Security Audits and Risk Management
Two interdependent lists everyone should have!