Everything You Need to Pass Your Next Compliance Audit

Print

A compliance audit can be a daunting experience. And why wouldn’t it be? Most businesses are non-compliant. In fact, in its latest Congressional Budget Justification, the SEC estimates that in 2018, 90% of firms will receive compliance deficiency letters. This number is astounding from a customer perspective: You, as a consumer, can trust almost no organization with your data. But from a company perspective, you are lost in a sea of non-compliant organizations. You’re a needle in a haystack, just hoping the regulators don’t find you.

But they will find you, eventually. So, until regulations change, you must do your due diligence to avoid hefty fines, loss in customer trust, and potential shutdown by the regulatory bodies. To do this, we’ve compiled a list of questions to help you focus on everything you need to pass your next compliance audit.

Related: Everything You Need to Know about Compliance

Regulated Financial Companies – Compliance Checklist

General

1. Based on your business operations, have you confirmed which regulatory bodies may govern your firm (SEC, FINRA, NYSDFS, etc.)?
2. Have you hired, or appointed, a designated Chief Information Security Officer (CISO) as someone who is responsible to oversee your cybersecurity program?
3. Have you established a program or a process to review your current security status while developing reporting and accountability measures?
4. What is your method to identify and evaluate business and cyber-related risks?
5. If there is an Incident Response Plan (IRP), once a risk is evaluated and determined to require action, is there a method to identify risks and create a response plan?
   1. At what intervals is the response plan reviewed and amended?
6. Do you have a protocol in place to disclose a potential cyber-breach to the relevant parties (governing bodies, investors, system users, etc.)?
7. Do you have a method to test and confirm that your documented processes and procedures are currently working?
   1. At what intervals is this tested, and are the test results documented?
8. Are your findings and documentation reviewed on a regular basis with your firm’s governing bodies (Chief Compliance Officer, Board of Directors, etc.)?
   1. Has such a review been conducted within the past calendar year?

Read our blog: What Does It Mean to Have a vCIO? Peace of Mind.

Non-Public and Private Information Storage and Handling

1. Does your firm have a clear understanding of the legal definitions of non-public information as it relates to your business activities?
2. Do you have a written process to classify such information?
3. Do you have a written process to guide your employees regarding the handling and storage of such Information?
   1. At what intervals is this process reviewed to ensure it remains relevant?
   2. When was the last time you reviewed your process?
4. How often do you audit the secured information to ensure that proper access levels are in fact maintained?
5. When was the last time you reviewed the security structure of the prior question to ensure that it is still applicable and accurate?

Inventory Information

1. What is your method for inventory tracking of information technology-related devices and software?
2. When was the last time this inventory was reviewed to ensure that it is comprehensive, complete and accurate?
   1. At what intervals is it reviewed/updated?

Business Continuity and Disaster Recovery

1. Have you defined your operational and availability requirements and concerns?
2. Have you developed business continuity plans to address those concerns? Is it properly documented and reviewed?
3. What is your disaster recovery plan?
4. Does the network have the appropriate levels of redundancy (internet, core equipment, etc.)?

Read our whitepaper: A Simple BDR Plan

Third-Party Vendors

1. Have you defined a quality assurance process for new software and vendors?
   1. At what intervals is it reviewed?

End User Security Details

1. What is the credential policy for accessing the network and data?
2. What is the credential policy for accessing email?
3. What is the credential policy for accessing third-party applications, cloud or local?
4. Which of the above systems is using multi-factor authentication?
5. Is there antivirus in place?
6. Is there anti-malware in place?
7. Is there DNS-based security in place?
8. Are local computer administrative passwords random/secure?
9. Do computer systems automatically lock after a period of idle time?
10. How often are security patches applied to the computers?
11. When was the last time security patches were applied to the computers?
12. Are all systems using the currently supported version by the vendor (Microsoft Windows, Apple OS, Linux, etc.)?
13. Are computer hard drives encrypted (especially laptops that leave the office and data storage)?
14. What other technical security measures are considered that are not asked here?
15. Are the above policies still appropriate for your current environment?

Network/Server Security Details

1. What is the credential policy for accessing network equipment?
2. Are the network and equipment monitored for availability?
3. Is there network monitoring for unauthorized access? Is there Intrusion Detection (IDS)/Intrusion Prevention (IPS) in place?
4. Do you monitor the network and/or server logs for unauthorized access?
5. At what intervals are security patches applied to the servers?
6. When was the last time security patches were applied to the servers?
7. Are all servers and devices using the currently supported version by the vendor (Microsoft Windows Server Edition, latest firmware, etc.)?
8. Is there a business-grade firewall in place?
9. Is the internal network segmented for security?
10. Is the current wireless network security protocol using an industry secured method?
11. Have the wireless passwords been changed in the last year?
    1. At what intervals are the wireless passwords changed?
12. Are the wireless passwords secure?
13. What other technical security measures are considered that are not asked here?
14. Are the above policies still appropriate for your current environment?

Learn More: Everything You Need to Know About Cybersecurity

Miscellaneous

1. What is your site’s physical security?
2. Have users received cybersecurity training in the last year?
3. Have users attested to said cybersecurity training in writing?
4. Have users undergone cybersecurity testing and passed?
5. If there are financial transactions, is there a method/backup to recreate these?
6. Are all handheld devices using current, security-patched versions?
7. Are all systems and configurations documented?
8. Is there a PIN code on the corporate cellular account and on individual’s cellular accounts to prevent unauthorized porting?
9. Is remote access secure with VPNs, SSL and/or other necessary measures?
10. What is the method for receiving and sending non-public information in a secure fashion? Is this method still appropriate?

How to Pass a Compliance Audit

As you can tell, compliance audits require a thorough understanding of the regulations as well as your network. For many organizations, this level of knowledge is hard, if not impossible, to maintain. That’s why IT outsourcing is often the best method of aligning your network with compliance requirements.

Contact KJ Technology to ensure you are staying current with your industry’s regulatory bodies.