* Sillas Martins
The search for compliance increases every day. Notably, external and internal audits now cover Information Security controls, an area that has been gaining strength in the market, along with organizations' positive perception of its importance, especially when privacy controls (GDPR / LGPD) must be implemented. Requirements that a short time ago were exclusive to large corporations now affect almost all organizations, including medium and small ones.
Although company members often have a negative view of audit work, because it points out and identifies non-conformities in the environment in which they operate, we must understand that this activity serves to propose continuous improvements and increase the organization's level of maturity. The audit has a much more important role than is commonly noted.
In general, audits aim to inform the company of the points it needs to adapt, so that risks are minimized and processes are optimized. This can reduce operating costs by mitigating errors and, consequently, open paths to adequacy and compliance in the environment, with a productive team that knows its business processes better.
Information Security auditing is not far from this concept: its fundamental proposal is technological development based on good market practices and concern for the safety of all assets. Thus, the corporation gains an overview of all the positives, negatives and opportunities for improvement on which it should act so that the impacts are smaller.
Do you know what auditing is?
Auditing means evaluating. An audit is a methodology that, through a checklist based on standards, evaluates whether internal controls are being executed adequately, according to the corporation's requirements. In the case of Information Security, the audit verifies that the essential points used to protect the corporate environment meet the Information Security requirements of specific frameworks.
Auditor's role within the audit process
The auditor's role is to assess whether the routines adopted by the corporation are being executed correctly. Several points are evaluated so that a truly effective analysis can be made; some critical control points are highlighted below:
- Policy development: Keep the policies periodically updated and disclose them to employees, so that everyone is aware of the company's rules and restrictions;
- Access controls: Monitor and control the company's physical and logical accesses, as well as the logs generated, and store them for future analysis;
- Control and software updates: Keep all solutions, such as antivirus and other software used by the corporation, duly documented, approved and updated;
- Adherence to certifications: Adapt the company based on good practices and, if possible, obtain a certification that best suits the environment and the company, so that the processes followed by the organization are carried out in a safer way and meet the established controls.
Recalling the main concepts of Information Security
The definition of Information Security is based on the concept of protecting the organization's main assets from catastrophic damage and preserving the three pillars: confidentiality, integrity and availability.
- Confidentiality: Ensures that access to information is carried out only by parties or persons who have the appropriate authorizations;
- Integrity: Ensures that information is not unduly deleted or altered;
- Availability: Ensures that information is accessed when the need arises.
By absorbing this information, it is possible to identify the need for a good implementation of Information Security controls, based on frameworks recognized in the market and standards such as ISO/IEC 27001:2013. It is important to highlight that constant maintenance and periodic audits of the corporate environment are essential to maintain the quality of the processes and services offered.
Conducting an assessment through an effective audit makes it possible to identify in advance the weak and negative points of an environment, as well as to correct the root cause of known problems, bringing the benefit of maturity and increased confidence, and consequently raising the competitive level of the organization within the market in which it operates.
* Sillas Martins is a Consultant in GRC & Information Security at Safeway
SAFEWAY is an Information Security company, recognized by its customers for offering high value-added solutions through Information Security projects that fully meet business needs.
During these years of experience, we have proudly accumulated several successful projects that have earned us credibility and prominence among our clients, a large part of whom are among the 100 largest companies in Brazil.
Today, through more than 20 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology solutions, processes and people.
Let's make the world a safer place to live and do business!