One thing I have learned from being subjected to too many security audits is the importance of documenting everything you do, regardless of whether it paints your company in a good light or not.
If a user asks you to restore a file, record this as a restore test. If a user loses their phone, record this as a security incident. If you have raised a risk with management, record this along with all correspondence relating to that risk. The more of this detailed information you can provide to an auditor, the better.
If you are struggling to track your work on your security program and have ended up with a myriad of spreadsheets and want a good software solution then give eramba a go starting with the community edition.
Eramba touts itself as a Governance, Risk and Compliance solution, and not only does it achieve this but, more importantly, it covers your key security program requirements.
It has some great canned reports and allows for a reasonable level of customization. It also supports LDAP authentication for both the main application and the user awareness module. Some of the more important modules I have found include:
- Security Controls
- Awareness Training
- Compliance
- Risk Management (both Asset and 3rd Party)
- Project management
- Security Incidents
- Business Impact Analysis
- Business Continuity Planning
Again, you will breathe easy when an auditor or manager requests a security program or risk related report and within minutes you can provide a professional looking report, rather than spending the better part of a day scratching together a rather rough looking Word document with a couple of average Excel charts embedded.