How to Pass Remote Audits
Note: This isn't a post from one of our auditor partners, but I figured this post from the Tugboat blog is relevant for this section of the community given that it was published earlier today:
There's little difference between the on-site security audits auditors would traditionally conduct with customers and the remote audits conducted in response to the 'rona. You'd follow the same best practices outlined for on-site audits as you would for remote audits, albeit with a few more things to keep in mind:
Tip #1: Keep all auditor requests in one place
At risk of stating the obvious and coming across as pedantic, you really have to keep all of your auditor and evidence requests in one place so that everyone involved can access them. It doesn't matter what the repo is (Excel spreadsheets, Jira, or a continuous compliance platform like Tugboat) so long as you keep everything there. Now of course, a platform like Tugboat that has a native end-to-end workflow to assign controls to the relevant people, track control implementation and progress, and AutoCollect evidence makes all of this easy as pie 😉
But if you wanted to go the DIY route, you could manage and track everything through whatever tools are easiest and most effective from a time and money standpoint for you and your team. Heck, you could even manage everything through someone's notebook, so long as that point person meticulously records and tracks everything.
Tip #2: Over-communicate with everyone (yes, really)
Hey, I'm not trying to hit you with another "no duh" tip. But when you think about it, security audits are serious business dealing with risky business (but without Tom Cruise).
And given all the communication apps that exist, you have no excuse internally for not making sure your colleagues are implementing the security controls they've been assigned. And externally, you have no excuse for not letting your auditor know about the latest and greatest progress (fun fact: Jose Costa, CISO at Tugboat Logic, and his team of former auditors can attest to the fact that auditors are not "out to get you" and are not looking to fail you – they want you to pass with flying colors!).
TL;DR: it's better to over-communicate with everyone involved in the audit process and make sure everyone is on the same page than it is to make assumptions. To quote the legendary thespian Samuel L. Jackson, "...when you make assumptions, you make an a** out of you and umption."
Tip #3: Make sure your video conf tool works and is secure
If you're looking to switch, you can take a look at the thorough video conferencing vendor comparison and risk assessment Jose and the Tugboat Labs team conducted when we decided to switch from Zoom to Google Meet.
And that's all we got on the tips side for passing remote audits. It's all common sense knowledge that you already knew!