Key Concepts and Terminologies
Scope
The scope of an audit defines what the audit will examine: the systems, processes, locations, and activities that fall under review. Each compliance standard, framework, and regulation has its own point of focus, and scoping means agreeing on that focus before the audit begins. The scope is usually settled through a series of discussions with the auditors, and anything left out of it is not assessed, so an over-narrow scope can leave real risk unexamined.
Control
A control is an activity your company performs to mitigate a specific risk. It is a part of a process designed to accomplish a goal. For example, a goal might be to make employees aware of security threats because they handle sensitive data. A corresponding control might be: security training is provided to all employees every year.
Design
To design a control is to decide how a particular process will function. An effective design lays out the series of steps or action plans needed to achieve a specific goal, and it is usually documented in a policy or a procedure. To implement a control, you first need to design it. If a control is a process to accomplish a goal, the design is the "how" of that goal. For the security training control, the design identifies the step-by-step actions that make it happen, such as:
- The month during which the training must take place
- Who is included in the training (e.g., full-time employees, contractors)
- The tools used to deliver and track the training
- The personnel responsible for administering the training
Evidence
Auditors, and sometimes customers, require a company to provide evidence so that they can validate that the company is actually meeting the compliance obligations it claims. Evidence can take the form of:
- Screenshots from a system
- A report or export generated by an API query
- A population, or list, of events
For the security training control, the evidence is the complete report showing each employee's name, training assignment date, training completion date, and any related score. Evidence generated directly by a system carries more weight than evidence assembled by hand, because it is harder to alter or omit records.
Implementation
Implementation is putting into effect the steps documented in the design. This is the piece your auditors care most about. It is easy to create and document a design; the real question is whether you are executing against it consistently. For the security training control, the implementation is administering the training every year to all employees, including anyone hired during the year, and being able to show that it happened.
Personal data
Personal data is information that can help identify an individual. What identifies an individual can be as simple as a name, phone number, or e-mail address. Under regulations such as the GDPR the definition also extends to online identifiers such as an IP address or a cookie identifier. Some examples of personal data include, but are not limited to:
- First or last name
- Date of birth
Policy
A policy is a high-level document that defines "what" must happen. Policies are the rules to be followed and serve as the foundation of every process; the detailed "how" belongs in the procedures that implement them. Policies must be formally reviewed and approved at least once a year, and auditors will typically ask for evidence of that review (for example, the approval date and approver).
For example, a policy can say: we must conduct a risk assessment every year to identify and mitigate risks.
Population
As part of your compliance audit, it is common for auditors to ask for evidence that a certain control activity occurred. This evidence is often a population of events, from which the auditor selects a random sample to test. A population of events is the complete list of occurrences of a given type over the audit period.
For example, a population of new hires is the list of everyone hired during the period, and a population of incidents is the list of incidents recorded during the period. As an organization, it is good practice to be able to pull these lists from the system of record in an automated way rather than maintaining them by hand. An auditor will place far more trust in a list generated by a system than in a manually maintained spreadsheet, because a manual list cannot demonstrate that it is complete, and the auditor must be confident the population is complete before sampling from it.
Process
A process is a series of actions or steps taken in order to achieve a particular goal. In compliance, the term "process" gets used often. For example, your auditor might ask: what is your process for granting access to a new hire? Or, what is your hiring process? The process referred to here is the set of steps and actions taken to provide access or to hire a new employee in your company. Any recurring activity in your organization that requires a defined set of actions has a process behind it, whether or not it has been written down.
Sensitive / Critical data or Personally Identifiable Information (PII)
Sensitive data differs from personal data in that some types of information are considered more sensitive than others. Sensitive information is information that could be misused to cause harm to a person if it were lost, stolen, or exposed. Think about the potential impact of a given data set being disclosed, and note that sensitivity also depends on combination: a date of birth on its own is low risk, but paired with a name and address it can identify a specific person.
For example, a first and last name can be sensitive, but is it as sensitive as a credit card number? Some examples of PII include, but are not limited to:
- First or last name
- Passport /Driver’s License number
- Social Security Number
- Credit Card Number
- Account username
- Financial records
- Medical records
After reading through these concepts, proceed to the next article to deepen your compliance understanding!