Posted by mikeb on June 5, 2007
NASD – National Association of Securities Dealers
Recently I was asked about the audit requirements of the NASD and whether I had any experience writing corporate governance policies as they relate to the NASD. I specifically stated that I did not; however, with SEC, SOX, GLB, PCI, HIPAA, COBIT, and DoD auditing experience, I told them that I could definitely step up to the challenge. In the course of my reading it came to my attention that many firms are offering guidance on these regulations to help companies figure out what they mean.
Sorry, I’ve broken my train of thought. Went to answer the door and the neighbor had brought over dinner. Heh…being single is nice sometimes!
Anyhow, on with the saga of audits!
So as you can see, there are many acronyms out there, and many, many more I did not list. However, in my experience, if you understand the basics of why these different regulations were put into place, everything else simply falls into line for your audit. Here are the top 8 points to get you started:
1. Ensure your passwords are “strong” passwords.
2. Stored passwords need to be encrypted and password protected, and any access to or modification of the file tracked in some manner.
3. Identify any and all IT equipment used to store, or that may contain, SSNs, account numbers, credit card numbers or other “covered” data. Ensure the files/databases on that equipment are encrypted, with access/modification tracking.
Note: This includes CDs, DVDs, tapes, memory sticks, handheld devices and any other transportable media that may contain data covered by the specific audit you are going through. Delete the data, destroy the media or secure the media in a locked location.
4. Review all servers to which you have access for covered data. Delete or encrypt any files with covered data.
5. Ensure that antivirus software is installed and up to date.
6. Ensure systems have the latest security patches.
7. Lock up any paper documents with covered data. If they are no longer needed, destroy them in an approved manner (for instance, hire a document management company to shred CDs, Disks, and paper).
8. Last, however by no means least: document, Document, DOCUMENT EVERYTHING! How does your network communicate, what happens with traffic (such as customer data on the network, credit card data, financial data, account data, health records, etc.), who has what access, DR planning, SIR planning for breached data, and so on and so on.
Then I encourage you to look up the specifics. Please keep in mind that I am approaching this from an IT perspective and none other at this moment in time. There are plenty of resources on the web for you to look up.
heh. :p I’m always available on a contract basis to help you more in depth …
Note: This is an as-is document with no warranty implied or otherwise. It is by no means meant to state specifically what will help you complete a particular audit. As stated, either contact a consultant or an experienced IT audit firm for more specific help in preparing your organization for compliance with these laws/acts/guidelines.