Dr. Suzanne Miller is a principal of The Compliance and Audit Group, an Orlando, Fla.-based consulting firm that provides internal auditing and security solutions to the healthcare, legal, education and credit card industries. For the last four years, Miller has been using SekChek’s IT auditing and security assessment tools to help her clients prepare for external audits.
The Compliance and Audit Group works with companies and government organizations to provide internal auditing and to assist in implementing effective information security. This involves assessing organizations for compliance with various regulations and industry standards, including Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Payment Card Industry Data Security Standard (PCI DSS).
Prior to an external audit, Miller says, a firm needs to verify that its security – access controls, in particular – is sufficient to meet regulatory requirements. “Using SekChek, we help firms understand whether their controls are truly meeting their needs. With this system, there is no room for error or tampering. Company executives can be confident that their internal audit process is robust enough to identify gaps in security that can lead to liabilities associated with regulatory problems.”
A lot of external auditing that’s done today is based on security information collected in Excel spreadsheets, says Miller. “However, when an external auditor requests supporting documentation and receives a spreadsheet from the client, there is no real way to validate the accuracy of the information. The auditor must accept the word of the person or group presenting it.”
“This is why we use SekChek in our consulting practice. SekChek is a non-invasive program that provides us with accurate information to assess the security controls, directly from the computer system. SekChek, for instance, details the configuration of Active Directory, including the user accounts and information about those users. When SekChek extracts the information, it is encrypted so it can’t be edited or changed. By contrast, a spreadsheet that is provided by a client can be falsified or edited.”
Miller says her firm uses SekChek to service all types of organizations – large public companies, private firms, and local, state and federal government entities.
“As a value-add from our SekChek review, we leave our clients with SekChek’s easy-to-understand data that the client can use to rectify any problems we identified using the SekChek tool. For most organizations, paying specialists to manually do this work is prohibitively expensive,” says Miller. “SekChek is a cost-effective solution for organizations of all sizes: In just a single scan, it can automatically analyze a system that would take four days to assess manually.”