Why effective preparation is the key to acing client data protection audits

A century ago, the oil industry was so lucrative and fast growing that those controlling its flow were widely seen to be controlling the entire world economy. Fast forward to today’s digital economy and the same can now be said about data. In fact, The Economist claimed data overtook oil as the world’s most valuable commodity as far back as 2017.

It’s easy to see why – data has become the lifeblood of modern business. Companies of all sizes are waking up to the potential of good data management and analytics when it comes to improving business operations and boosting overall future prospects.

This then begs the question: why are so many companies still failing to sufficiently protect their most valuable asset? Third-party data breaches, in particular, continue to proliferate. Such cyber events can be disastrous for organisations, damaging customer confidence and leading to hefty regulatory penalties. Furthermore, according to a recent Gartner report, a data breach is roughly $700,000 more expensive when a third party is involved. 

Unfortunately, it’s a problem that’s only going to get bigger. Sophisticated cybercriminals have identified third-party suppliers as a lucrative back door to steal sensitive information from larger businesses, so are channelling more time and resources into it. Consequently, midsize companies are facing increasing pressure to button up their cybersecurity presence from corporate clients as well as regulators.

In many countries, authorities are now recommending (or even requiring) that major corporations do complete security audits of their third-party vendors. Midsize companies that have trouble with the audits and/or can’t demonstrate they’re adequately monitoring and protecting sensitive customer data run the risk of losing those customers.

However, like so many things in life, preparation is the key to success. Below are eight of the most commonly asked audit questions, helping to understand “audit readiness” and enabling you to make any changes or improvements to your data protection programs before it’s too late:

  1. Where is sensitive data located?

The first and most obvious question relates to the exact location of data within your organisation. Clients will want to be certain that you understand where data resides and what controls are in place to track its movement. Data is not static; it may be stored on local servers, moved to individual desktops, and integrated with other data types. Expect clients to ask whether controls are in place to prevent sensitive information from all possible egress channels, including email, cloud services, and removable drives.

2. Who in your organisation will use client data?

Clients will want to know how widely their sensitive data is distributed and what controls are in place to limit access to it. Questions about data distribution can include how data is accessed, transmitted, and shared, what  screening processes are used in hiring, and if any contractors or other non-employees will require access. This can extend to not only people, but also systems that use the data.

3. What do users do with the data?

The core question in many audits is “how will my data be handled?” While access control measures may limit information availability, users with legitimate access can copy data, incorporate it in other files, and move it to storage devices. Audit questions will focus on your ability to track data continuously, in any format, and use cases where files are compressed, or embedding spreadsheet tables or images of sensitive data into documents.

4. Which applications will access and use the data?

Once a client’s information is within your systems, you need to demonstrate how that data will be protected while in use, including its interaction with other applications that use the data to deliver information or products. For example, a design document may be entered into an inventory control system to ensure the necessary parts are available.

Questions about application control will probe your ability to block unauthorised applications and processes from accessing, manipulating, and using data. This can include unknown applications which may be malicious, as well as legitimate applications which may put data at risk (e.g., peer-to-peer networking, file sharing).

5. When is the data at risk?

While static data can be encrypted, clients recognise that their sensitive information must also be used to deliver goods and services back to the client. Data is typically at most risk when it is used on endpoints. Here, users may take actions such as opening decrypted copies, copy data, send documents to others, or move sensitive data to additional drives. Clients will ask for information about how you control your endpoints from external threats, such as malicious software and advanced threats, as well as internal threats, whether purposeful or inadvertent.

6. What controls can you provide to mitigate risks?

Knowledge workers have many demands on their time, and relying on a policy document to protect sensitive client information is not enough. Clients will require evidence that controls are in place to prevent the loss of the data for each use case and risk identified by you or the client.

Controls should be automated and enforce policies in real time, allowing legitimate business processes to be conducted securely. Clients will need information on how you address insider and outsider threats, without requiring human judgment or intervention.

7. Can you ensure that data is only accessed on a need-to-know basis?

Clients want assurances that access to their sensitive information is limited to those who require it, and that it can’t be shared without permission.

Questions about access control are typically simple to answer. However, be prepared to demonstrate controls for privileged users, such as system administrators. These employees possess elevated device privileges (root access). Clients will ask how you manage privileged users’ ability to manage devices, while preventing access to the client’s data on those devices.

8. What happens when one of your systems is compromised?

Sadly, attacks are inevitable, and clients will want to understand what controls you have in place to contain a compromise. Audit questions will focus on how you recognize indicators of compromise (IoCs), redundancy in IoC signatures and threat intelligence used. If you have security solutions to detect external network attacks, be prepared to demonstrate how that information is used to protect endpoints.

As the volume and variety of cyberattacks continues to grow at an exponential rate, large

businesses and corporations are quite rightly becoming more wary of who/what they are allowing to access their sensitive data and how it’s being used. As a result, client data protection audits are becoming increasingly commonplace. Such audits can quickly prove the undoing of businesses that aren’t prepared for them. However, by taking the time to study the questions and properly align your security strategy, not only will you be able to prove your data protection credentials, you will stand in great stead compared to other, more lackadaisical competitors.

Print Friendly, PDF & Email
CISO and VP at

Tim Bandos, CISSP, CISA, CEH is CISO and VP Managed Security Services at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cybersecurity world and has a wealth of practical knowledge gained from tracking and hunting advanced threats that target stealing highly sensitive data. A majority of his career was spent working at a Fortune 100 company where he built an Incident Response organization and he now runs Digital Guardian’s global Security Operation Center for Managed Detection & Response.

Leave a Reply

Your email address will not be published. Required fields are marked *