Audits, and more audits



  • I thought I could go one single year without an audit. Last year was a very lengthy HIPAA audit (done alone), and to end February I'm now starting a PCI audit for a hospital that now accepts payments online... Which means they have changed categories.

    Kill me.



  • We specifically proposed "audit reductions" in some system changes that we proposed for a client just last week.



  • @scottalanmiller said in Audits, and more audits:

    We specifically proposed "audit reductions" in some system changes that we proposed for a client just last week.

    Can you clarify on how you plan on reducing audits? PCI and HIPAA both require audits at very specific times of the year (semi-annually preferred, annual at minimum). CIPA is a bit different.

    When I've proposed reductions, I've done strictly annual. If systems absolutely don't change, I suppose you might be able to do every other year. Every 3 years would be too much.

    I've moved to having templates available for clients with various tiers. They have the option of "purchasing" the template, which is updated annually. Purchasing the template cuts down significantly vs. writing one from scratch. Essentially if we do a dozen audits, and I write one template that can cover every single one of our clients, it's worth it because I only have to write a few pages every year with modifications, rather than writing many.

    Dealing with hosting providers is a mix. Some of them have material available, others are painfully lacking and takes months to obtain, in pieces that have to be compiled.

    One of the things I hate most in this life, are audits.



  • @bbigford said in Audits, and more audits:

    @scottalanmiller said in Audits, and more audits:

    We specifically proposed "audit reductions" in some system changes that we proposed for a client just last week.

    Can you clarify on how you plan on reducing audits?

    In our case, removing all Windows products so that MS can't call for an audit.



  • @scottalanmiller said in Audits, and more audits:

    @bbigford said in Audits, and more audits:

    @scottalanmiller said in Audits, and more audits:

    We specifically proposed "audit reductions" in some system changes that we proposed for a client just last week.

    Can you clarify on how you plan on reducing audits?

    In our case, removing all Windows products so that MS can't call for an audit.

    Do you not have to do any other audits with clients such as CIPA/HIPAA/PCI/SOC2? If not, that'd make it super easy if you just annually updated documentation or on-the-fly with new infrastructure changes (if standards changed so much that documented needed updating).



  • @scottalanmiller said in Audits, and more audits:

    @bbigford said in Audits, and more audits:

    @scottalanmiller said in Audits, and more audits:

    We specifically proposed "audit reductions" in some system changes that we proposed for a client just last week.

    Can you clarify on how you plan on reducing audits?

    In our case, removing all Windows products so that MS can't call for an audit.

    How many random Microsoft audits have you had so far in your career? Random as in not triggered by a disgruntled employee calling something in (heard of that happening many times), or anything else that forces a trigger.



  • @bbigford said in Audits, and more audits:

    @scottalanmiller said in Audits, and more audits:

    @bbigford said in Audits, and more audits:

    @scottalanmiller said in Audits, and more audits:

    We specifically proposed "audit reductions" in some system changes that we proposed for a client just last week.

    Can you clarify on how you plan on reducing audits?

    In our case, removing all Windows products so that MS can't call for an audit.

    Do you not have to do any other audits with clients such as CIPA/HIPAA/PCI? If not, that'd make is super easy if you just annually updated documentation or on-the-fly with new infrastructure changes (if standards changed so much that documented needed updating).

    No, no other audit types.



  • @bbigford said in Audits, and more audits:

    @scottalanmiller said in Audits, and more audits:

    @bbigford said in Audits, and more audits:

    @scottalanmiller said in Audits, and more audits:

    We specifically proposed "audit reductions" in some system changes that we proposed for a client just last week.

    Can you clarify on how you plan on reducing audits?

    In our case, removing all Windows products so that MS can't call for an audit.

    How many random Microsoft audits have you had so far in your career? Random as in not triggered by a disgruntled employee calling something in (heard of that happening many times), or anything else that forces a trigger.

    My personally, believe it or not, zero. But I have so little Windows in my environments and/or are in environments with licenses that keep audits from happening.



  • @scottalanmiller said in Audits, and more audits:

    @bbigford said in Audits, and more audits:

    @scottalanmiller said in Audits, and more audits:

    @bbigford said in Audits, and more audits:

    @scottalanmiller said in Audits, and more audits:

    We specifically proposed "audit reductions" in some system changes that we proposed for a client just last week.

    Can you clarify on how you plan on reducing audits?

    In our case, removing all Windows products so that MS can't call for an audit.

    How many random Microsoft audits have you had so far in your career? Random as in not triggered by a disgruntled employee calling something in (heard of that happening many times), or anything else that forces a trigger.

    My personally, believe it or not, zero. But I have so little Windows in my environments and/or are in environments with licenses that keep audits from happening.

    Sorry, I don't mean you personally (as in your personal assets, businesses you directly own or co-own, etc). I mean you as in the consultant for businesses you have no investment in beyond what they are paying you as a consultant. Basically, Company X doesn't have internal IT or development, and they hire you or the company you're employed by and consulting/designing/implementing for. Do any of those clients require PCI/SOC2/HIPAA/CIPA compliance? If so, I'd definitely like to fork this thread and cover some of that because those compliance standards are not really up to me (PCI, HIPAA, and SOC2 auditors reach out annually), so I'd be interested in how you're handling beyond annual (legally). I prefer SOC2 because SOX is a joke. Not sure if you are currently supporting SOC2 since I'm not entirely sure how NTG is handling certain client data as either a fully managed provider, strictly hosting solution, or anything else specifically. Very interested in more aspects though.


Log in to reply