The supplier audit: never fun, but one of those unavoidable features of running a business. As organisations strive to improve standards and minimise risk throughout their supply chains, audits of suppliers’ processes, infrastructure and policies are becoming more and more common. Rather than treating an audit as a chore to be borne, we can use it as a prompt to improve our systems and processes and to think about the risks inherent in the way we work.
As an outsourced IT provider, we’re often asked to help when our customers are audited, by giving the auditing organisation the relevant insight into our customer’s technology infrastructure. There are some key aspects that almost all supplier audits are interested in examining, so it’s worth spending a bit of time making sure (or asking your IT provider to make sure) that they’re in order.
This is the big one: with ransomware, hacking and data breaches constantly in the news, audits tend to focus first and foremost on security. It’s about demonstrating a culture of security as well as specific measures, showing that you take security seriously. It’s worth noting that the measures auditors are interested in are not just digital: physical security is just as important. Is your server room locked? Who has access to it, and is their access recorded anywhere? Server rooms with code locks should have the codes changed regularly, while keys should be carefully accounted for and retrieved from anyone who no longer needs access.
Similarly in your offices, are laptops secured or locked away when not in use, do you have a clear desk policy for paperwork and documents, and how are guests welcomed: can anyone just walk in unaccompanied? As MPs and their aides have learned, sometimes information breaches result simply from documents being visible to the wrong people.
On the technology side, auditors will often run a vulnerability scan of your network to highlight any flaws in your security. These checks confirm that your systems have the relevant firewalls, anti-virus/anti-malware software and spam filters in place to prevent malicious access, and that all software is up to date, with security patches applied in a timely fashion. They’ll also look at whether you segregate mobile devices and guest wireless from the corporate network, have sensible password policies, and organise and limit access to data by role.
Bring Your Own Device (BYOD) and encryption
We all carry enormous amounts of data around with us – laptops, mobile phones and tablets provide direct access to vital business systems and information, but are also extremely easy to lose or have stolen. It’s vital to have clear policies and controls that limit remote access and the corporate data stored on corporate devices, and that manage the transfer of data from place to place.
Data should ideally never be stored locally on a device, but in any case all devices should be properly encrypted so that, if they fall into the wrong hands, the data on them remains protected. A thorough audit will check your encryption processes to make sure that this is the case.
Backup, business continuity and disaster recovery
A disaster for a supplier can have a knock-on effect on the whole supply chain, so auditors will examine your backup, business continuity and disaster recovery processes to be sure that you can recover quickly and without data loss. Have a read of our other posts on these topics (Essential facts every business should know for backup and business continuity; Not thought about business resilience yet? Start here) for more complete information. It’s worth remembering that just backing up your data is not enough: what matters is resilience and the ability to keep working, so you need a clear process for recovering that data and getting crucial systems and key people up and running again quickly in the event of a major disaster.
Policies, processes and documentation
Auditors don’t just want to know that you have policies and processes around all of your key IT systems – they’re going to want to see them. Make sure that each and every policy, from security to server room maintenance, is written up clearly and kept up to date.
Similarly, your infrastructure should be properly documented, with clear network diagrams demonstrating that the whole system was thought through carefully and strategically.
Finally, don’t underestimate the importance of appearance. If your server room is clean and tidy, with organised cables and proper air-conditioning to keep the hardware cool, this will reflect well on your business as a whole. In fact, if you are proud of your server room, why not show it to clients and prospects the first time they visit your office?
Want to talk about any aspect of this post, or about your IT infrastructure generally? Give us a call on 0117 974 5179 or 020 7043 7044, or email firstname.lastname@example.org.