Security audit in the automotive industry – why you should pay attention to it
Our IT team recently led the company through an information security audit. Patryk Kozłowski (IT Manager) and Krzysztof Jaworecki (IT Specialist) told us what such an audit is about and what to pay attention to during the preparations.
M.M.: Hello. To begin, could you explain what a security audit basically is?
Patryk Kozłowski: First, an information security audit is often understood as an IT audit. It is not quite like that. Information security is taking care of all information, not only the data on computers or servers. These are also all kinds of documents, marketing materials, employee files, financial data, construction projects – in a word, all data processed in each department of the company.
This corporate knowledge must be accurately protected so that no one can use it, e.g. for the production of products based on information developed at Aircom.
It is also not an IT audit. The purpose of this audit is to show whether our company’s information is adequately protected.
An auditor can check each department and even ask a question to a random employee met in the hallway.
M.M.: From what you say, the very concept of an information security audit is often misunderstood. Is there any common belief about security auditing that is not correct?
P.K.: Yes, it is a mistake to believe that the standard imposes something on us, that we must meet specific guidelines. And the only truth is that the ISO/IEC 27001 standard says that we must protect the information, but to what extent and how we protect this information is up to us. Each company individually determines the so-called level of acceptable risk.
However, as I mentioned, the standard lists points that indicate areas to be secured, but does not indicate how to do so.
M.M.: The standard leaves us so much freedom, so how do you choose an appropriate method of data protection?
P.K.: First, we conduct a risk analysis. We identify threats and try to minimize them or protect ourselves so that the probability of their occurrence is low.
Before the audit, I sent out an information security awareness survey among employees. The vast majority of answers were correct, but such a survey also shows us what users do not think about, what they do not know, and what we should pay more attention to during initial and periodic training.
M.M.: So we can say that the IT department develops a security strategy for the company?
Krzysztof Jaworecki: We prepare a declaration of compliance with the requirements of the security standard, in which we specify the specific actions we take to protect information.
The audit itself is based on the fact that the person who carries it out looks for evidence of what we have declared. It is also worth adding that in many companies ISO standards are introduced only to present the certificate to customers.
P.K.: For example, an auditor comes to us and says, “In the declaration, you wrote that you destroy the carriers, so you have a register of these carriers. Then I would like to see this register.” We then provide him with such a document, and the auditor confirms that what we have declared is applied.
K.J.: Yes, the lack of proof of what we reported would mean non-compliance with the requirement, i.e. non-compliance. The occurrence of non-compliance is not conducive to quality. We classify non-conformities as small and large (critical).
M.M.: Do you want to share any more interesting facts about the audit itself?
K.J.: This year’s audit was different from the previous ones because the person who carried it out had previously worked as a programmer. Due to the fact that he had extensive experience in the IT industry, the audit was intense. We spent about 7 hours with the auditor on the first day, 3-4 hours on the second.
P.K.: For comparison, I would like to say that usually, such a meeting between our department and the auditor lasts about 3 hours. This time, compliance with each point and sub-point of the aforementioned declaration was thoroughly checked.
M.M.: So the audit itself turned out to be quite time-consuming. The preparation for it certainly also required a lot of work. Please tell us more about what the biggest challenge was during the preparations.
P.K.: Of course, as every year, we had to complete the data and train the employees, but this time, for the first time, we dealt with the entire formal side of the audit ourselves. The declaration of use and the security measures themselves are not a problem for us, because we work in IT and we know it, but ensuring the correct preparation of documents and revisions was a novelty and a challenge.
K.J.: We had a broader image of the audit and thus gained valuable experience related to the independent assessment of our organization.
P.K.: Krzysiek and I were responsible for the audit, but Marek Żak (Junior IT Specialist) was a great help to us. Marek is responsible for the Help Desk and we did not introduce him directly to audit matters. However, when we were busy with documentation and preparation for the audit, Marek relieved us of many daily tasks, giving us the opportunity to focus on good preparation.
K.J.: In addition, he helped us implement many solutions, e.g. disk encryption, VPN. We try to harmoniously cooperate with each other, share knowledge and experience.
M.M.: You’ve already mentioned that the auditor himself, his insight, and the time he dedicated were new in this situation. What about the pandemic – has it made the information security audit different?
K.J.: First of all, the audit took place remotely, which had never happened before. We used the software operating in the company to securely share documentation, and the implemented IT applications were shown live by sharing server desktops. This form of audit turned out to be very effective.
M.M.: Well, now all possible work is transferred to remote conditions. Do you observe any changes in the company after the audit?
K.J.: Awareness of information security among employees grows every year. Such a system has been functioning in our company for many years, and employees notice that some mechanisms are not just an invention of the IT department that hinders their work, but are put in place to prevent data loss.
P.K.: Aircom company wants to be a reliable business partner and employer, therefore everything we declare is meticulously implemented in the company. One of our assumptions is continuous development, so every year, after the audit, we do not rest on our laurels. We are starting to work on even more effective security measures.
M.M.: Have you introduced new solutions at Aircom since last year’s information security audit?
P.K.: Yes. A year ago, we did not really have laptop encryption. Now all laptops in the company are encrypted.
K.J.: In practice, this means that if a laptop is lost or stolen, another person will not obtain data from it. Even if I remove the disk and connect it to another computer, it won’t read any information.
M.M.: Can we say that the audit has once again confirmed the very good quality of our security?
P.K.: Yes, I have met companies that had much lower data protection standards, so Aircom is doing really well in this field compared to others.
K.J.: We should remember that stolen or damaged equipment can be bought back, but lost company data is, in most cases, irrecoverable. At Aircom, thanks to the modern tools we have implemented, we can, with a high probability, recover lost data, whether deleted by accident or by deliberate action.
M.M.: Thank you very much for the interview and for the fact that, thanks to you, we can be confident about the security of our information at Aircom.
P.K.: Thank you!