Helping your clients with insurance and security audits

Karl Palachuk

Several years ago, our largest client was a company that works with extremely secure information for Fortune 100 companies. The kind of information that makes the news when it gets leaked. So, obviously, the information must be secured.

From the beginning, these folks needed very high standards on email security, website security, database security, and all the network security stuff we were used to dealing with. Please note that Manuel (president of my company at the time) had worked in IT at Bonneville Power Administration. Think nuclear power. I was once the Site Manager for PC Software Support at HP's Roseville plant. We were not strangers to security or audits.

But this client brought us some serious challenges.

This client was constantly responding to security audit requests. As a result, they turned to us. Very often, they would forward to us a 200-page questionnaire about network security. Most of it was pretty mundane (eg, encryption level of SSL certs and when they expire). But some stuff was pretty interesting.

Here’s some examples:

Dual Firewalls
One insurance company wanted two firewalls configured (see illustration below) in order to limit access to their data from outside the company LAN. They did not trust using a VLAN on the same firewall that touched the Internet. Luckily for us, these were nice, high-end, expensive firewalls.

Diag1

VPN to MSP
One company (our client's client) required a hardware VPN between the client and us so that all traffic, including RMM agent, moved between us on a secure line.

Roof Access
One company required that access from the roof of the commercial building be padlocked and monitored. This is so someone cannot be lowered to the roof via helicopter and gain access to the building.

Building-Wide Facilities
One company required that facilities (electrical closet, Internet access panels, etc. be monitored.

Encryption
One company asked that data be encrypted while at rest on the client folders or database. So, data arrived encrypted, needed to be decrypted to import to database, then re-encrypted. Once client data had been imported into the database, the source data must be encrypted.

Programmer Access
One insurance company required that the programmer have access to the code only and should be restricted from viewing any of the client data. The client lead programmer had access to all software databases. This cannot be changed without a significant change in processes. The programmer was made a full-time member of the client’s staff, passed a security check, and signed all non-disclosure agreements.

Independent Audits
One company required that an independent third party (other than us) perform a network security audit of the processes and documentation implemented by us.

Starting Out with the Insurance and Security Audits

The first time we went through one of these audits, I think it took about four hours to cover the basics and two hours to take care of some of the esoteric stuff. Then we had some documentation and remediation to do. Followed by meetings and meetings. All billable. It was easily 25 hours total at full price.

The second time we went through an audit, we had most of the answers already in some form. We mostly copied and pasted from the earlier audit. I don't recall exactly, but maybe a couple hours for the audit and report, plus a few hours for remediation, and a few hours for meetings.

After that, we rarely had remediation and we could pump out the audit and report in two hours flat (plus any meetings that we requested).

Who Requests Insurance and Security Audits?

Every industry is different. But secure data has some common characteristics across industries. See the diagram on "Who Requests an Audit?" Most audits are requested directly by our client's client. Sometimes it's that end-client's insurance company that needs the audit.

audit

Second, in our experience, is our client's insurance company. This is normally their Liability company, but it might also be Errors & Omissions. Knowing that the client is subject to a variety of regulations and has liabilities regarding the protection of end-client data, the insurance companies want to minimize their risk.

Third, there are government agencies. This is more of a threat than an ongoing activity. While our client was subject to certain government regulations (and feared an audit), they were never actually audited by a government agency.

With some industries, government audits or reports are much more regular.

More and more, financial and medical businesses are under increased government regulation. It's actually a pretty good idea to consider creating a niche in one of these industries.

What Do The Forms Look Like

I wish I could give you a form, or list of questions. But the only examples I have are from HUGE companies with massive legal departments willing to enforce their non-disclosure agreements very strongly. (Having said that, I have a project on the back burner to find a way to obtain and release this information without tying it to a specific company.)

However, one great place to start looking at the kinds of questions you'll find in a big-company audit is on ITSecurity.com’s web site (see

http://www.itsecurity.com/features/it-security-audit-010407/). When you look at their list of items to be aware of, just turn every tiny thing into a question. Then consider how you would answer it.

As a general rule, there are a LOT more regulations and security audits for companies with 50 or more employees. And, again, there are a lot more audits for companies that are working with or sub-contracting for major corporations.

Fortune 100 and Fortune 500 companies are not all alike. Technology audits are most common for companies that are exchanging data or processing sensitive data for these big companies. For example, if you have a client that works with medical transcriptions, credit card applications, or personnel data, they may have a few "big fish" clients.

Once you have either acquired a big 200-page form or figured out what you think a number of the questions are, you can begin offering an auditing service to your largest clients. OR you can pay some money for the exam prep and get certified in CISSP, CAP, SSCP, or CSSLP by starting at https://www.isc2.org.

That training includes 98% of what you need to provide all the audits your clients could ever want.

The Insurance and Security Audits Business Model

A few notes about going into the "auditing" business.

First, it is really easy. I'm sorry for all the folks selling certs, but it's not difficult. It's just tedious and you have to be extremely precise. But most of the questions are along the lines of "Is there a backup plan? Describe it in detail." So if you're addicted to documentation, you're good to go.

Second, the key clients for this are 50+ employees serving at least a few Fortune 500 companies. This is just a great combo of needs and resources. These folks see the audit as "time off task" and a pain in the neck. The result: They are willing to simply pay money to make the problem go away.

Third, once you do one super-monster audit, you'll have almost all the verbiage to complete the next one. If you've been doing your job, then there is a documented process for passwords, backups, remote access, encryption, file storage, etc. Writing all that out in detail will help you to create even better documentation for all of your clients!

Fourth, if you decide to add professional security audits to your portfolio, you'll need to do a lot more than "get by" with an audit or two. This world changes fast, so you'll need to commit to perpetual education. But if you do that, you will have very little competition. Unless you live in one of the top 10 metropolitan areas of the US, you might find that only one or two people in your area have the training to perform such audits. That makes it a great niche.

Fifth, this business really is perpetual. Most clients who need a high-level audit also need one or two additional audits. And they need these repeated on some schedule (annual, biennial, etc.). Not only that, but clients talk to other people in their field. So if you're "the" place to get a great audit, then you get a referral. And an audit within the same field is even easier the second time!

SOP – Standard Operating Procedure

Unlike general technology consulting, security auditing is a pretty well defined area. In general consulting, you are likely to stumble on almost any technical issue out there. But with security audits, there really is a limited field. The questionnaire might be 200 pages, but 195 of those pages will be the same from client to client.

The first key to success in this field is to go get your clients. That is, you need to figure out who needs an audit and make sure they know you exist. They might not have a request from Exxon, Walmart, or GE on their desk. But if they expect to see one in the next 12 months, they will keep your information and call you when they need you.

It's All About Your Niche

The second key to success is to continually improve your "verbiage" for answering the questions. The goal for you is to help your client pass the audit. So you need to find the right words that make it look like they are absolutely above reproach. Once you have the golden words, save them for the next audit.

Of course, you need to be brutally honest if the client needs to make improvements. And, with luck, you'll get some work out of that. But even with areas of improvement, you can save the good descriptions for use on the next audit.

The third key to success is that you probably need to do these yourself. Or maybe you have one superstar tech who can do audits. But you CANNOT just hand this off to an entry-level technician. So audits need to be done by the senior techs.

In the end, doing security audits is just another niche. And the better you are at your niche, the fewer competitors you have. And, the better you are, the more you can charge!

If you decide this niche is for you, it might be useful to build a keyword-based database or spreadsheet so you can find and re-use verbiage as needed. Again, you need to customize each response. But there's no point in starting over from scratch.

Three Take-Aways from This Chapter:

  • Security Auditing is a great niche – One in which clients are guaranteed to have the budget needed.
  • Start with one and work hard on the answers. Save those answers for future audits.
  • Most audit questions are the same, but you have to stay on your toes because technology changes all the time.

(Used with permission of Karl W. Palachuk, SmallBizThoughts.com)