When you decide to move forward with a digitization project there are plenty of things you have to think about:
- project specs
- safety of your records
- transportation / logistics
- and so on
And although “safety of your records” is included in that list, you probably weren’t thinking about how that safety is verified.
If a company tells you your records are safe, should you believe them?
Instead of just believing (or not), why not verify it? Ask them for security audits to prove that your records will be protected and secure, and that they’re not just blowing smoke!
In this article we’ll describe our internal security audit, how it compares to a third-party external audit, some of the items we review, and more. When you’re done, you’ll have a solid idea of what to look for when it comes to security verification and choosing a scanning partner.
BMI Audit vs. Third-Party Audit
Our annual security audit is an internal audit, meaning that we create our own tasks and assignments, check the processes, and verify the completion of each task.
Compared to a third-party audit, in which an outside inspector or auditor reviews our company, this might sound odd because it’s like grading your own test at school. But it’s the initial look at our security posture each year and the self-assessment allows us to be the first to review our own work and identify any potential weaknesses or gaps. It also allows us to verify things that would not necessarily be checked during a third-party audit.
Our internal security audit was started in the early 2000s at the request of one of our healthcare clients; initially, the audit was based around medical claims form processing and focused on the particular workflow for this client. As the years progressed, our Security Officer continued to add items to the annual workflow review and eventually developed into a general security audit, rather than a client-specific review.
Security Audit Personnel
We’ve created a team that works together each year to effectively complete our audit.
- Security Officer
Leader of the Security Team and the final word for any security-related matters.
- Compliance Officer
Second-in-command after the Security Officer. When the Security Officer is not available, the Compliance Officer is the go-to for security matters.
- Facilities Manager
The individual who oversees our two facilities – most of the physical audit tasks fall into this person’s sphere.
- Human Resources
- IT Staff
Others may be involved in the audit, such as folks from Software or our Project teams, but they are typically involved only briefly and for one-off tasks or verification steps.
Our CEO receives the final version of the audit results for review and before approving the audit, discusses any questions with our Security Officer.
What’s The Process?
To ensure that our audit is as comprehensive as is practicable for our team, we move through our process systematically each year to get it started properly and efficiently.
1 – Update and define the audit period
Historically our audit period was defined by the calendar year (01Jan – 31Dec). However, as we’ve integrated SOC 2 audits into our security plan we’ve made the decision to synchronize our internal audit period with the third-party SOC 2 audit period so they’re aligned and reviewing the same results.
If there is a change needed in the future, we can adapt the audit period to suit the situation.
2 – Review audit list from previous year
Our team has a kickoff meeting and reviews the items and tasks we executed during the previous audit and any remediation tasks identified during the previous audit.
3 – Add any new items that are needed or identified
Security policies and procedures are never static. To stay abreast of the threat environment, policies and procedures are continuously updated and augmented. These changes often necessitate adding new tasks to the audit list. Each audit task is designed to produce supporting documentation that can be used to verify successful completion of the task.
4 – Remove any stagnant or non-relevant item
Like adding tasks, we often find that some audit items are not relevant anymore, out of date, or just not useful based on previous experiences or new developments. These are removed from the audit to ensure that it only includes relevant and impactful items, and doesn’t become bloated.
5 – Assign the individual responsible for completing the task
Each task is assigned an individual that is responsible for completing the task. This person may or may not be able to actually accomplish the task themselves, but they’re responsible for ensuring that it gets done.
Additionally, even once they complete the task, they’re responsible for ensuring that the completed item is reviewed and verified by another individual.
6 – Assign the individual responsible for verifying the task
Tasks are not complete until they are verified by a second individual. This step is to put a second set of eyes on every task that gets completed to a) ensure the task was completed, and b) that the task completion information makes sense and includes any necessary supporting documentation.
7 – Status meetings every 2-4 weeks while tasks are being completed
Once our audit starts we hold status meetings every 2-4 weeks to keep the team aligned, update other members of our progress, and work through issues that invariably come up during the course of the audit.
What Is Being Audited?
Over 45 distinct items are reviewed and verified during each audit. The individual items are separated into audit categories to delineate which type of security is being completed.
The categories are listed below, with examples of individual audit items within each category.
SOC 2 Type II Verification
But don’t just take our word for it.
We have an independent third-party firm audit our company each year to check that we’re doing what we say we’re doing and to help us identify any gaps in our security posture.
The SOC 2 Type II audit includes “a report on a service organization’s description of its system and on the suitability of the design and operating effectiveness of its controls relevant to security, availability, and confidentiality.”
The audit firm’s examination of our systems and controls includes, but is not limited to, the following:
- Obtaining an understanding of the system and the service organization’s service commitments and system requirements
- Performing procedures to obtain evidence about whether controls stated in the description were suitably designed to provide reasonable assurance that the service organization achieved its service commitments and system requirements based on the applicable trust services criteria
- Testing the operating effectiveness of controls stated in the description to provide reasonable assurance that the service organization achieved its service commitments and system requirements based on the applicable trust services criteria
We enjoy having our own audit procedure, but the confirmation by a third party keeps us sharp and gives our clients an extra layer of confidence that we’re protecting their records and data.
Why Security Audits Are Important To Your Scanning Project
Finding a company that executes security audits (either internal or external) doesn’t mean that your digitization project is guaranteed to be a success.
But it does give you confidence that they’re handling your records properly, they have systems in place to protect the physical copies as well as the digital files, and that they have a reviewed and audited method of capturing, storing, transmitting, and disposing of your data after your project is completed.
When you’re researching and interviewing companies about working with you on your digitization project, make sure to ask about their security procedures and recent audits. If you get a blank stare or moment of silence, it may not be the end of the world.
But it should make you think twice!
Getting ready to start a scanning project but aren’t comfortable with handing your records to a partner? Call us at 800.359.3456 or send an email to firstname.lastname@example.org and we can review your project requirements and discuss the proper security processes to keep your records and data safe.
“Choosing A Partner For Your Secure Scanning Project”
What should you look for when choosing a partner for your secure scanning project? Some key items include physical security setup, digital and network security processes, and security credentials (such as audits). Read some of our recommendations and make an informed choice for your conversion project.
“Material Security Classification Levels & Digital Scanning”
Different projects require different security methods. Learn about our Material Security Classification Levels and how we properly handle your records and run your project.
“Digitization & The Chain Of Custody”
The chain of custody of your records is a critical component during a digital conversion project. Learn what to ask about and how to evaluate a company’s chain of custody methods.