How do you deal with multiple security audits all requiring different security credentialing?

Security, Governance, Risk, and Compliance - Prepare general statement


Pulse User

Prepare general statement

Pulse User

If you are asking how to efficiently manage overlapping audits for, say, GDPR, PCI, HIPAA etc., then mapping is the key. I go with a baseline of ISO 27001 (I'm up to 118 infosec policies) and then map all applicable frameworks and regulations. So when the HIPAA auditor asks for the password policy you grab policy 9.3.1. When you need the PW policy for PCI it's also 9.3.1. Ideally you enforce the strictest rule, but if that's not practical the details of the policy will break it out in more detail (8 character, 3 of 4 for email... MFA added for Finance... yubikey added for Prod...). If you have a requirement that doesn't quite fit then you make a new policy. This makes it very easy to absorb frameworks with decreasing effort...

If your question is more about the different rules for different applications, the same example applies. You start with your minimum standard and then make it tighter. If making it tighter (48 character PW with yubikey and secret handshake) is too cumbersome, then you document and apply the supersized PW requirements to only those areas/tools/people/facilities that require it to meet your contractual and regulatory obligations.