After sitting in on two of the ISAAC Risk Assessment Reviews over the past two days, I can give you some definitive takeaways.
There is one REALLY important point (actually I was going to say three, but I would list the same one for numbers 2 and 3; it is THAT important) and one slightly lesser point.
1. DOCUMENT your processes.
When the time comes that an auditor reviews the IT implementation, they are going to want hardcopies of your procedures. If they cannot carry away some type of DOCUMENTED process for how the resources are managed, then as far as they are concerned, it does not exist. ISAAC will also require that this has been codified. You will be expected to make sure that a successor or alternate is able to carry on these processes if you are not available, and the only way to do that is to have them documented.
1a. If you say you scan for confidential information, then you should have a documented process that states the interval at which the scans are performed, and you should be able to easily access the results of each scan. If confidential data was identified, you should be able to show how you communicated to the specific data owner where the content should be stored, and how it should be protected if it is required to remain on their workstation or on a departmental server.
1b. If you say you have a backup and restoration process, you should be able to provide an auditor with printed copies of that process.
1c. If you say you do account cleanup at set intervals, you had better have the results of your previous scans for inactive accounts and be able to show which accounts were changed to inactive status because they had not been used recently.
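As an added example (not part of the original post, not ISAAC's procedure, and not any real directory's API), here is the sweep from item 1c written so that every run produces a retained evidence record: which accounts were reviewed, which were deactivated and why, which were skipped, and what changed since the previous run. The account export, the `INACTIVITY_DAYS` threshold and the `PROCEDURE_ID` reference are all constructed or assumed for illustration.

```python
"""Inactive-account sweep that leaves a retained evidence record.

Added example for this post; it is not ISAAC's procedure or any real
directory's API. ACCOUNTS below is a constructed export, and
INACTIVITY_DAYS / PROCEDURE_ID are assumed policy values.
"""
import json
from datetime import datetime, timedelta

INACTIVITY_DAYS = 90               # assumed threshold; record the real one in the written procedure
PROCEDURE_ID = "ACCT-CLEANUP-01"   # hypothetical reference to the documented procedure

# Constructed sample directory export (not real accounts).
ACCOUNTS = [
    {"name": "alice",       "type": "user",    "enabled": True,
     "created": "2021-01-04T00:00:00+00:00", "last_login": "2024-05-20T09:12:00+00:00"},
    {"name": "bob",         "type": "user",    "enabled": True,
     "created": "2020-03-15T00:00:00+00:00", "last_login": "2023-11-02T14:30:00+00:00"},
    {"name": "newhire",     "type": "user",    "enabled": True,
     "created": "2024-05-28T00:00:00+00:00", "last_login": None},
    {"name": "stale-never", "type": "user",    "enabled": True,
     "created": "2023-01-01T00:00:00+00:00", "last_login": None},
    {"name": "svc-backup",  "type": "service", "enabled": True,
     "created": "2019-06-01T00:00:00+00:00", "last_login": "2023-01-01T00:00:00+00:00"},
    {"name": "carol",       "type": "user",    "enabled": False,
     "created": "2020-01-01T00:00:00+00:00", "last_login": "2023-06-01T00:00:00+00:00"},
]


def _ts(value):
    return datetime.fromisoformat(value) if value else None


def last_activity(account):
    """Never-logged-in accounts age from their creation date, so they cannot hide forever."""
    return _ts(account["last_login"]) or _ts(account["created"])


def classify(accounts, now, inactivity_days=INACTIVITY_DAYS):
    """Sort accounts into deactivate / review / skipped, recording a reason for each."""
    cutoff = now - timedelta(days=inactivity_days)
    deactivate, review, skipped = [], [], []
    for acct in accounts:
        entry = {"name": acct["name"], "last_activity": last_activity(acct).isoformat()}
        if not acct["enabled"]:
            skipped.append({**entry, "reason": "already disabled"})
        elif last_activity(acct) > cutoff:
            skipped.append({**entry, "reason": "active within window"})
        elif acct["type"] != "user":
            # Service accounts often authenticate without interactive logins;
            # flag them for an owner decision rather than cutting them off blindly.
            review.append({**entry, "reason": "non-user account past cutoff"})
        else:
            deactivate.append({**entry, "reason": f"no activity in {inactivity_days} days"})
    return {"deactivate": deactivate, "review": review, "skipped": skipped}


def run_sweep(accounts, now, previous=None, inactivity_days=INACTIVITY_DAYS):
    """Deactivate qualifying accounts (in place, standing in for the directory write)
    and return the evidence record for this run. `previous` is the prior run's record,
    if any, so the new record can state what changed since then."""
    result = classify(accounts, now, inactivity_days)
    to_disable = {e["name"] for e in result["deactivate"]}
    for acct in accounts:
        if acct["name"] in to_disable:
            acct["enabled"] = False
    prior = {e["name"] for e in (previous or {}).get("deactivated", [])}
    return {
        "procedure": PROCEDURE_ID,
        "run_at": now.isoformat(),
        "inactivity_days": inactivity_days,
        "reviewed": len(accounts),
        "deactivated": result["deactivate"],
        "needs_review": result["review"],
        "skipped": result["skipped"],
        "newly_deactivated_since_previous_run": sorted(to_disable - prior),
    }


def evidence_line(record):
    """One JSON line per run; append it to the evidence log kept with the procedure."""
    return json.dumps(record, sort_keys=True)


def sweep_sample(now_iso="2024-06-01T00:00:00+00:00", previous=None):
    """Run the sweep over a fresh copy of the constructed export at the given time."""
    accounts = [dict(a) for a in ACCOUNTS]
    return run_sweep(accounts, datetime.fromisoformat(now_iso), previous)


if __name__ == "__main__":
    print(evidence_line(sweep_sample()))
```

Each run's JSON line, appended to a log that is retained alongside the written procedure, is exactly the artifact item 1c asks for: the scan results, the accounts changed to inactive status, and the reason for each. Keeping the previous record and computing the difference also answers the "what changed since last time" question an auditor tends to ask.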
2. Communicate the process to the customers.
Some method should be established (be it a blog or your IT admin resource page) where customers can see the services you provide and how they can take advantage of them.
If you say you do change management, you should be able to show auditors tangible evidence of your notifications that changes are performed at a consistent time of the week or month. That evidence should also show that, when a change was completed, customers were informed it had been performed successfully.
These things come down to one question: how can you SHOW that you do what you say you do? If someone cannot verify that you perform these processes consistently, they are not likely to believe the processes will continue in your absence.