Managing your Drata Starter audit

How Drata + AssuranceLab audit works

OVERVIEW

Continuous audit progressively completes your audits over the industry standard 12 month reporting cycle. In contrast to traditional audits conducted at the end of the period:

  • You get feedback when it's relevant;
  • Increased confidence your compliance is on track year-round; and
  • It proves your compliance has been maintained with clear audit progress for your customers peace of mind.

It also reduces the disruption of audits, speeds up reporting when period end rolls around, and has inherent efficiencies where audits are put on autopilot with your continuous monitoring in Drata.

 

AUDIT PLAN

Initial setup: Create your audit package and ensure we have auditor read only access to your environment. Go to Audit Hub, create audit and select the applicable date rate. Here's more on how to do this.

Monthly topical focus: about ~30% of your controls are based on periodic reviews and event-driven sample testing. We've aligned a calendar of topical focus areas to complete these areas so you know exactly what's required, and we can provide feedback as the controls are performed.

Remaining controls: Your remaining controls are on autopilot. They are continuously monitored, or otherwise documented in Drata. We will progressively work through these items during the audit period in the background, and just let you know if there's any issues with them. All you need to do, is maintain oversight of those controls; if tests fail, evidence expires, or other alerts are raised by Drata for the scope of Drata Starter controls, address those accordingly.

 

Control Topic Control Area
Managing Risk and Controls 

Risk Assessments:

  • DCF-15 - Risk Assessment Policy
  • DCF-16 - Annual Risk Assessment
  • DCF-17 - Remediation Plan

Controls Assessments:

  • DCF-33 - Oversight of Security Controls
  • DCF-153 - Conduct Control Self-Assessments
  • DCF-160 - Continuous Control Monitoring

Managing Employees

New Joiners and Current Employees

New joiners:

  • DCF-39 - Background Checks
  • DCF-37 - Acceptable Use Policy
  • DCF-44 - Code of Conduct
  • DCF-69 - System Access Granted
  • DCF-105 - Employee NDA

Current employees:

  • DCF-38 - Annual Performance Evaluations
  • DCF-48 - Session Lock
  • DCF-49 - Password Manager
  • DCF-50 - Malware Detection Software Installed
  • DCF-51 - Security Patches Automatically Applied
  • DCF-52 - Hard-Disk Encryption
  • DCF-67 - MFA on Accounts
  • DCF-47 - Job Descriptions
  • DCF-36 - Security Training
Managing Vulnerabilities and Vendors

Vulnerabilities: 

  • DCF-24 - SLA for Security Bugs
  • DCF-19 - Annual Penetration Tests
  • DCF-18 - Quarterly Vulnerability Scan
  • DCF-23 - Security Issues are Prioritised

Vendors:

  • DCF-168 - Vendor Management Policy
  • DCF-56 - Vendor Agreements Maintained 
  • DCF-57 - Vendor Compliance Reports
Managing Access and Assets

Access Control:

  • DCF-11 - Quarterly Access Control Review
  • DCF-43 - Termination/Offboarding Checklist

Asset Management: 

  • DCF-20 - Maintains Asset Inventory
  • DCF-109 - Disposal of Sensitive Data on Hardware
Managing Incidents and Changes

Incidents:

  • DCF-9 - Employee Disclosure Process
  • DCF-29 - Incident Response Team
  • DCF-28 - Follow-Ups Tracked
  • DCF-30 - Lessons Learned
  • DCF-154 - Annual Incident Response Test
  • DCF-159 - Incident Response Plan

Changes:

  • DCF-31 - Software Development Lifecycle Policy
  • DCF-5 - Code Review Process
  • DCF-155 - Code Changes are Tested
  • DCF-156 - Code Released by Appropriate Personnel
Managing Governance & BCDR Tests

Board/Management:

  • DCF-143 - Board Oversight Briefings Conducted
  • DCF-144 - Board Charter Documented
  • DCF-146 - Board Meetings Conducted

Business Continuity and Disaster Recovery:

  • DCF-25 - Disaster Recovery Plans
  • DCF-26 - BCP/DR Tests Conducted Annually
  • DCF-100 - Backup Integrity and Completeness
  • DCF-166 - Business Continuity Plan