Responding to a Security Audit

The Context

Olivier is the CIO at HealthData, a company that handles health data. An external auditor is verifying compliance with ISO 27001 and GDPR. He requests proof of who has access to what, how access is controlled, how departures are managed, and whether passwords adhere to best practices.

  • Access rights are scattered across each application
  • No centralized tool to produce a complete inventory
  • Unable to prove that former employees' access has been revoked
  • Password policy is theoretical — no way to verify its implementation
  • Audit takes weeks of manual information collection

Step 1 — Access Inventory (Immediate)

Olivier opens the SmartLink dashboard. The auditor can see:

  • The complete list of users and their status
  • Referenced applications and security folders
  • Who has access to what, organized by folder and team

Step 2 — Security Policies (Verifiable)

Olivier presents the configured access policies:

  • Device Access Policies define access conditions per application
  • Anti-phishing is globally activated
  • VaultysID security levels are enforced for sensitive applications

Step 3 — Event Traceability (Provable)

SmartLink provides an event history:

  • Addition and removal of collaborators
  • Changes in access rights
  • Detection of Shadow IT and corrective actions
  • SCIM notifications (provisioning/deprovisioning)
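The auditor's two hardest questions in the Context above (can you prove that former employees' access has been revoked, and can you show who has access to what) are answered by reconciling the Step 1 inventory with the HR departure list and the Step 3 event history. The script below is an added example, not SmartLink's code or its export format: the inventory, departure dates, event entries, and the two-day revocation delay are all constructed for illustration.

```python
"""Reconcile an access inventory with HR departures and an event log.

All data below is constructed sample data, not a SmartLink export. The
checks answer two auditor questions: do former employees still hold
access, and is there a traceable deprovisioning event for each departure.
"""
from datetime import date, timedelta

# Constructed inventory: user -> account status and the apps/folders reachable.
INVENTORY = {
    "alice": {"status": "active",   "access": ["crm", "payroll"]},
    "bob":   {"status": "disabled", "access": []},
    "carol": {"status": "active",   "access": ["hr-folder"]},
    "dave":  {"status": "disabled", "access": ["billing"]},
}

# Constructed HR departures: user -> last working day.
DEPARTURES = {
    "bob":   date(2024, 3, 29),
    "carol": date(2024, 4, 12),
    "dave":  date(2024, 5, 3),
}

# Constructed event history, one entry per provisioning change.
EVENTS = [
    {"ts": date(2024, 3, 29), "type": "scim.deprovision", "user": "bob"},
    {"ts": date(2024, 5, 20), "type": "scim.deprovision", "user": "dave"},
    {"ts": date(2024, 4, 1),  "type": "access.granted",   "user": "alice", "target": "payroll"},
]

# Assumed internal SLA for revoking a leaver's access; adjust to your policy.
MAX_REVOCATION_DELAY = timedelta(days=2)


def deprovision_event(events, user):
    """Return the earliest deprovisioning event for `user`, or None."""
    hits = [e for e in events if e["type"] == "scim.deprovision" and e["user"] == user]
    return min(hits, key=lambda e: e["ts"]) if hits else None


def review_departures(inventory, departures, events, max_delay=MAX_REVOCATION_DELAY):
    """Check every leaver and return a dict of user -> list of findings.

    An empty list means the departure is fully evidenced: account disabled,
    no residual access, and a deprovisioning event logged within max_delay
    of the last working day.
    """
    findings = {}
    for user, last_day in departures.items():
        issues = []
        record = inventory.get(user)
        if record is None:
            issues.append("no inventory record")
        else:
            if record["status"] != "disabled":
                issues.append("account still active")
            if record["access"]:
                issues.append("residual access: " + ", ".join(sorted(record["access"])))
        event = deprovision_event(events, user)
        if event is None:
            issues.append("no deprovisioning event logged")
        elif event["ts"] - last_day > max_delay:
            issues.append(f"deprovisioned late: {event['ts'] - last_day}")
        findings[user] = issues
    return findings


def unrevoked_users(findings):
    """Departures the auditor would flag: any leaver with at least one finding."""
    return sorted(u for u, issues in findings.items() if issues)


def access_matrix(inventory):
    """Invert the inventory: resource -> sorted active users who can reach it."""
    matrix = {}
    for user, record in inventory.items():
        if record["status"] != "active":
            continue
        for resource in record["access"]:
            matrix.setdefault(resource, []).append(user)
    return {r: sorted(us) for r, us in sorted(matrix.items())}


if __name__ == "__main__":
    for user, issues in review_departures(INVENTORY, DEPARTURES, EVENTS).items():
        print(user, "OK" if not issues else "; ".join(issues))
    for resource, users in access_matrix(INVENTORY).items():
        print(resource, "->", users)
```

With the constructed data, bob's departure is fully evidenced, carol is still active with residual access and no deprovisioning event, and dave was disabled but kept one entitlement and was deprovisioned 17 days after leaving. The same reconciliation run against a real inventory export and SCIM event history is the evidence an auditor asks for in Step 3.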

Step 4 — Password Management (Demonstrable)

Olivier demonstrates that:

  • Passwords are stored in an encrypted vault
  • Users do not know the passwords for critical applications
  • Authentication is done via VaultysID (without a password) or SSO

Impact

  Without SmartLink                 | With SmartLink
  ----------------------------------|---------------------------------------
  Weeks of information collection   | Data available immediately
  Difficult to provide evidence     | Comprehensive and exportable history
  Theoretical policies              | Applied and verifiable policies
  Stressful and costly audit        | Smooth and documented audit

Features Used