The start of an annual financial audit usually generates a collective groan among employees. It interferes with work and can feel like an uncomfortable cross-examination for those involved. IT security compliance audits can easily engender the same reaction if they're not handled correctly.
Seeing it as an opportunity to provide feedback on how security is benefiting or hindering their work will encourage employees to view the exercise in a more positive light.
But these audits should not be seen as a chore or unwelcome interruption to day-to-day network administration. They fulfill an important role in ensuring policies and procedures are being followed and the business is in compliance with relevant standards and legislation. So how do you go about making regulatory IT audits more palatable and successful?
A good approach is to conduct self-assessment audits so you prepare your business for formal inspection by an independent auditor. This type of security system assessment simplifies the process and reduces the resources required to complete more formal audits. To reduce the stress and strain of formal audits, self-assessment audits need to be conducted to similar standards, so scope and findings need to be fully documented and formally reported. These reports play a valuable role in ensuring any shortcomings in the state of security controls and compliance are noticed and rectified more than once a year.
To ensure minimal disruption, the internal security audit needs to be well planned and the benefits promoted to those who will be affected. It should be stressed that, while the auditors will be checking how well security controls are working, they will also be looking to see where and how controls can be improved, not only in terms of security, but in usability and practicality as well.
Seeing it as an opportunity to provide feedback on how security is benefiting or hindering their work will encourage employees to view the exercise in a more positive light. It will also highlight where security controls may be damaging productivity or not fulfilling their intended roles.
The first tasks are to get all parties affected by the audit to agree to the scope of the audit, determine what technology and manpower resources are required, the amount of time required to complete the audit -- both for the audit team and the business unit being audited -- and then agree to a date for the audit when all resources will be available and normal operations will be least affected. The head of internal audit should be the person responsible for planning audit activities and, obviously, will need to work closely with the heads of IT and the key stakeholders in the business unit(s) or system(s) to be audited who will need to sign off on the proposed scope and timetable.
The scope can include business units, locations, systems and even third parties. The security standards against which compliance is audited will be based on the classifications and security requirements of the data being handled. These standards may be your own data security, integrity and availability policies, regulatory requirements or standards, or industry best practices. The auditors will compare the standards in these policies and requirements with data gathered during the audit to check “what is” against “what should be.”
A large enterprise may have its own internal audit team; if not, then employees nominated to perform the audit will need some formal training and must be cleared to have access to any sensitive locations or data covered by the audit. Obviously, for the audit to be impartial, the people involved must be independent from the business unit being audited.
To further minimise disruption and the resources required, self-assessment audits are best conducted in two stages:
- Adequacy audit: a document-based review of the adequacy of policies and procedures for protecting data and managing information risk.
- Compliance audit: an evidence-based assessment of the implementation and effectiveness of the policies and procedures.
By conducting an adequacy audit first, much of the work can be completed off-site and recommendations for corrective actions to address shortcomings can be completed prior to the start of the compliance audit. There is no point checking if a unit or system is compliant if there aren't sufficient documented policies and procedures already in place for it to adhere to.
All documents should be fit for purpose. For example, an incomplete or out-of-date policy shouldn’t be accepted as evidence of compliance. On the other hand, poorly written policies, where scope, responsibilities or requirements aren't crystal clear, can be given the benefit of the doubt as long as they are flagged as a minor non-compliance or observation in the audit report. Once the adequacy audit is completed satisfactorily, then the compliance audit can begin. This mainly involves questioning the key stakeholders identified in the audit plan.
If serious problems are identified during this stage of the audit, a corrective action plan should be drawn up so they can be tackled without having to wait for the full report, where they should appear as non-compliances. Ideally, an audit should assess compliance with every mandatory measure in scope. In many instances, this isn’t going to be realistic, in which case, audits should focus on higher-risk areas: a single location, business unit, system, application or project. If the workload is still too much given your resources, consider sampling, focusing on the key security controls.
Treating these audits as a checkbox exercise is not the goal; protecting network resources and data is. Audits won’t guarantee a network is secure, but the systematic examination and verification of network security acts as a potent control, testing whether it’s doing the right job and doing it as expected. Audits provide important feedback on the state of an organisation's security strategy and an opportunity to demonstrate the importance of information security to senior management, while also giving employees the opportunity to give feedback on how security affects their work, both positively and negatively.
Auditing is an iterative process for assessing compliance and supporting continued improvement. Future audits should obviously cover areas that have not been sampled or have previously been identified as weak, and where hardware, software, policies or procedures have changed. The real benefits come from implementing an audit’s recommendations and dealing with any reported concerns. Use the current level of compliance as a benchmark to be improved upon ahead of formal and third-party reviews. This type of goal setting will help to promote a culture of continuous review and improvement.
About the author:
Michael Cobb, CISSP-ISSAP, CLAS is a renowned security author with more than 15 years of experience in the IT industry. He is the founder and managing director of Cobweb Applications, a consultancy that provides data security services delivering ISO 27001 solutions. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications.Cobb serves as SearchSecurity.com’s contributing expert for application and platform security topics, and has been a featured guest instructor for several of SearchSecurity.com’s Security School lessons.
This was first published in August 2011