How an audit can shore up your security strategy

A review of network security is much like a personal tax audit, but a bit less painful.

Information security audits are on the rise, as organizations look to not only bolster their security postures, but demonstrate their efforts to other parties such as regulators.

Audits, which are measurable technical assessments of systems, applications and other IT components, can involve any number of manual and automated processes. Whether conducted by internal auditors or outside consultants, they are an effective way for companies to evaluate where they stand in terms of protecting data resources.

The high-profile data breaches of recent years have forced many organizations to take a closer look at their security technologies and policies, experts say.

“Public exposure to the steady volume of company breaches has led to increased scrutiny from legislators and compliance organizations,” says David Barton, CISO at security technology provider Websense. “A comprehensive security audit program is one way to satisfy the scrutiny of those compliance organizations.”

Audits can be complex, however. There are many standards in use, including some for regulated industries as well as independent standards developed by active industry control groups, says Sean Pike, program director, eDiscovery and Information Governance, at research firm International Data Corp. (IDC).

“For each standard there are many more attempts at encapsulating the required audit components into control or common-control frameworks meant to guide the security audit,” Pike says. “Each control framework typically has a tremendous amount of controls that are meant to assist [an] audit—anything from user passwords to data storage or physical controls. An audit can be overwhelming for even the most mature organization.”

Trends such as the rise in cloud services and mobile technologies are making audits even more complicated.


“One of the immediate ways that an audit is affected is that it’s more difficult to determine where enterprise data is or where it moves throughout the course of a business process,” Pike says.

Here are some suggestions from experts on how to conduct an effective security audit:

Scope out the audit and do the necessary prep work. “The keys to a successful audit start long before the audit is actually conducted,” says Rich Wyckoff, manager of information security at Fletcher Allen Health Care.

Develop the scope for the audit and work with the auditors beforehand to agree on what they will be auditing. “I’m of the mindset that I want an auditor to help me find pieces of the business I don’t know about,” Wyckoff says. “While no one likes to see the dirty laundry of their organization, we can’t address and resolve what we don’t know is a problem.”

By developing the scope up front with the auditors, IT security can ensure that the auditors will spend time reviewing certain parts of business operations and give security an impartial view of those operations.

Along with scoping the audit, IT security needs to work with auditors to understand what else they might have on their agenda.

“Different audits may require different resources, so understanding the audit scope and schedule up front allows you to make sure that the appropriate individuals attend the necessary meetings,” Wyckoff says. “There’s nothing worse than sitting down for an audit meeting to quickly realize you do not have the appropriate resources in the room to answer the questions the auditors were looking to ask.”

Once the scope is identified and agreed upon, you can start on the prep work. “It is a good idea to get a list of requested items from the auditors in advance so you know exactly what documentation they will be looking for,” Wyckoff says. “If any cloud services are within the scope of the audit, you may want to request any service audits such as a SOC 1 or SOC 2 audit from the service organization.”

When preparing for an audit, it’s critical to understand what the auditors are looking at and how it’s relevant to your environment, adds Josh Feinblum, vice president of information security at security technology company Rapid7.

“Your preparation and response are wholly driven by the evaluated controls and purpose of the audit,” Feinblum says. “Are the auditors using prescriptive benchmarks like ISO 27001, FedRAMP, or PCI DSS? Is the audit being done to help your organization improve its controls?”

Eliminate any disconnect between IT and the compliance/audit function. “This is drastically important,” Pike says. “One of the biggest problems with IT audit is that the results are often meaningless. The reason they are meaningless is because IT controls and audit control tests don't always get to the root of a potential risk.”

For example, a control test might request verification that user passwords are changed every 30 days. “In response, an IT professional might provide the auditor with a screenshot of a domain policy that, sure enough, shows a box that is checked and a setting of 30 days for changing passwords,” Pike says.

“The problem is that this evidence alone doesn't actually tell an auditor enough to actually verify that all users are forced to change their passwords every 30 days,” Pike says. “There could be a number of exceptions or technological problems that allow user passwords to remain unchanged indefinitely.”
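The kind of evidence Pike is describing, as an added example that is not from the article or from any of the people it quotes: instead of a screenshot of the domain policy, pull the per-account attributes that decide whether the policy actually applies to each account and list the exceptions. The export below is constructed, with hypothetical account names, so the script runs offline; in practice the rows would come from an LDAP or Active Directory export. The userAccountControl bit values and the pwdLastSet FILETIME encoding are real Active Directory conventions.

```python
"""Verifying a 30-day password-expiry control from directory state, not a screenshot.

Added example; not code from the article or from any of the people quoted.
It reads a constructed export of account attributes (hypothetical account
names) instead of querying a live Active Directory, so it runs offline.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_PASSWORD_AGE_DAYS = 30          # what the domain-policy screenshot shows

# Real Active Directory userAccountControl bit flags.
UAC_ACCOUNTDISABLE = 0x0002         # account is disabled
UAC_DONT_EXPIRE_PASSWD = 0x10000    # "Password never expires": bypasses max age

# pwdLastSet is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    # Integer arithmetic throughout: a float here would lose microseconds.
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def audit_password_ages(export_csv: str, now: datetime,
                        max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> list[dict]:
    """Return one finding per account whose state contradicts the policy.

    Flags accounts exempted with DONT_EXPIRE_PASSWD, accounts whose password
    is older than the policy allows, and accounts with pwdLastSet == 0
    (password never set / must change at next logon), which an auditor
    should at least see listed. Disabled accounts are reported, not skipped.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        name = row["sAMAccountName"]
        uac = int(row["userAccountControl"])
        pwd_last_set = int(row["pwdLastSet"])
        disabled = bool(uac & UAC_ACCOUNTDISABLE)

        if uac & UAC_DONT_EXPIRE_PASSWD:
            issue = "exempt from expiry (DONT_EXPIRE_PASSWD set)"
        elif pwd_last_set == 0:
            issue = "pwdLastSet is 0 (never set / must change at next logon)"
        else:
            age_days = (now - filetime_to_datetime(pwd_last_set)).days
            if age_days <= max_age_days:
                continue            # compliant: nothing to report
            issue = f"password age {age_days} days exceeds {max_age_days}-day policy"
        findings.append({"account": name, "issue": issue, "disabled": disabled})
    return findings


# Constructed sample export, relative to a fixed audit date so the result is
# reproducible. 512 = NORMAL_ACCOUNT; 66048 = 512 | 0x10000; 514 = 512 | 0x2.
AUDIT_DATE = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_EXPORT = """sAMAccountName,pwdLastSet,userAccountControl
alice,{recent},512
svc_backup,{old},66048
bob,{old},512
carol,0,512
olduser,{old},514
""".format(
    recent=datetime_to_filetime(AUDIT_DATE - timedelta(days=10)),
    old=datetime_to_filetime(AUDIT_DATE - timedelta(days=200)),
)


def sample_findings() -> list[dict]:
    return audit_password_ages(SAMPLE_EXPORT, AUDIT_DATE)


if __name__ == "__main__":
    for f in sample_findings():
        state = "disabled" if f["disabled"] else "enabled"
        print(f"{f['account']:<12} {state:<9} {f['issue']}")
```

On the constructed data the report lists the service account exempted by the never-expires flag, two accounts whose passwords are 200 days old (one of them disabled), and one account that has never set a password; the one compliant user is silent. The script assumes a single domain-wide maximum age; where fine-grained password policies are in use, the effective maximum for an account comes from its msDS-ResultantPSO rather than the domain default, and the check would have to read that per account.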

Unfortunately, there is often a lack of coordination between IT and the audit function. “The auditor has a task to do and the IT professional probably views it as a burden,” Pike says. The two need to communicate about exactly what’s needed.

Leverage efficiencies. For most organizations, a security audit is hard because there’s too much to do and a knowledge gap between the auditor and the IT group, Pike says.

“Over the last several years we've seen a concentration on narrowing the knowledge gap in two ways,” Pike says. One is by using frameworks that consolidate audit control tests. “Instead of auditing one control over and over to meet different standards, it’s more effective to understand that several standards require auditing a specific control. Audit that one control in a meaningful manner and pass the results through to every standard as opposed to doing a poor audit five times.”

The second, and probably more important way to narrow the gap, is to use analytics. “Especially for the enterprise market there have been significant advancements in injecting audit process into technology,” Pike says. “These solutions can eliminate false positives and create a focused view of where systems might have problems.”

Major auditing firms are leading the charge in developing customized systems in highly regulated industries to tackle well-known audit challenges, Pike says. “Currently some of these solutions can be expensive, but over the next few years should find their way into the mid-market,” he says.

Make sure the audit is comprehensive. The IT infrastructure now extends well beyond the walls of the organization, and the audit needs to reflect that.

“Our audits/assessments involve a cross-functional approach that involves an assessment of tools, processes and response procedures,” says Myrna Soto, corporate senior vice president and global CISO at media company Comcast. “The emergence of mobile technology and cloud services expands the technical capabilities required” to conduct an effective audit.

Traditional protocols can’t be assumed to be applicable for areas such as cloud-based computing capabilities or data storage, Soto says. “Testing containers and portability of data stores in the cloud—for us, a private cloud infrastructure—is important,” she says.

“Network zoning has evolved as a result of cloud infrastructure capabilities and effective assessments/audits must account for multiple vulnerabilities.”

As an example, network security audits account for one vector, but when you’re assessing something for the Internet of Things, including multiple connected devices performing multiple functions, that requires a comprehensive end-to-end assessment of security protocols for a variety of transactions, Soto says.

“Protocols can include access controls, data masking, authentication and intrusion prevention,” Soto says. “Needless to say, the evolution of technologies has required an evolution of assessment needs and ultimately audit practices.”

Barton agrees that security audits need to be comprehensive and cover areas such as understanding all ingress and egress points for data within the organization and the controls applied to those points; knowing where all sensitive information is stored within the organization; knowing what systems support revenue generation and where they reside related to security controls; and evaluating internal security policies.

Ensure strong audit leadership. Whoever owns the audit function, whether it’s the CFO, CIO or some other executive, must be held responsible for the results and effectiveness of an audit.

“Hopefully, this will create the culture change necessary to perform effective audits,” Pike says. “It doesn't necessarily mean that a breach is his or her fault. What it does mean, however, is that the audit owner should ensure that employees in [the] organization can answer difficult questions about IT capabilities and architecture.”

If an auditor goes out to the field to audit a development workflow in an environment regulated by the Health Insurance Portability and Accountability Act and knows little about HIPAA, development processes or the actual workflow, the audit isn't going to work, Pike says. “Auditors must have the requisite knowledge required to approach [an] audit with skepticism,” he says.

Those in charge need to make sure audits account for the latest technology trends within the organization. The combined influence of mobile, cloud, big data/analytics and social media has brought about new challenges for security auditors.

“It is a steep learning curve for the auditors along with the CIOs, CISOs and risk professionals,” says Khushbu Pratap, principal research analyst at Gartner. “Digital business innovation disrupts risk and security management. Clearly, this also brings about new challenges on providing independent assurance on such risks.”

Stories by Bob Violino