Information security audits are on the rise, as organizations look to not only bolster their security postures, but demonstrate their efforts to other parties such as regulators.
Audits, which are measurable technical assessments of systems, applications and other IT components, can involve any number of manual and automated processes. Whether conducted by internal auditors or outside consultants, they are an effective way for companies to evaluate where they stand in terms of protecting data resources.
The high-profile data breaches of recent years have forced many organizations to take a closer look at their security technologies and policies, experts say.
“Public exposure to the steady volume of company breaches have led to increased scrutiny from legislators and compliance organizations,” says David Barton, CISO at security technology provider Websense. “A comprehensive security audit program is one way to satisfy the scrutiny of those compliance organizations.”
Audits can be complex, however. There are many standards in use, including some for regulated industries as well as independent standards developed by active industry control groups, says Sean Pike, program director, eDiscovery and Information Governance, at research firm International Data Corp. (IDC).
“For each standard there are many more attempts at encapsulating the required audit components into control or common-control frameworks meant to guide the security audit,” Pike says. “Each control framework typically has a tremendous amount of controls that are meant to assist [an] audit—anything from user passwords to data storage or physical controls. An audit can be overwhelming for even the most mature organization.”
Trends such as the rise in cloud services and mobile technologies are making audits even more complicated.
Rich Wyckoff, manager of information security at Fletcher Allen Health Care
“One of the immediate ways that an audit is effected is that it’s more difficult to determine where enterprise data is or where it moves throughout the course of a business process,” Pike says.
Here are some suggestions from experts on how to conduct an effective security audit:
Scope out the audit and do the necessary prep work. “The keys to a successful audit start long before the audit is actually conducted,” says Rich Wyckoff, manager of information security at Fletcher Allen Health Care.
Developing the scope for the audit and work with the auditors beforehand to agree on what they will be auditing. “I’m of the mindset that I want an auditor to help me find pieces of the business I don’t know about,” Wyckoff says. “While no one likes to see the dirty laundry of their organization, we can’t address and resolve what we don’t know is a problem.”
By developing the scope up front with the auditors, IT security can ensure that the auditors will spend time reviewing certain parts of business operations and give security an impartial view of those operations.
Along with scoping the audit, IT security needs to work with auditors to understand what else they might have on their agenda.
“Different audits may require different resources, so understanding the audit scope and schedule up front allows you to make sure that the appropriate individuals attend the necessary meetings,” Wyckoff says. “There’s nothing worse than sitting down for an audit meeting to quickly realize you do not have the appropriate resources in the room to answer the questions the auditors were looking to ask.”
Once the scope is identified and agreed upon, you can start working the prep work. “It is a good idea to get a list of requested items from the auditors in advance so you know exactly what documentation they will be looking for,” Wyckoff says. “If any cloud services are within the scope of the audit, you may want to request any service audits such as a SOC 1 or SOC 2 audit from the service organization.”
When preparing for an audit, it’s critical to understand what the auditors are looking at and how it’s relevant to your environment, adds Josh Feinblum, vice president of information security at security technology company Rapid7.
“Your preparation and response are wholly driven by the evaluated controls and purpose of the audit,” Feinblum, says. “Are the auditors using prescriptive benchmarks like ISO 27001, FedRAMP, or PCI DSS? Is the audit being done to help your organization improve its controls?”
Eliminate any disconnect between IT and the compliance/audit function. “This is drastically important,” Pike says. “One of the biggest problems with IT audit is that the results are often meaningless. The reason they are meaningless is because IT controls and audit control tests don't always get to the root of a potential risk.”
For example, a control test might request verification that user passwords are changed every 30 days. “In response, an IT professional might provide the auditor with a screenshot of a domain policy that, sure enough, shows a box that is checked and a setting of 30 days for changing passwords,” Pike says.
“The problem is that this evidence alone doesn't actually tell an auditor enough to actually verify that all users are forced to change their passwords every 30 days,” Pike says. “There could be a number of exceptions or technological problems that allow user passwords to remain unchanged indefinitely.”
Unfortunately, there is often a lack of coordination between IT and the audit function. “The auditor has a task to do and the IT professional probably views it as a burden,” Pike says. The two need to communicate about exactly what’s needed.
Leverage efficiencies. For most organizations, a security audit is hard because there’s too much to do and a knowledge gap between the auditor and the IT group, Pike says.
“Over the last several years we've seen a concentration on narrowing the knowledge gap in two ways,” Pike says. One is by using frameworks that consolidate audit control tests. “Instead of auditing one control over and over to meet different standards, it’s more effective to understand that several standards require auditing a specific control. Audit that one control in a meaningful manner and pass the results through to every standard as opposed to doing a poor audit five times.”
The second, and probably more important way to narrow the gap, is to use analytics. “Especially for the enterprise market there have been significant advancements in injecting audit process into technology,” Pike says. “These solutions can eliminate false positives and create a focused view of where systems might have problems.”
Major auditing firms are leading the charge in developing customized systems in highly regulated industry to tackle well-known audit challenges, Pike says. “Currently some of these solutions can be expensive, but over the next few years should find their way into the mid-market,” he says.
Make sure the audit is comprehensive. The IT infrastructure now extends well beyond the walls of the organization, and the audit needs to reflect that.
“Our audits/assessments involve a cross-functional approach that involves an assessment of tools, processes and response procedures,” says Myrna Soto, corporate senior vice president and global CISO at media company Comcast. “The emergence of mobile technology and cloud services expands the technical capabilities required” to conduct an effective audit.
Traditional protocols can’t be assumed to be applicable for areas such as cloud-based computing capabilities or data storage, Soto says. “Testing containers and portability of data stores in the cloud—for us, a private cloud infrastructure—is important,” she says.
“Network zoning has evolved as a result of cloud infrastructure capabilities and effective assessments/audits must account for multiple vulnerabilities.”
As an example, network security audits account for one vector, but when you’re assessing something for the Internet of Things, including multiple connected devices performing multiple functions, that requires a comprehensive end-to-end assessment of security protocols for a variety of transactions, Soto says.
“Protocols can include access controls, data masking, authentication and intrusion prevention,” Soto says. “Needless to say, the evolution of technologies has required an evolution of assessment needs and ultimately audit practices.”
Barton agrees that security audits need to be comprehensive and cover areas such as understanding all ingress and egress points for data within the organization and the controls applied to those points; knowing where all sensitive information is stored within the organization; knowing what systems support revenue generation and where they reside related to security controls; and evaluating internal security policies.
Ensure strong audit leadership. Whoever owns the audit function, whether it’s the CFO, CIO or some other executive, must be held responsible for the results and effectiveness of an audit.
“Hopefully, this will create the culture change necessary to perform effective audits,” Pike says. “It doesn't necessarily mean that a breach is his or her fault. What it does mean, however, is that the audit owner should ensure that employees in [the] organization can answer difficult questions about IT capabilities and architecture.”
If an auditor goes out to the field to audit a development workflow in an environment regulated by the Health Insurance Portability and Accountability Act and knows little about HIPAA, development processes or the actual workflow, the audit isn't going to work, Pike says. “Auditors must have the requisite knowledge required to approach [an] audit with skepticism,” he says.
Those in charge need to make sure audits account for the latest technology trends within the organization. The combined influence of mobile, cloud, big data/analytics and social media has brought about new challenges for security auditors.
“It is a steep learning curve for the auditors along with the CIOs, CISOs and risk professionals,” says Khushbu Pratap, principal research analyst at Gartner. “Digital business innovation disrupts risk and security management. Clearly, this also brings about new challenges on providing independent assurance on such risks.”