Opinion: Getting the best out of your IT security auditor

Matthew Hackling ~ Ronin Security Consulting ~ Enex TestLab

Many IT managers and their teams treat an audit of their IT function as if it was a trip to the dentist for a root canal.  More informed operators will realise that IT audit, particularly internal audit can assist them in gaining visibility with management of known and often  ignored issues and securing funding and management commitment. 

The following are tips to help you get the most out of an IT audit of your IT security by avoid disruption, piecemeal activities and duplication of effort.

  1. Define the Approach
    1. Define the standards you will be assessed to.  Will this be an assessment against industry standards like ISO 27001/2, regulation like PCI-DSS or your current information security management system (i.e. policy, standards etc.)?  Avoid assessments based on “best practice” or you will end up with findings dreamed up by the inexperienced to fill a report.
    2. Define the finding rating criteria .  Non-compliance with your own standard should be agreed to be a finding of some significance. Non-compliance with an industry standard should be an “opportunity for improvement”
  2. Define the Scope
    1. Define which aspects of the standards will be assessed (e.g. which ISO 27002 domains ?)
    2. Define which business units and business processes will be assessed
    3. Define which systems will be assessed (payroll, general ledger, your key application that makes you money etc.)
  3. Ask for a consolidated request for information from the auditor as a first step, this will avoid constant interruptions of your personnel:
    1. Assign collating of information for submission to one individual
    2. Assign collection of requested information to relevant subject matter experts within the business
  4. Suggest issues for investigation to the auditor that are of concern, along with suggested recommendation. For example “We have issues with restricting privileged access to systems, we could really do with an Identity Management program of works to implement some software to help us with this.”
  5. Check the accuracy of findings in the draft report.  If the auditor has got it wrong, provide some evidence to the contrary and suggested re-wording.
  6. If there is a difference of opinion over an issue, request that they include a “management response” putting forward the IT function’s position on the issue in question
  7. Follow up on the findings and implement the suggested recommendations or work-arounds if the suggested recommendation is not practical.  This will avoid a deja-vu experience in the future.

I hope all these tips help you to get the best out of your IT auditor.

Follow CSO Australia on Twitter: @CSO_Australia

CSO Contributors | About Us:

Matthew Hackling B.Sc. (Security) CISSP

Matthew has over ten years experience operating solely in the area of information security, holds a Bachelors degree in security management from ECU and is also a CISSP. He is a former Account Director in Deloitte’s Security & Privacy Services practice. Matthew has led security testing teams on assessments of large core systems replacement projects for banking institutions.  He operates more in the area of information security governance these days, despite his urges still stay a bit technical.  Hence he plays with backtrack linux, metasploit and new web application security assessment tools in his rare free time.  Currently he runs his own consultancy called Ronin Security Consulting and holds the title of General Manager of Security Testing at Enex TestLab.  He is an active member of the Australian Information Security Association, and held the office of Melbourne Branch Executive for a number of years.  Matt’s security blog is called Infamous Agenda and he is an active twitter user with the handle @mhackling 

[ Recieve the top security news in your inbox - CSO Brieifng newsletters]