Passing an Information Security Audit – Understanding the Audit Process

Article by Ben Rothke
Published on Sep 24, 2008

Introduction

An audit is a systematic examination against defined criteria to determine whether activities conform to plan and whether those arrangements are implemented effectively enough to achieve the company’s policies and objectives. Yet few words strike more fear into IT staff than “audit”. People become gloomy at the thought of one, but it doesn’t have to be that way.

Mark Twain said “if you tell the truth, you don't have to remember anything”. Unfortunately, some organizations don’t tell the truth when it comes to information security. Decades of not giving security the priority it deserves have led to today’s situation: far too many networks running on an ineffective security infrastructure, unpatched systems, users with no security training, and so on. Such an organization should indeed fear an audit.

An audit should instead be seen as an opportunity for an objective, skilled and impartial review of the security program, one that results in concrete suggestions for improvement. Approached that way, it brings out the best in both the audit and the security teams.

While IT is new to the regulatory scene, other industries have long lived with regulatory bodies: the FDA for pharmaceuticals, the FAA for aviation, the SEC for financial services, and so on.

Today’s IT environments aren’t the IT shops of old, when security was simply keeping the bad guys out. Today, security is about understanding and managing controls so that accountability can be assigned. The penalties for non-compliance are real: under Sarbanes-Oxley, for example, willfully certifying a false financial report carries fines of up to $5 million and prison terms of up to 20 years.

Many are intimidated by an information security audit. But computer security is simply attention to detail and good design, combined with good project management. If you apply those three disciplines across all of your information security work, your chances of passing an audit increase greatly.

Audit, risk and audit frameworks

Pragmatic organizations address audit and compliance from a risk-driven model. That approach allows resources to be prioritized around business risks. This ensures that resources allocated are directly in line with those that contribute to the achievement of corporate objectives.

A risk management approach to information security is gaining favor in corporate America. But the challenge is that risk management isn’t the straightforward or plug-and-play issue that many organizations want.

If you took the myriad domestic and international security and privacy regulations and laid them side by side, you would find significant overlap; in the author’s estimate, roughly 80% of the requirements are common to all of them. Be it SOX, HIPAA, FISMA, PCI, or the countless other regulations coming down the pike, they all deal with the same fundamental issues of computer security and privacy.

With that much overlap, an audit is much easier if you base your security program on a security framework. There are many in use, among them ISO 17799 (since renumbered ISO/IEC 27002) and COBIT. If you attempt to tackle every regulatory mandate individually, you’ll quickly be overwhelmed. By developing a security program on a comprehensive framework, you start roughly 80% of the way to compliance with any given regulation.

Once the framework and associated controls are established, you then map them to the regulations, making adjustments where necessary. The problem that’s frustrating for many security professionals is that their organizations are basing their security program on individual compliance mandates, and such programs have to be updated with every new regulation.

Building on such a framework is the cornerstone of a compliance program management system: a formal system of risk management that can show the audit requirements, and the work done to meet them, were adequately planned and supervised. The beauty of a compliance program management system is that it clearly demonstrates that your internal controls have been studied and evaluated.

Notice that the operative word here is formal. A few IDS sensors rolled out over the previous weekend don’t demonstrate that, and neither do security hardware and software deployed without proper policies, documentation and administrator training. That is cramming for compliance, the antithesis of a formal approach.

Management

The ultimate success or failure of an audit depends on how committed management is. If management cares, you’ll likely pass. If management doesn’t care or is clueless, you’ll fail. Unfortunately, far too much of corporate management doesn’t get security.

Information security isn’t something you buy, it’s something you get. The challenge is having management get it. But getting management to proactively think about information security is like getting a child to eat their vegetables.

There are instances where management, on being notified of an audit failure, responded by firing members of the security group. If you find yourself in an organization where management doesn’t give security and audit the staff and budget they require, keep your resume updated and stay in touch with recruiters.

In the event that management asks you to lie, or hints that your job may be at risk if the audit is failed, seek legal counsel immediately. According to Louis Brilleman, counsel at Sichenzia Ross Friedman Ference in New York City, a law firm specializing in securities and regulatory matters: “if management asks you or pressures you to sign off on something that is false, they may expose themselves to a charge of intimidation, a criminal offense in most jurisdictions, when coupled with a threat of termination. In such a case, you should seek legal counsel, since complying with management's request will make the person an accomplice, which could potentially result in fines and jail sentences.”

No surprises

You shouldn’t be surprised by your audit results. To check, take this one-minute pre-audit quiz:

  1. Does your organization have a CISO?
  2. Is there a formal business security program in place designed to protect corporate information assets?
  3. Have short-term and long-term strategies for mitigating the risks and exposures relevant to your security program been developed?
  4. Does your organization focus on information security as a process, not a set of products or regulatory items to be checked-off?
  5. Has your organization identified all regulatory requirements you fall under?

If you answered yes to four or more, you are well positioned to pass the audit. If you answered yes to one or fewer, your management is derelict in its duties and needs to start taking security seriously. This is imperative, because customers and clients expect management to run the business in a manner that manages risk.

The Audit

Passing an audit requires knowing its process, which comes down to preparation. Preparation is crucial, and you shouldn’t wait until the last minute: audit preparation takes weeks or months. As stated earlier, good computer security, and hence good audit practice, is attention to detail and good design combined with good project management. If you apply these principles, you are ahead of the pack.

The following seven steps will help you pass an audit:

  1. Think like a wedding planner – Wedding guides have checklists for two years out, one year out, and so on down to the wedding day. That attention to detail is what separates a memorable wedding from a forgettable one. Apply the same diligence to your audit.
  2. Know the depth of the audit – Not all audits are created equal. Some are marathons, others sprints. Determine whether the scope is limited to a single application running in a remote office or extends all the way up to an enterprise-wide audit.
  3. Ensure appropriate staff members are available – Audit preparation takes time. Ensure staff are formally assigned to getting it done.
  4. Ensure staff members have adequate seniority and access – Sending a junior person to request audit items from senior management is a poor strategy, and assigning an inexperienced person to the task insults the auditors. The people you assign to the audit must also have the access rights needed to retrieve the required material from the network.
  5. Know the regulation – It’s surprising how many people execute the requirements of an audit without having read the text of the regulation. Have you read SOX, GLBA, HIPAA, etc.? While they aren’t The Da Vinci Code, reading them and understanding the vernacular will help you see how you comply with each regulatory point.
  6. Communicating with the auditors – Keep your relationship with the auditors on a formal business footing: cordial but professional. The following are essential:
     • Respond honestly and in a timely fashion
     • Don’t lie
     • Always follow through
     • Communicate openly and directly
     • Don’t point the finger at others
     • Don’t send auditors on a wild goose chase
  7. Dealing with the auditors – Don’t fall into a subordinate relationship with the auditor. You are assisting them, but you don’t work for them. You can ask the auditor questions, but don’t depend on them for guidance. Even though they will likely know the regulations better than you, don’t rely on them for answers to regulatory questions.

Policies, Documentation and Controls

One of the first things auditors do is ask to see your information security policies. Policies are the written documents that specify how an organization will manage, protect and distribute information. You need to know which policies exist and what they do and don’t cover. Auditors will want them at the start of the audit, so have copies ready in both electronic and printed form.

Documentation is an auditor’s best friend. Good documentation is evidence that you have done your due diligence. Auditors use it, in part, to determine whether your information security design and controls are adequate, and they view it as an essential element of audit quality. Documentation requests fall into different areas, but generally include the following:

  • Policies
  • Procedures
  • Previous audit reports
  • Risk assessments
  • Network diagrams
    • Accurate network map listing all network elements down to the wiring closet level
    • Servers, switches, hubs, firewalls, routers, etc.
    • A good auditor won’t simply trust the diagrams to be the absolute truth: they will verify.
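The last point deserves a practical check before the auditor does it for you. The script below is an added example, not part of the original article: it reconciles a documented inventory (what the network diagram or asset register claims) against what a discovery scan actually observed, and flags undocumented hosts, stale entries, hosts outside the documented address ranges, and hosts whose open ports contradict their documented role. The inventory, scan results, address range and expected-port baseline are all constructed, hypothetical data; in practice you would load the inventory from your CMDB export and the discovery results from your scanner’s output.

```python
"""Check a documented network inventory against what a discovery scan actually found."""
from dataclasses import dataclass, field
import ipaddress

# Constructed inventory, as it would be extracted from the diagram or CMDB
# handed to the auditor (hypothetical hosts).
DOCUMENTED = [
    {"ip": "10.0.1.10", "name": "fw-edge-01", "role": "firewall", "closet": "MDF"},
    {"ip": "10.0.1.20", "name": "sw-core-01", "role": "switch", "closet": "MDF"},
    {"ip": "10.0.2.5", "name": "web-01", "role": "web server", "closet": "IDF-2"},
    {"ip": "10.0.2.6", "name": "db-01", "role": "database", "closet": "IDF-2"},
    {"ip": "10.0.3.40", "name": "print-03", "role": "printer", "closet": "IDF-3"},
]
# Constructed discovery result: IP -> open TCP ports observed by the scanner.
DISCOVERED = {
    "10.0.1.10": {22, 443},
    "10.0.1.20": {22, 161},
    "10.0.2.5": {80, 443},
    "10.0.2.7": {3306},             # not on any diagram
    "10.0.3.40": {9100, 22, 3389},  # a "printer" with SSH and RDP open
    "192.168.50.3": {445},          # outside every documented range
}
# Ports each documented role is expected to expose (assumed baseline); anything
# else is a discrepancy to explain before the auditor asks about it.
EXPECTED_PORTS = {
    "firewall": {22, 443}, "switch": {22, 161}, "web server": {80, 443},
    "database": {3306, 5432, 1433}, "printer": {9100, 631},
}
DOCUMENTED_RANGES = [ipaddress.ip_network("10.0.0.0/16")]  # assumed site range


@dataclass
class Reconciliation:
    undocumented: list = field(default_factory=list)   # seen, not on the diagram
    missing: list = field(default_factory=list)        # on the diagram, not seen
    out_of_range: list = field(default_factory=list)   # seen outside documented ranges
    role_mismatch: dict = field(default_factory=dict)  # ip -> ports the role should not expose


def reconcile(documented, discovered, expected_ports, ranges) -> Reconciliation:
    r = Reconciliation()
    by_ip = {d["ip"]: d for d in documented}
    for ip, ports in discovered.items():
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in ranges):
            r.out_of_range.append(ip)
        if ip not in by_ip:
            r.undocumented.append(ip)
            continue
        unexpected = ports - expected_ports.get(by_ip[ip]["role"], set())
        if unexpected:
            r.role_mismatch[ip] = sorted(unexpected)
    r.missing = [ip for ip in by_ip if ip not in discovered]
    # Sort numerically by address rather than as strings.
    for lst in (r.undocumented, r.missing, r.out_of_range):
        lst.sort(key=ipaddress.ip_address)
    return r


def report(r: Reconciliation) -> list:
    """Plain-language lines suitable for the documentation package."""
    lines = [f"Undocumented host: {ip}" for ip in r.undocumented]
    lines += [f"Documented but not found (stale entry?): {ip}" for ip in r.missing]
    lines += [f"Host outside documented address ranges: {ip}" for ip in r.out_of_range]
    lines += [f"{ip} exposes ports not expected for its documented role: {ports}"
              for ip, ports in r.role_mismatch.items()]
    return lines


if __name__ == "__main__":
    for line in report(reconcile(DOCUMENTED, DISCOVERED, EXPECTED_PORTS, DOCUMENTED_RANGES)):
        print(line)
```

On the sample data this yields five discrepancies: two undocumented hosts (one of them also outside the documented ranges), one stale database entry, and a “printer” exposing SSH and RDP. Each of those is exactly the kind of gap an auditor will find by verifying the diagram, so resolve or document them first.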

Documentation should be written in a style auditors can easily understand. Write it like a For Dummies book: avoid technical jargon and use diagrams and illustrations wherever possible. Most auditors are less technical than they think they are, so plain-language documentation makes their job easier and keeps them happy.

Documentation takes a significant amount of time and effort and can’t be rushed. Auditors can tell when documentation is rushed and that’s a sure way to infuriate them.

Understanding Your Risk Profile – Phase 1 - Vulnerability Assessment

Step one in identifying IT risks and deficiencies is a comprehensive vulnerability assessment (VA). VA software examines a device’s configuration and services to identify known vulnerabilities such as missing patches, weak configurations and default credentials. The auditor, working with internal staff, can then recommend changes wherever a vulnerability is found. Internet-facing hosts can be assessed from a remote site, but internal systems generally require some form of internal presence, either in person or via a dedicated internal scanning appliance.

It’s more important than ever to run VA tools, because the window in which to remediate vulnerabilities keeps shrinking. In years past, companies often waited months to remediate a system; in time that decreased to weeks and then days. Zero-day attacks, which exploit holes for which no fix is yet available, make the point sharper still. A scanner can only report what it has a check for, so it will not find a flaw nobody yet knows about; what it can do, once a check is published and before a patch is, is show which systems are exposed so the organization can decide on compensating controls rather than simply wait.

To make the VA process valuable and sustainable, organizations must put internal processes in place that provide ongoing, systematic scanning with prompt notification and tracking of each vulnerability, all supported by a detailed audit trail.

Anything less is a vulnerability management system that isn’t fully effective.

Understanding Your Risk Profile – Phase 2 - Remediation

The VA scan is what usually interests management, who ask “how many vulnerabilities were discovered and how long will they take to fix?”. Not all vulnerabilities are created equal, and focusing on the raw count is short-sighted. The main criterion in the remediation phase is to act on the assessment’s findings in order of severity and exposure, bringing non-compliant systems to an acceptable level of compliance.

Understanding Your Risk Profile – Phase 3 - Validation

The validation phase is where systems are checked against policy and verified to be patched and remediated; a finding that reappears on the next scan has not been fixed, however the ticket reads. From a regulatory perspective, VA tools offer customized plug-ins that can assess compliance against SOX, PCI, HIPAA, FISMA and more, and report templates for the various kinds of regulatory compliance, security policy compliance, and compliance with a data privacy policy.

Many companies take a three-pronged approach to using VA software for regulatory compliance. First, they use the tools to map regulations to frameworks, policies and standards. They then integrate the security standards into their operational requirements and apply the IT technical controls needed to achieve compliance. Finally, they establish internal standards of due care to sustain long-term compliance. Through this process the VA tools help demonstrate that the IT controls are actually implemented and functioning.

The entire process of vulnerability management is only as good as the underlying policies and processes that support it. The audit trail of processes (including scanning, tracking, repair, verification and reporting) is required to demonstrate proactive and prudent attention to security vulnerabilities. The good news is that organizations that can support such a vulnerability management infrastructure are certainly on their way to passing an audit.

Understanding Your Risk Profile – Phase 4 - Reporting

Management often wants high-level reports, and most VA tools have robust reporting functionality. The point is to be able to deliver a range of reports that allow quick and easy information sharing across the organization’s various levels. Most VA packages come with pre-canned reports that can be customized, for example:

  • Executive reports
  • Technician reports
  • Line management reports
  • Operating system reports
  • Trend reports
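The four phases above (assessment, remediation, validation, reporting) are really one loop, and the audit trail that ties them together is what an auditor will ask to see. The program below is an added example written for this page, not code from the original article or from any particular VA product. It takes the output of successive scans (constructed here as tuples of host, plugin id, title, severity and Internet exposure; hosts, plugin ids and SLA days are all hypothetical), tracks each finding through open, remediated and reopened states with a dated log entry for every transition, orders the remediation queue by severity and exposure rather than by count, treats a finding that reappears as a failed validation rather than a new issue, and produces the trend and executive figures management asks for.

```python
"""Track vulnerability findings across successive scans, with an audit trail."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Days a finding may stay open before it counts as an SLA breach (assumed policy).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    key: str                    # "host:plugin_id", the stable identity across scans
    title: str
    severity: str
    internet_facing: bool
    first_seen: date
    last_seen: date
    state: str = "open"         # "open" or "remediated"
    closed_on: Optional[date] = None


def priority(f: Finding) -> int:
    """Severity dominates; Internet exposure breaks ties within a severity."""
    return SEVERITY_RANK[f.severity] * 2 + (1 if f.internet_facing else 0)


class VulnTracker:
    def __init__(self):
        self.findings = {}      # key -> Finding
        self.audit_log = []     # (date, key, event): the trail auditors ask to see
        self.trend = []         # (scan date, open findings after that scan)

    def ingest(self, scan_date: date, results: list) -> None:
        """Merge one scan given as (host, plugin_id, title, severity, exposed) tuples.
        A finding absent from this scan is validated as remediated; one that
        reappears is reopened, keeping its history, rather than re-created."""
        seen = set()
        for host, plugin_id, title, severity, exposed in results:
            key = f"{host}:{plugin_id}"
            seen.add(key)
            f = self.findings.get(key)
            if f is None:
                self.findings[key] = Finding(key, title, severity, exposed, scan_date, scan_date)
                self.audit_log.append((scan_date, key, "opened"))
            else:
                f.last_seen = scan_date
                if f.state == "remediated":         # the earlier fix did not hold
                    f.state, f.closed_on = "open", None
                    self.audit_log.append((scan_date, key, "reopened"))
        for key, f in self.findings.items():
            if f.state == "open" and key not in seen:
                f.state, f.closed_on = "remediated", scan_date
                self.audit_log.append((scan_date, key, "remediated"))
        self.trend.append((scan_date, len(self.open_findings())))

    def open_findings(self) -> list:
        return [f for f in self.findings.values() if f.state == "open"]

    def remediation_queue(self) -> list:
        """Fix order: highest priority first, then oldest, then key for determinism."""
        return sorted(self.open_findings(), key=lambda f: (-priority(f), f.first_seen, f.key))

    def sla_breaches(self, as_of: date) -> list:
        """Age runs from first_seen, so a reopened finding keeps its original clock."""
        return [f.key for f in self.remediation_queue()
                if (as_of - f.first_seen).days > SLA_DAYS[f.severity]]

    def executive_summary(self, as_of: date) -> dict:
        open_ = self.open_findings()
        return {
            "open": len(open_),
            "critical_or_high_open": sum(f.severity in ("critical", "high") for f in open_),
            "internet_facing_open": sum(f.internet_facing for f in open_),
            "oldest_open_days": max(((as_of - f.first_seen).days for f in open_), default=0),
            "remediated_to_date": sum(f.state == "remediated" for f in self.findings.values()),
            "sla_breaches": len(self.sla_breaches(as_of)),
        }


# Constructed output of three scans two weeks apart (hypothetical hosts and plugin ids).
W1001 = ("web-01", "1001", "Outdated web server version", "high", True)
W1002 = ("web-01", "1002", "Weak TLS cipher suites", "medium", True)
D2001 = ("db-01", "2001", "Database reachable without authentication", "critical", False)
H3001 = ("hr-pc-07", "3001", "Missing OS security update", "medium", False)
V4001 = ("vpn-01", "4001", "Default administrative credentials", "critical", True)
S5001 = ("sw-core-01", "5001", "ICMP timestamp disclosure", "low", False)
SCANS = [
    (date(2008, 9, 1), [W1001, W1002, D2001, H3001]),
    (date(2008, 9, 15), [W1002, D2001, V4001]),   # W1001 and H3001 no longer detected
    (date(2008, 9, 29), [W1001, D2001, S5001]),   # W1001 is back; D2001 still unfixed
]


def run_sample() -> VulnTracker:
    tracker = VulnTracker()
    for scan_date, results in SCANS:
        tracker.ingest(scan_date, results)
    return tracker


if __name__ == "__main__":
    t = run_sample()
    print(t.executive_summary(date(2008, 9, 29)), t.trend)
```

Two design choices matter here. First, closure is never recorded by hand: a finding is marked remediated only when a later scan no longer detects it, and if it comes back it is reopened with its original first-seen date, so a fix that was rolled back or never really applied shows up as an SLA breach rather than as a fresh, young finding. Second, the executive figures are computed from the same records as the technician queue, so the trend line management sees and the list engineers work from cannot drift apart, which is the consistency an auditor looks for when comparing the reports against the raw scan output.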

Defending yourself

Don’t fall into a subordinate relationship with the auditors; they are human and far from infallible. If auditors didn’t make mistakes, we wouldn’t have Sarbanes-Oxley.

An audit starts from the presumption that the auditors understand the company being audited and its business. Of course, there are good auditors and then there are bean counters. If you are the victim of an incompetent audit team, you will end up on the hot seat and have to defend your position.

The best way to defend yourself is to understand both your infrastructure, and the regulation and audit requirements. At the infrastructure level, know who does what and where they execute it. The better you understand the requirements, the better you can defend yourself.

When the time comes to reply to the auditor’s erroneous findings, stick with the facts. Make sure there is no name calling or insulting. Stay rational, not emotional and don’t let an incompetent auditor ruin your day.

The audit report

After all of the interviews, documentation reviews and endless meetings, comes the often dreaded audit report. Most auditors will create an audit report in a scorecard approach. This format generally contains:

  • description of the audit scope
  • audit objectives and methodology
  • statement that the audit was conducted in accordance with accepted auditing standards
  • description of the findings
  • corrective action recommendations

A well-written audit report contains much valuable information. You will be audited again, and future audits will lean heavily on this report, so use it as the starting point for the next one.

Most auditors will give you a draft version of the report, and you’ll generally have 7 to 10 days to review it. Start your review as soon as possible, and if you find errors, request revisions. If you don’t like the wording or tone, ask the auditor to change it; as long as the request is objective, it’s reasonable to make.

Since an external auditor may not understand every aspect of your organization, you can negotiate with them if you believe a finding is erroneous. You need to be reasonable, though. The best way to reach agreement is to frame your response in the same four terms auditors use to state a finding:

  • Condition – describe the audit evidence factually, without judgment.
  • Criteria – the objective standard the condition is measured against, and why, against that standard, the finding does not hold.
  • Cause – identify the root cause rather than some proximate cause.
  • Effect – the risk the condition presents to the business, not only to the computing environment.

Remember the one-minute pre-audit quiz mentioned earlier? If you scored low, odds are that your organization will fail the audit. Some findings are inevitable, because deficiencies are inevitable: even if your organization scored well, there is no such thing as a perfect network.

In such a scenario, you should let the audit process be a learning experience. But more than that, you must show the audit committee how you’ll plan for improvement and commit to act on the findings and recommendations.

Conclusion

An audit is a reflection of the organization, and it can take one of two courses. It will either be a golden opportunity on which to build an effective information systems security program, or an excuse for management to deny responsibility and terminate some of the information security staff.

At its best, the audit can showcase the operational excellence of the information security staff, and be used as a guide book in which to navigate the dynamic world of risk management and information security.


Originally published on Bright Hub, ©2008 Bright Hub Inc.