How to Clear a Security Audit with Flying Colors

Updated: April 30, 2009

No one looks forward to an audit, and the security variety inspires a certain amount of dread.

The process, after all, consumes time and resources, and it disrupts the flow of normal business operations. IT managers may find their strategic projects taking a backseat to the review. And, of course, no business wants to fail the audit. But a few steps can help organizations take at least some of the edge off a security audit .

Dick Mackey, vice president at SystemExperts Corp., a Sudbury, Mass.-based security and compliance-services firm, said that the company being audited should first dissect the requirements of a given audit. An audit may be driven by a regulation such as SOX (Sarbanes-Oxley Act of 2002) or a contractual requirement such as PCI DSS (Payment Card Industry Data Security Standard). Either way, the business must understand the directive's intent.

"Make sure you have a take on [requirements] from the technical side and the business side," Mackey advised.

With that understanding in place, the business turns to the task of establishing control objectives. With SOX, for example, the key requirements surround the accuracy and reliability of financial records and statements. So the control objectives will target the processes and systems associated with financial data.

Control frameworks such as COBIT (Control Objectives for Information and related Technology) can help at this stage.

A framework provides an enterprisewide standard that prepares an organization to deal with multiple types of compliance models, noted Tom Large, information security and privacy officer at Alliance Data Systems Inc., a provider of marketing, loyalty and transactions services based in Dallas. The company deals with SOX, ISO/IEC 27001, Statement on Accounting Standards No. 70 Type II and PCI DSS, among other compliance initiatives.

"Invest in a framework," Large recommended. "COBIT is fantastic. Auditing firms love it."

Readying IT Systems

In preparing for an audit, businesses can also do themselves a favor by controlling the scope of systems to be audited.

Even systems that don't handle sensitive data may be subject to audit if they operate within the same network as those that do. Mackey noted that PCI DSS applies to any system that is not segregated — through a technical mechanism — from the systems that process, store or transmit credit card information.

The same principle holds true for other compliance models — patient data in the case of HIPAA (Health Insurance Portability and Accountability Act), for instance.

"Anything in the same network is in scope for all general controls," Large said.

Segregation is critical for keeping the audit to a manageable scale. The more systems an auditor needs to review, the longer and more expensive the audit becomes.

Large said that organizations typically use firewalls to create a segregated network. That segment may also include an IDS (Intrusion Detection System), an IPS (Intrusion Prevention System), anti-virus and anti-spyware protection, automated alerting, and configuration management.

Scope control enables an auditor and auditee to settle on pricing.

"We discuss what we think would be a reasonable scope, and we totally leave it up to the customer to define the scope they are interested in," said Ron Lepofsky, president of Toronto-based ERE Information Security Auditors. "So once we understand the scope, we provide them with a fixed-price quotation and itemize each item within the scope."

Within the segmented environment, organizations should aim to maintain as many identically configured systems as possible, Mackey explained. The IT shop should be able to demonstrate that it synchronizes and monitors systems to maintain the same configuration.

Mackey said that businesses should also take care to configure systems as simply as possible.

"As a qualified security assessor for PCI, the last thing we want to see is a set of unique systems," Mackey said. "It means we have to go through each of those systems with a fine-tooth comb."

"Uniformity is easier to audit," Lepofsky added. "It saves the customer time and money."

Configuration-management processes and tools can help achieve that uniformity.

"Standardization is probably the biggest area where configuration management, deployed well in your environment, can have a huge impact," Large said.

He noted that five of the six major sections of PCI DSS can be mitigated to a considerable degree through good configuration management.

Alliance Data Systems uses software from Lexington, Mass.-based BladeLogic Inc. for configuration management, auditing and remediation.

Anticipating Questions

With controls in place, systems bounded and configurations locked down, an organization can continue audit preparations with a dry run.

Mackey suggested that businesses can walk through the audit process with an internal auditor or external consultant. He advised undertaking this self-assessment with a critical eye.

"You don't want the first time you hear questions to be in a formal audit," he said.

Large said that a pre-assessment can be scheduled a couple of months before the real audit. This approach provides time to address issues that can be fixed fairly rapidly.

Lepofsky said that he often sends customers a list of questions prior to the audit.

"We don't want anybody to be unprepared or surprised," he said.

Related Categories
Featured Research
  • Securing Enterprise Information Technology

    In the 1980s and 1990s, business applications and data were largely confined within and protected by a Local Area Network (LAN). The 2000s introduced a significant change. Download this white paper now to learn why the shift to the cloud is changing how companies think about and manage their IT infrastructure. more

  • Office365 Adoption eGuide

    Microsoft moved to the cloud in 2014, and, as a result, Office 365 is taking off. Now, Okta customers are connecting to Office 365 in increasing numbers. This eGuide explains why IT departments should plan and deploy solutions around identity and mobility management in concert with their Office 365 roll out to get maximum user adoption. more

  • Okta Directory Integration

    For most companies, Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) play a central role in coordinating identity and access management policies. When on-premise applications are integrated to Active Directory or LDAP, users get the best possible experience. That's why Okta's cloud-based identity and access management service provides a highly useful single integration point. more

  • Top 8 Identity and Access Management Challenges with Your SaaS Applications

    With more and more businesses adopting Software-as-a-Service (SaaS) applications, enterprise IT is fundamentally changing. This whitepaper presents the eight biggest Identity and Access Management (IAM) challenges associated with adopting and deploying cloud and SaaS applications, and discusses best practices for addressing each of them. more

  • Better BYOD with Pulse Secure and MDM Partners

    Learn how Pulse Secure and leading MDM product partners are transforming the way employees and IT benefit from the productivity and flexibility of BYOD — without compromising security or increasing management complexity. more