How to Clear a Security Audit with Flying Colors

Updated: August 20, 2012

No one looks forward to an audit, and the security variety inspires a certain amount of dread.

The process, after all, consumes time and resources, and it disrupts the flow of normal business operations. IT managers may find their strategic projects taking a backseat to the review. And, of course, no business wants to fail the audit. But a few steps can help organizations take at least some of the edge off a security audit.

Dick Mackey, vice president at SystemExperts Corp., a Sudbury, Mass.-based security and compliance-services firm, said that the company being audited should first dissect the requirements of a given audit. An audit may be driven by a regulation such as SOX (Sarbanes-Oxley Act of 2002) or a contractual requirement such as PCI DSS (Payment Card Industry Data Security Standard). Either way, the business must understand the directive's intent.

"Make sure you have a take on [requirements] from the technical side and the business side," Mackey advised.

With that understanding in place, the business turns to the task of establishing control objectives. With SOX, for example, the key requirements surround the accuracy and reliability of financial records and statements. So the control objectives will target the processes and systems associated with financial data.

Control frameworks such as COBIT (Control Objectives for Information and related Technology) can help at this stage.

A framework provides an enterprisewide standard that prepares an organization to deal with multiple types of compliance models, noted Tom Large, information security and privacy officer at Alliance Data Systems Inc., a provider of marketing, loyalty and transactions services based in Dallas. The company deals with SOX, ISO/IEC 27001, Statement on Accounting Standards No. 70 Type II and PCI DSS, among other compliance initiatives.

"Invest in a framework," Large recommended. "COBIT is fantastic. Auditing firms love it."

Readying IT Systems

In preparing for an audit, businesses can also do themselves a favor by controlling the scope of systems to be audited.

Even systems that don't handle sensitive data may be subject to audit if they operate within the same network as those that do. Mackey noted that PCI DSS applies to any system that is not segregated — through a technical mechanism — from the systems that process, store or transmit credit card information.

The same principle holds true for other compliance models — patient data in the case of HIPAA (Health Insurance Portability and Accountability Act), for instance.

"Anything in the same network is in scope for all general controls," Large said.

Segregation is critical for keeping the audit to a manageable scale. The more systems an auditor needs to review, the longer and more expensive the audit becomes.

Large said that organizations typically use firewalls to create a segregated network. That segment may also include an IDS (Intrusion Detection System), an IPS (Intrusion Prevention System), anti-virus and anti-spyware protection, automated alerting, and configuration management.
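The scoping rule described above (anything not segregated from the cardholder systems by a technical mechanism is in scope) can be checked mechanically against a network inventory. The following is an added example, not code from the article or from any of the firms it quotes; the segment names, links and the "segregated" flag are constructed, and the model treats only a firewall-enforced boundary as segregation.

```python
from collections import deque

# Constructed inventory of network segments (not from the article).
SEGMENTS = {
    "cde-db":     {"cardholder": True},    # stores card data
    "cde-web":    {"cardholder": True},    # transmits card data
    "corp-lan":   {"cardholder": False},
    "hr-servers": {"cardholder": False},
    "guest-wifi": {"cardholder": False},
}

# (segment_a, segment_b, segregated_by_firewall) -- constructed links.
LINKS = [
    ("cde-db", "cde-web", False),
    ("cde-web", "corp-lan", False),     # flat link: drags corp-lan into scope
    ("corp-lan", "hr-servers", True),   # firewall between them
    ("corp-lan", "guest-wifi", True),
]


def audit_scope(segments, links):
    """Return every cardholder segment plus any segment reachable from one
    without crossing a firewall boundary (the 'not segregated' rule)."""
    adjacency = {name: set() for name in segments}
    for a, b, segregated in links:
        if not segregated:          # only un-segregated links carry scope
            adjacency[a].add(b)
            adjacency[b].add(a)
    in_scope = set()
    queue = deque(n for n, attrs in segments.items() if attrs["cardholder"])
    while queue:                    # breadth-first walk over flat links
        seg = queue.popleft()
        if seg in in_scope:
            continue
        in_scope.add(seg)
        queue.extend(adjacency[seg] - in_scope)
    return in_scope


def scope_report(segments, links):
    """Split the inventory into in-scope and out-of-scope segment lists."""
    in_scope = audit_scope(segments, links)
    return {"in_scope": sorted(in_scope),
            "out_of_scope": sorted(set(segments) - in_scope)}


if __name__ == "__main__":
    print(scope_report(SEGMENTS, LINKS))
```

A firewall boundary is the minimum the article describes; an assessor may still treat systems that are permitted to connect into the cardholder segment as in scope, so the out-of-scope list is a starting point for the scoping discussion, not a final answer.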

Scope control enables an auditor and auditee to settle on pricing.

"We discuss what we think would be a reasonable scope, and we totally leave it up to the customer to define the scope they are interested in," said Ron Lepofsky, president of Toronto-based ERE Information Security Auditors. "So once we understand the scope, we provide them with a fixed-price quotation and itemize each item within the scope."

Within the segmented environment, organizations should aim to maintain as many identically configured systems as possible, Mackey explained. The IT shop should be able to demonstrate that it synchronizes and monitors systems to maintain the same configuration.

Mackey said that businesses should also take care to configure systems as simply as possible.

"As a qualified security assessor for PCI, the last thing we want to see is a set of unique systems," Mackey said. "It means we have to go through each of those systems with a fine-tooth comb."

"Uniformity is easier to audit," Lepofsky added. "It saves the customer time and money."

Configuration-management processes and tools can help achieve that uniformity.
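One way to produce the evidence of uniformity that Mackey describes, as an added example that is not the article's or any vendor's code: take a configuration snapshot from each host, normalize away comments and whitespace, and report only the directives that differ from the approved baseline. The sshd-style snapshots and host names below are constructed for the example.

```python
import hashlib

# Constructed approved baseline and per-host snapshots (not from the article).
BASELINE = """\
# hardened baseline
PermitRootLogin no
PasswordAuthentication no
LogLevel VERBOSE
"""

SNAPSHOTS = {
    "web01": BASELINE,
    "web02": "PermitRootLogin no\nPasswordAuthentication no\nLogLevel VERBOSE\n",  # comment-only difference
    "web03": "PermitRootLogin yes\nPasswordAuthentication no\nLogLevel VERBOSE\n", # drifted value
    "web04": "PermitRootLogin no\nLogLevel VERBOSE\n",                             # missing directive
}


def normalize(text):
    """Parse 'Key value' lines into a dict, dropping comments and blank lines
    so cosmetic edits do not register as drift."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def fingerprint(settings):
    """Hash the canonical (sorted) form so identical configs hash identically."""
    canonical = "\n".join(f"{k} {v}" for k, v in sorted(settings.items()))
    return hashlib.sha256(canonical.encode()).hexdigest()


def drift_report(baseline_text, snapshots):
    """Map each drifted host to {directive: (baseline_value, host_value)};
    hosts matching the baseline are omitted."""
    base = normalize(baseline_text)
    base_hash = fingerprint(base)
    report = {}
    for host, text in snapshots.items():
        cfg = normalize(text)
        if fingerprint(cfg) == base_hash:
            continue                              # uniform: nothing to show
        report[host] = {k: (base.get(k), cfg.get(k))
                        for k in sorted(set(base) | set(cfg))
                        if base.get(k) != cfg.get(k)}
    return report


if __name__ == "__main__":
    print(drift_report(BASELINE, SNAPSHOTS))
```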

"Standardization is probably the biggest area where configuration management, deployed well in your environment, can have a huge impact," Large said.

He noted that five of the six major sections of PCI DSS can be addressed to a considerable degree through good configuration management.

Alliance Data Systems uses software from Lexington, Mass.-based BladeLogic Inc. for configuration management, auditing and remediation.

Anticipating Questions

With controls in place, systems bounded and configurations locked down, an organization can continue audit preparations with a dry run.

Mackey suggested that businesses can walk through the audit process with an internal auditor or external consultant. He advised undertaking this self-assessment with a critical eye.

"You don't want the first time you hear questions to be in a formal audit," he said.

Large said that a pre-assessment can be scheduled a couple of months before the real audit. This approach provides time to address issues that can be fixed fairly rapidly.

Lepofsky said that he often sends customers a list of questions prior to the audit.

"We don't want anybody to be unprepared or surprised," he said.
