How Not to Fail Your Next Security Audit
Ah yes...the stress-inducing, often-feared security audit. Failing an audit can be a “career limiting experience." Some organizations bring in consultants, extra staff, and even focused leadership to ensure they pass an audit. Most audits are scored on a linear scale and very few audits are scored 100% with no findings. As long as there are not too many findings that trigger a failure, there is opportunity to better secure the organization.
What is the Difference Between a Security Audit and a Security Assessment?
There is often confusion in terminology: security audit, security assessment, and security risk assessment. Before we dive into the secret behind not failing your next security audit, let’s make sure you understand the difference between a security audit and a security assessment/security risk assessment. These terms are often used interchangeably (wrongfully), so let’s set the record straight.
Security Audit
There are many different types of security audits. These fall under either "Security" or something else (SOC, SOC type II, HIPAA, etc.). No matter the industry, they all have something in common: a certifying body/firm assesses you in certain areas and you will either pass or fail. Period. This is a big one for any company that processes credit cards, for example.
Security Assessment/ Security Risk Assessment
This is a preventative measure that you should perform yearly as a best practice. While the frequency of your assessments may vary depending on the perceived capability of your organization, or on the prescribed need (some may not have as strict regulatory compliance standards as others). This should still be the most prominent part of your overall risk management strategy.
How to Pass Your next Security Audit
Adopt a Risk Management Strategy
Ultimately, a yearly risk assessment should be part of an ongoing risk management strategy. Your organization should engage in continual efforts to mitigate any foreseeable risks. Take vulnerability management as an example: if your team fails to patch common vulnerabilities and exposures as they arise month over month, you are leaving your organization wide open to risk.
1. Establish a Culture of Risk Management
The best way to set up your organization for success and limit the chances of a security breach is to establish a proactive culture of risk management.
Focus on the RISK.
Most compliance requirements are risk driven. The goal is to identify the risk and mitigate that risk. From an audit perspective, that risk identification and mitigation process MUST be repeatable. We call this repeatable process “risk management". You should be able to answer the following questions,
- What is the risk of doing or not doing XYZ?
- Would you be introducing additional cyber risk by delaying a workstation fleet upgrade by 12 months?
- What risk would you add or remove by migrating workloads from an on-premises data center to an orchestrated cloud?
Make sure that your security controls match the cyber risk.
We see situations all the time where an organization has overspent their budget on a solution that is not the right fit for both the organization and the actual risk.
To put this in practical terms, if you and your spouse had four kids, but could only afford one vehicle, would you buy a minivan or a Corvette? Sure, the Corvette looks great and is very fast, but where do you put the groceries and kids? Auditors look for situations like this, often referred to as “program effectiveness.”
Adopt the practice of pre-audit testing.
How will you test and validate the effectiveness of the cyber control? Pre-audit testing is a good practice to adopt. It not only helps you prepare for the audit, but your IT staff will be better prepared as well.
Try this as one of your pre-audit tests: Submit a service ticket (or ask IT directly) and provide a screen shot of an example of a failed login attempt from three months ago on a Wednesday from 13:00 – 17:00. This example can come from directory services, a SEIM, or a logging repository.
If you’d like more test scripts to practice with your team, let us know.
Vulnerability Management:
The fastest way to fail an audit is to neglect patching where necessary and leave your organization open to risk. At a minimum, your organization should:
- Patch high and critical vulnerabilities monthly.
- Scan for vulnerabilities, at least quarterly. Weekly is optimal and the cost difference is minimal.
- Define patching, testing, scanning, and validation processes in policies and procedures.
Penetration Testing:
You should note that this is a prescriptive measure. It should only validate that any substantial risk areas have been properly mitigated with available security controls, or in a controlled environment (PCI-DSS Cardholder Data Network/Environment), where a Pen test is required annually or upon significant change to the environment.
Compliance Testing/Security Audit:
Building your security architecture to accommodate compliance requirements should be foundational. It’s the best way to yourself up for success in future audits. Compliance testing and security audits are two peas in a tech pod. You should always maintain regulatory compliance for any business you would like to succeed.
2. Focus on People, Processes, and Technology
Usually we run across the following scenarios:
1. An organization has boundless technology - every gizmo, gadget, and security measure imaginable - but they lack the staff and training to keep it running and truly take advantage of it.
OR
2. An organization has plenty of staff, but they don’t have the right tech and processes in place to properly cover all the requirements.
OR
3. An organization has lots of security technology and properly trained staff to manage the technology. However, there are no processes or policies to govern the usage of the technology or processes to follow. This is a very common situation found following a breach.
The goal is to find the sweet spot and consider working with a consultant like IE that can help you determine the actual tech that you need so you don’t throw money away.
Security Awareness Training:
Most security breaches can be attributed to human behavior. That is the reason that nearly all security audits place Security Awareness Training as a strongly weighted item in the audit. Hackers know that an organization’s employees are the biggest vulnerability to the organization’s protected data. Consider investing in security awareness training for everyone. Everyone should be aware of compliance regulations and basic preventative measures that can keep your team from exposing the organization to well-placed threats by hackers leveraging social engineering.
3. Perform Risk Assessments
An annual risk assessment is a critical part of an organization’s risk management program. Most compliance architectures require risk assessments annually and upon significant change to the network/environment. This is also an opportunity to reassess the items in the risk log, to determine if they still pose residual risk or could be deprecated.
Some organizations use their risk assessments as security audit trial runs. It’s better to catch findings in the assessment phase and address them without the very real consequences of a security audit (i.e. losing the ability to process credit cards, etc.). Regular testing will ensure you are maintaining compliance and security standards.
4. Perform a Business Impact Analysis
Know. Your. Business.
In addition to understanding your company's preparedness when faced with emergency situations, you need to know what external factors can cause delays (think issues with supply chain, (etc.). If something were to affect your organization, like let’s say a worldwide pandemic ... how would your business survive? A business impact analysis will help you identify areas that need improvement, contingencies that need to be made in case of an emergency, and more.
An example of a question you may need to ask yourself is, “what does the accounting department need in order to continue paying invoices while working from home?”
5. Know your Network and Know your Compute Environment
You need to know how your system functions. For every reviewed process, you need to have people with an intimate knowledge of how it works. This is critical because if you know how your compute environment works, or you have people in your organization who know how it works, you can identify what is needs to function properly, and ultimately anticipate risks.
6. Identify Your IT Governance Team and Architectural Review Board
The question that haunts every IT department: How do you prevent Shadow IT?
What makes Shadow IT a tricky beast to tackle is that IT is unaware of it ... that’s what makes it Shadow IT.
Consider forming an IT Governance team or an architectural review board. This board/team will research any technology the company wishes to implement. These teams generally consist of upper management or designated points of contact within an organization. This internal team will review the requested tool, analyze existing tools to determine if there are any that your team may not be taking advantage of, and properly define how to implement the tool to meet any compliance requirements.
It should become a best practice to run every tool through IT before implementing it. There should be a regular cadence in place that involves a representative from IT governance or architectural review.
7. Make Your Risk Assessment Strategy “Law” in your Organization
You could have the most secure software in the world, but if the IT governance group is not aware of the software you are using or if it’s not administered correctly, that’s when you to run into issues.
Remember, security audits are not in place to shut you down. They are performed as a preventative measure to protect you and your business and ensure that you are running a secure establishment.
Determine your risk management strategy and enforce it in your organization. This is your best option for passing an audit and ensuring the security of your business and data.
IE Can Help You Establish your Risk Management Culture
We get it. A risk assessment, business impact analysis, and all the other large-scale prescriptive security measures may seem like a big step. But trust us when we say, if you accurately secure your organization and keep up the preventative maintenance, you will save your organization far more time, money, and headaches in the long run than what you would initially pay for the assessment. Think of how much a potential security breach could affect and cost your company.
Let us take care of your organization’s security needs. We can analyze your business, gather findings, and identify holes in your current coverage. We can take care of the time-consuming and all-important task of vulnerability management and recommend solutions that fit YOUR company’s needs.
Ready to test the waters? Contact IE’s Security Team!