Last month we asked whether you were intimidated when auditors showed up at your reception desk, or whether the very idea of an audit sent a chill through you. In this webcast, we teamed up with Mike Chapple, Senior Director for Enterprise Support Services at the University of Notre Dame, to describe five practical tips for extracting the maximum value from your audit experience:
- Treat auditing as a lifecycle process rather than a special event.
- Understand the scope before the audit begins.
- You shouldn’t learn anything from an audit.
- Don’t be afraid to speak up.
- Expect and embrace findings.
If you missed it, don't worry. "Five Insider Tips: Using IT Audits to Maximize Security" is now available on demand. What follows are the questions attendees asked and the answers:
Q) I’ve been through many audits in my career and have found that auditors are generally reasonable people. However, once in a while you just get someone who is a real jerk. Any advice for those situations?
Mike: Yeah, so that’s very true. I've found myself in that situation a couple of times. You know it’s something you don’t want to happen, right, and I think everyone in the industry always tries their best to make sure they get along with their auditors. It’s just good practice. It's a good way to have a nice, normal relationship with someone and treat them well. But sometimes you do wind up in situations where the person you are working with is just really unreasonable - just has that terrible kind of toxic personality. So the best advice I can give you there is the same as would apply in any situation where you are having difficulty working with someone: use your people management skills, kill them with kindness, try to make it work out. You’re in a situation where you really need this person to get along with you, at least enough to be objective about the situation. If it gets to a really extreme situation, I think it’s even something to take up to management and the audit firm. So typically, if you are the line person or line manager who is being audited, you are working with line auditors, and if there is a really difficult situation there, there’s a partner of the audit firm or something similar (assuming it’s an external auditor) that maybe your boss can talk with to try to work the situation out.
Q) Do you typically suggest something like a SAS 70 for general business controls?
Mike: Yes. So for those of you who might not be familiar with it, SAS 70 - I think I mentioned it briefly during the session - is a standard that's used for assessing the security controls of service providers. So if I am a data center hosting provider, for example, I would typically have a SAS 70 done, where an independent audit firm comes in and takes the description I provided of my controls. There are different types of SAS 70: Type 1 and Type 2. If you are using these you should definitely research and understand those. But the auditor will come in and look at the controls and describe whether they have been implemented as stated, in a Type 2 audit at least. So I think that’s a very valuable tool. If you are a service provider you definitely want to get a SAS 70 audit done so you can demonstrate to others that your controls are solid. Those controls might be around general business systems, like the question asked. If you are someone who uses service providers - I think we've trained our security staff and contracting staff here to pretty much ask for a SAS 70 as one of the routine questions whenever considering outsourcing any service. I think it’s a very valuable standard to make use of.
Q) You showed a slide that pictured the regulatory landscape as a complex of overlapping requirements. What’s the best way to prepare for an audit when an organization is subject to many different laws and other obligations?
Mike: Well, Renee, I think you actually addressed this well in your wrap-up. We do have this sea of overlapping requirements, and hopefully we don’t have many situations where requirements actually conflict with each other. But we do have a lot of different laws, regulations, and standards requiring us to do different things, and it can become very difficult and challenging to track all of those. So I think the phrase you used was a harmonized approach to compliance. It is really taking all of these different requirements and outlining the security controls that you think are best for your organization. So, what do you think you should do, just out of basic sound security practice? And then, once you’ve done that, map them to all these different compliance requirements. Then, of course, you have to identify any gaps between the standards, requirements, and laws and what you’re doing. But then you can use that mapping to show that you are complying with requirements, and then just use verification of your controls to make sure you're complying with everything. So you don’t necessarily have to do a PCI walk-through and a HIPAA walk-through and everything else; you can just do a control walk-through and have confidence that the mapping you’ve done means - if you satisfy yourself during your own internal control assessment - you are meeting all these different compliance requirements.
Renee: Okay, sounds like a good plan!
Q) Are there any tips you can offer for responding to audit findings where the remediation is going to cost more in time and money than you can afford? We have had auditors who don’t understand what their findings will cost to resolve.
Mike: Yeah, sure, and this is exactly what the management response in an audit report is for. So auditors will come and tell you what they think needs to be done, and I guess the specific answer depends a little bit upon the context too and what type of audit it is. In particular, whether it is an assessment of controls that you decided are necessary, or whether it’s PCI or something like that where the auditors are saying that you are not complying with the laws or regulations you are required to comply with - it’s a little different. But the management response is where you can talk about risk. So there are four different things you can do when you face a risk: you can take action and mitigate the risk, which is probably what the auditor is asking you to do; you can transfer the risk to someone else by buying insurance; you can avoid the risk by changing your business practices; or the fourth thing you can do is accept the risk. You can say, "Yes, I understand that. We know we have this control deficiency, but we think that given the cost of implementing that control it’s simply not cost effective, and we are willing to accept the burden of that risk based upon that analysis."
Renee: Ok. So, let management respond and kind of help you out in that situation?
Q) I have encountered a situation where over-concern with security actually seems to produce a less secure environment, for example, no single sign-on and many different password policies for different systems. Can you comment?
Mike: So, I'd be curious to know more detail around that specific situation, and I know we can’t get it, but I can’t imagine a security requirement that would say you couldn’t use single sign-on. Certainly different regulations and different standards might have different ideas about password strength. You know, some might say 8 characters, alphanumeric; some might say you have to have a symbol; there are all these different things. I would think this goes back to the harmonization: you should be able to find the middle ground. Not even a middle ground. You should find a standard that you can use for your organization that meets all those different requirements. I have not seen people using requirements like "you must have 15-character passwords" or ridiculous things like that, but if you can appeal to and meet the most stringent of the standards, I don’t know why you can’t use a system like that for single sign-on.
Renee: I agree. The harmonization will work here too as well.
Q) What are the most frequent findings in a typical IT audit?
Mike: Well! I don’t know that there is a typical IT audit. As I think back across a lot of the audits I’ve been involved in, you do see some themes, I guess. One that I have seen a lot of recently is the software development life cycle. You know, I shared one of the stories about that a little bit. But you see auditors looking at that quite a bit now in places where custom code is being developed. I also see a lot around account management, the practices that you follow for provisioning accounts and especially de-provisioning accounts. So, you know, a lot of the time you see an auditor come in and say to HR, “give me a list of the last 20 employees who have been terminated” or “all the separations within the past 6 months,” and they go and check to see if they still have accounts. If the practices aren’t right and the business process is not being followed properly, you wind up with some discrepancies there. Then reviewing logs and monitoring is probably another big one, because that is the boring part of security and people tend to overlook it.
Mike: All sorts of different things.
Renee: But in that case, automation of some of those tedious workflows might be able to help. With user provisioning: make sure that it’s simplified and also made as streamlined as possible, so that you don’t have administration-level folks doing that type of work. That can help as well.
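The HR-versus-directory check Mike describes (a sample of recent separations compared against live accounts) is easy to run yourself before the auditors do. The script below is an added example, not from the webcast; the separation records, directory export, and the one-day grace period are all constructed assumptions, and it reports both accounts still enabled after separation and accounts used after the separation date.

```python
from datetime import date, timedelta

# Constructed HR separation records (the "last N terminations" list an auditor asks HR for)
HR_SEPARATIONS = [
    {"employee_id": "E1001", "separated": date(2011, 1, 14)},
    {"employee_id": "E1002", "separated": date(2011, 3, 2)},
    {"employee_id": "E1003", "separated": date(2011, 4, 20)},
    {"employee_id": "E1004", "separated": date(2011, 5, 9)},   # separated yesterday
]

# Constructed directory export: one row per account, keyed to an employee id
DIRECTORY_ACCOUNTS = [
    {"username": "aexample",     "employee_id": "E1001", "enabled": False, "last_logon": date(2011, 1, 13)},
    {"username": "bexample",     "employee_id": "E1002", "enabled": True,  "last_logon": date(2011, 4, 30)},
    {"username": "bexample-adm", "employee_id": "E1002", "enabled": False, "last_logon": None},
    {"username": "cexample",     "employee_id": "E1003", "enabled": True,  "last_logon": date(2011, 4, 19)},
    {"username": "dexample",     "employee_id": "E1004", "enabled": True,  "last_logon": date(2011, 5, 9)},
]


def deprovisioning_findings(separations, accounts, as_of, grace_days=1):
    """Return (username, reason) pairs for every account that contradicts the
    de-provisioning process: still enabled once the grace period after separation
    has passed, or logged on after the separation date. An account disabled on time
    produces no finding; a separation still inside the grace window is not flagged."""
    accounts_by_employee = {}
    for acct in accounts:
        accounts_by_employee.setdefault(acct["employee_id"], []).append(acct)

    findings = []
    for sep in separations:
        deadline = sep["separated"] + timedelta(days=grace_days)
        for acct in accounts_by_employee.get(sep["employee_id"], []):
            if acct["enabled"] and as_of > deadline:
                findings.append((acct["username"], "still enabled; separated %s" % sep["separated"]))
            if acct["last_logon"] is not None and acct["last_logon"] > sep["separated"]:
                findings.append((acct["username"], "logon on %s after separation" % acct["last_logon"]))
    return findings


def run_sample_check():
    """Run the check over the constructed data as of a fixed date (constructed)."""
    return deprovisioning_findings(HR_SEPARATIONS, DIRECTORY_ACCOUNTS, as_of=date(2011, 5, 10))


if __name__ == "__main__":
    for username, reason in run_sample_check():
        print("FINDING: %s - %s" % (username, reason))
```

In a real run the two lists come from the HR system and a directory export; the comparison logic stays the same.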
Q) Do you recommend the self-assessment before the audit visit or simultaneous?
Mike: I guess if you want to be able to make changes you would have to do it before, right! I don’t know how much value there would be in doing an assessment during the time the audit is going on, because you are just going to discover the same things the auditors are discovering at the same time. So it goes back to the lifecycle. You don’t necessarily want to pair, or tie, the assessment directly to the audit. You want to be doing the assessments continuously, to make sure that whenever you get audited you are ready for it. But if specifically you're facing a situation where an audit's coming up and you want to do an assessment, I would certainly think you would want to do that in advance to give yourself a chance to correct any issues before the auditors come.
Renee: I can’t think of a situation where you want to do it simultaneously.
Mike: You’re going to get a report that tells you what you just learned.
Renee: Right! Yeah, that’s kind of limited there, so, okay.
Q) You mentioned that there are always findings after an audit. I understand this from my experience, but my boss has the unreasonable expectation that we should come out squeaky clean. How can I get him to understand this point?
Mike: Well, you’re right to say this is an unreasonable expectation. I'd kind of turn the tables a little here and ask your boss to point to an audit report he has seen, in the past, that came out without any findings. I doubt he is able to find one of those. Another thing you might be able to do, if this is someone who is not familiar with IT, is draw a parallel to the organization's financial audit if you are in a publicly traded company, or whatever other kind of audit this person might have experience with; maybe they would be more familiar with that and realize that findings are inevitable. So what I would encourage that person to do is, instead of focusing on the existence of findings, which is not necessarily the most important thing, focus on the severity of those findings: how bad were they? And then also repeat findings: what you wouldn’t want to see is a finding in this year’s audit that the auditors come back and have again next year.
Renee: Right, that sounds like good advice.
May 10 2011, 03:05 PM
Filed under: Security, HIPAA, PCI, Regulations, PCI-DSS, Logs, Mike Chapple, IT Audit, Notre Dame, Auditors, Requirements, Service Providers, Hosting, SAS70, Audits, HR, Remediation, Data Center, single sign-on, User De-provisioning, Monitoring, User Provisioning, David Shephard, Security Web