What every IT department needs to know about IT audits

Last month I addressed data governance in ““Preventing data breaches is a business problem not an IT issue.” In that article I stressed that too many clients have the Technology and Processes down but many don’t have the right staff in place or if they do have security staff they report to IT. We need a separation of duties between the IT department and an Audit or compliance department. Otherwise it’s the fox guarding the chickens.

IT has a mission to push out new technology and fix it when it fails, so how can the IT department also oversee any real security and compliance function? The answer is they can’t, as it’s the fox guarding the chickens.

Enter data governance, which starts at the top. Too many clients don’t know that “Information Security Governance is a fundamental responsibility of senior management to protect the interests of the organization’s stakeholders. This includes understanding risks to the business to ensure that they are adequately addressed from a governance perspective. The tone at the top must be conducive to effective security governance. It is unreasonable to expect lower-level personnel to abide by security policies if senior management does not,” as noted by the IT Governance Institute 2003.

This is a common issue for clients that don’t do well on audits. A security and compliance function must be in place and it should be separate from the IT department if at all possible.

If you work in the IT department one of your biggest fears may be the dreaded IT audit. Long before I was a consultant, I remember how our team felt when the IT auditors showed up. We had no idea what they were going to cover? How could we know, we were not IT auditors! But little did we know all we had to do was ask or better yet learn about the framework they were using and do our own self-assessment ahead of time.

I often see clients that need help with (especially those without an independent security and compliance department or function) Audit and Compliance Frameworks. Earlier in my career I worked as an IT security staff member where I saw the importance of securing firewalls, servers and a multitude of IT devices, but later realized at that view point I was walking through a forest when I could have been flying over it.  

With an understanding of security and compliance frameworks you see the whole forest from a birds eye view and it takes on a totally different perspective, you no longer see security devices or individual gates; you will see a whole city that you must protect! Only this view from above via a security and compliance framework provides one with a complete risk management strategy.

In our practice we constantly see very skilled IT departments that don’t have the exposure to a robust security and compliance framework. By educating all IT staff members on the importance of compliance frameworks, a company can improve its audits and better, they can actually reduce risk by having everyone in IT on board to counter the dynamic threats we are all exposed to every day. The IT department can and should play a key role in responding to IT audits, audits that are there to assure the company meets this minimum standard that is the foundation for security.   

One excellent framework to learn is the NIST (National Institute of Standards and Technology) Cyber Security framework. This particular NIST framework is the result of executive order 13636,” Improving Critical Infrastructure Cybersecurity” issued by the President of the United States. This was of course in response to the many data breaches that are hurting our country and its economy.  

Audit or compliance frameworks focus on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. This is where we move from an IT device centric mode to a total business risk mode.

The NIST framework consists of three parts: the Framework Core, the Framework Profile, and the Framework Implementation Tiers. The Framework Core is a set of cybersecurity activities, outcomes, and informative references that are common across critical infrastructure sectors, providing the detailed guidance for developing individual organizational Profiles. Through use of the Profiles, the Framework will help the organization align its cybersecurity activities with its business requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk. NIST 2014

NIST

The five framework core functions are defined below. These functions are not intended to form a serial path, or lead to a static desired end state. Rather, the functions can be performed concurrently and continuously to form an operational culture that addresses the dynamic cybersecurity risk.

• Identify – Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.

Examples of outcome Controls/Categories within this Function include:Asset Management; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.

• Protect – Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services. The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.

 Examples of outcome Controls/Categories within this Function include: Access Control; Awareness and Training; Data Security; Information Protection Processes and Procedures; Maintenance; and Protective Technology.

• Detect – Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event. The Detect Function enables timely discovery of cybersecurity events.

 Examples of outcome Controls/Categories within this Function include:Anomalies and Events; Security Continuous Monitoring; and Detection Processes.

 • Respond – Develop and implement the appropriate activities to take action regarding a detected cybersecurity event. NIST 2014

Keep in mind this is a single governance framework, You may be familiar with other frameworks like ISACA’s Cobit, The US government’s FISMA, PCI DSS for retail credit cards, or HIPAA for healthcare. They each have their specific industry application, the NIST framework shown here is a good general framework to consider when you are not mandated to comply with PCI DSS or HIPAA or any other legally mandated compliance framework. It’s a way for an unregulated business to do what it should do without regulators forcing it to do the right thing.

What these frameworks all have in common is a baseline standard to measure your organization against. We are looking for gaps from your organization with an established standard. All compliance frameworks were created from best practices and the incorporation of what was learned from past data breaches or intrusions. This makes them impossible to be current with the threat of the week, but they are still the foundation for security. For more on why audit matters check out the latest Verizon data breach investigations reports. According to Verizon’s reports many data breaches were not highly difficult.

All compliance frameworks include the measurement of data security, security awareness, access control, asset management, communications security, data backups, disaster recovery/business continuity planning and much more. Think of it as a standards check list with one major exception, it’s risk based and therefore is not just a check list.

For example: A company may have a list of assets, but it must be a current list and it must be relevant. The assets must include types of assets that the organization is trying to protect. An organization must take the asset list and consider real dynamic threats and vulnerabilities. For example, an asset may be a web server, a threat is a cybercriminal trying to hack into it and a vulnerability might be a missing patch, an unsecured server room or an insider that has a criminal record.

This is just the tip of the iceberg and is not check box auditing, it’s risk management. You must look at and consider realistic threats to any asset and its data you are trying to protect. What makes this more interesting and challenging is that the vulnerabilities and threats can change daily or hourly! Take a look at this daily dashboard. See the latest vulnerabilities? The latest phishing attacks?

In the table above you can now see that the categories or controls, as many frameworks call it, like asset management and risk assessment are listed in their corresponding function in this example Identify. Data security falls under Protect, continuous monitoring falls under Detect and so on.

An organization can use the framework as a key part of its systematic process for identifying, assessing, and managing cybersecurity risk.

Putting it all together, let’s see how to actually use this simple NIST cyber security framework. Remember we are trying to protect your data within an organization, this includes data that is stored, processed or transferred within technology and also includes paperwork on your desk.

Step 1: Prioritize and scope. The organization identifies its business objectives and high-level organizational priorities. With this information, the organization makes strategic decisions regarding cybersecurity implementations and determines the scope of systems and assets that support the selected business line or process. The Board of Directors must be involved to assure the priority is in line with the business strategy and its mission. What is the most valuable to this company? What resources does it have to protect it? Will the company provide the necessary resources to protect it? Is it required to protect it by law? What compliance framework is mandated by law?

Step 2: Orient. Once the scope of the cybersecurity program has been determined for the business, the organization identifies related systems and assets, regulatory requirements, and overall risk approach. We have assets, and want to protect them from the latest threats and vulnerabilities. This step looks at where is this critical data? Is it in a server? A database, online or internal? What laws govern its protection? In the end this step says what cyber security, compliance framework we will use.

Step 3: Create a current profile. The organization develops a Current Profile by indicating which control or category outcomes from the Framework Core are currently being achieved. This is the baseline of our current operating environment.

Step 4: Conduct a risk assessment. This assessment could be guided by the organization’s overall risk management process or previous risk assessment activities. The organization analyzes the operational environment in order to discern the likelihood of a cybersecurity event and the impact that the event could have on the organization. This is where we actually look at risk and are not doing a check box audit. A check box audit is not realistic and therefore a waste of time. It was not too long ago that this was unfortunately, the focus of many audits.

A risk assessment example: a company in Florida has a server at a beach side resort. The asset contains credit card or proprietary data, its threat model includes hackers, internal theft of data or the threat of a hurricane flooding the data closet it’s located in. We can either accept the risk, transfer it, or mitigate it, by putting the service in the cloud, or relocate the server to an office or center further from the rising waters on the beach. The cloud option mitigates risk but adds new risk.

Do we trust the cloud provider not to copy and use the data for its own personal gain? Are they meeting good compliance standards that assure we are making a good decision? How likely is the cloud provider to be compromised? We must also consider our organizations risk appetite. Are we working in DoD, credit cards, financial, healthcare? All have different risk profiles. Healthcare has become a major target as it contains a person’s full identity, not just a credit card that is only good for a very limited time.

Step 5: Create a target profile. The organization creates a Target Profile that focuses on the assessment of the framework controls or categories describing the organization’s desired cyber security outcomes. This is the standard we want our baseline to match. Only the CEO and executive team of your organization can say what this should be.

Step 6: Determine, analyze, and prioritize gaps. The organization compares the current profile and the target profile to determine gaps. Next it creates a prioritized action plan to address those gaps that draws upon mission drivers, a cost/benefit analysis, and understanding of risk to achieve the outcomes in the target profile. The organization then determines resources necessary to address the gaps. Using profiles in this manner enables the organization to make informed decisions about cyber security activities, supports risk management, and enables the organization to perform cost-effective, targeted improvements. We simply take step 3 the current control state and compare it to the desired control state in step 5 while considering cost and benefits.

Step 7: Implement action plan. The organization determines which actions to take in regards to the gaps, if any, identified in the previous step. It then monitors its current cyber security practices against the target profile. This is an ongoing process, it never ends. We don’t simply become compliant or secure and stop, it’s a constant daily challenge.

So always keep in mind that security and compliance is not a once a year event, or even monthly, it’s ongoing and continues as threats and vulnerabilities change every day. Don’t forget your organization’s assets may change. Adding just one new server or network appliance can have a huge impact.

By becoming familiar with risk management frameworks that are applicable to your organization you and your IT team will be on the way to not only meeting basic compliance, but you will be doing your due diligence and moving beyond compliance to meaningful risk reduction that has a real impact to the business and its bottom line.

Remember that compliance is static and legalistic, security is dynamic, intelligent and forward looking. Use compliance as a baseline for security. Once you have achieved 100 percent compliance you will then have the foundation for security, real security like adding data analytics to look for indicators of compromise, this will actually help protect your business in today’s ever changing threat landscape. Good luck on your next audit.