The ability to audit IT security effectively and efficiently has never been more important. Whether internal or external, financial or operational, business or regulatory, audits are increasingly performed on IT controls and IT security. This increase is driven by the need of the business and its auditors to rely on internal controls, by the requirement to manage risk effectively, and by the auditor's role in assessing compliance with regulations, policies and standards. IT auditors often rely on manual procedures, scripts and network vulnerability scanners when auditing technical IT security. Unfortunately, these are fraught with challenges and limitations and often place an undue burden on the auditor.
Why traditional security auditing methods fail
Manual audit procedures for IT security, while still fairly common and in some cases unavoidable, tend to take considerable time to perform, often require significant technical expertise and rarely result in a thorough evaluation of system security.
Using scripts to gather data from targeted systems automates a significant piece of work, but leaves undone the most important and often most time-consuming piece – the interpretation of the data and the identification of compliance exceptions and vulnerabilities. Moreover, manual analysis of that data is highly prone to error, leading to flawed audit reports or to high-risk exceptions being overlooked.
Network-based vulnerability scanning is common practice, often delivered as an appliance or as software-as-a-service. While these are important tools in the IT auditor's arsenal, they are subject to several limitations: they are often unable to prove compliance with policies and standards, they rarely determine whether a system has already been compromised, and they frequently give an inaccurate view of security.
Automating IT security audits for compliance and data protection
Given the problems with traditional methods of security auditing, the best approach for CIOs is to automate as many audit procedures as possible. Automating the audit ensures that potential compliance and security issues are identified and addressed by the IT department before they are picked up by auditors. This not only avoids the headache of escalated issues, but improves data protection and security throughout the entire organisation.
For CIOs looking to automate their IT security audits for compliance and data protection, a solution should meet the following requirements:
Reduce the workload of IT auditors and other involved personnel: The IT security auditing approach should leverage technology to audit technology where possible, as well as minimising the amount of manual procedures.
Assess compliance with policies, regulations, standards and leading practices: Compliance with applicable policies and standards (for example Center for Internet Security benchmarks) and other drivers (for example Governance/Framework and PCI DSS) is vital for most organisations. The approach should facilitate compliance by identifying exceptions from policies and standards.
Support exceptions to policies: Business-justified exceptions often exist within policies, standards and guidelines. It is vital that the tool allows the auditor to capture, document and process exceptions to the policies and report on them.
Support the automation of security assessment processes: For many organisations, the ability to automate a robust workflow helps to ensure procedures are followed without overburdening security staff.
Provide a combined assessment of security posture across the company's critical, heterogeneous technologies: IT security audits are generally performed on heterogeneous environments, not on a single platform. The solution should work the way an auditor works – by assessing all the critical platforms together.
Provide an accurate assessment of security posture: IT security audits should provide a comprehensive picture of security from an “administrator’s point of view”, so it is clear where compliance exceptions and vulnerabilities exist.
Support continuous auditing: The solution should be automated and enable assessments to be scheduled on a recurring basis, performed during off hours, holding the results and data securely for subsequent reporting and analysis.
Support segregation of duties: Any tool that provides security auditing should restrict access appropriately for the roles and authorities of the users within the organisation, while enforcing proper change management procedures.
Scale securely: The solution should grow with the business and support the entire enterprise, working over large, distributed networks with little impact on utilisation and other resources. Moreover, it should communicate and store data securely.
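As an added illustration of the requirements above, and not code from the article or from any product it refers to, the following Python script shows what "interpreting the gathered data" looks like when it is automated: settings collected from each host are evaluated against benchmark-style rules, documented business-justified exceptions are applied (and flagged when they have expired), and the result is a list of findings that separates true compliance failures from accepted risk. The rule identifiers, the setting names and the host snapshots are all constructed for the example; they are not real CIS benchmark items or real hosts.

```python
"""Minimal automated compliance evaluation with documented policy exceptions.

Added example, not from the original article. All rule IDs, setting keys,
host names and dates below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List


@dataclass
class Rule:
    rule_id: str                     # hypothetical identifier, not a real benchmark ID
    title: str
    check: Callable[[dict], bool]    # returns True when the host's settings comply
    severity: str


@dataclass
class PolicyException:
    """A business-justified exception, captured so the audit can report on it."""
    rule_id: str
    host: str
    justification: str
    approved_by: str
    expires: date


@dataclass
class Finding:
    host: str
    rule_id: str
    status: str    # "pass", "fail", "excepted" or "exception_expired"
    detail: str


# Benchmark-style rules (constructed). Each check reads a collected settings dict.
RULES: List[Rule] = [
    Rule("SSH-01", "SSH root login disabled",
         lambda s: s.get("sshd.PermitRootLogin") == "no", "high"),
    Rule("PWD-02", "Minimum password length at least 14",
         lambda s: s.get("pwquality.minlen", 0) >= 14, "medium"),
    Rule("LOG-03", "Audit daemon enabled",
         lambda s: s.get("auditd.enabled") is True, "medium"),
    Rule("FW-04", "Host firewall active",
         lambda s: s.get("firewall.active") is True, "high"),
]

# Constructed host snapshots standing in for data a collector script would gather.
HOST_SNAPSHOTS: Dict[str, dict] = {
    "web-01": {"sshd.PermitRootLogin": "no", "pwquality.minlen": 14,
               "auditd.enabled": True, "firewall.active": True},
    "db-01": {"sshd.PermitRootLogin": "yes", "pwquality.minlen": 8,
              "auditd.enabled": True, "firewall.active": True},
    "legacy-01": {"sshd.PermitRootLogin": "no", "pwquality.minlen": 14,
                  "auditd.enabled": False, "firewall.active": False},
}

# Constructed exception register: one still valid, one already expired.
EXCEPTIONS: List[PolicyException] = [
    PolicyException("SSH-01", "db-01", "Vendor backup agent requires root SSH",
                    "CISO", date(2024, 12, 31)),
    PolicyException("FW-04", "legacy-01", "Firewall breaks legacy cluster heartbeat",
                    "CISO", date(2024, 1, 31)),
]

AUDIT_DATE = date(2024, 6, 1)   # constructed date of the audit run


def evaluate(hosts: Dict[str, dict], rules: List[Rule],
             exceptions: List[PolicyException], today: date) -> List[Finding]:
    """Run every rule against every host and classify the outcome."""
    register = {(e.host, e.rule_id): e for e in exceptions}
    findings: List[Finding] = []
    for host, settings in hosts.items():
        for rule in rules:
            if rule.check(settings):
                findings.append(Finding(host, rule.rule_id, "pass", rule.title))
                continue
            exc = register.get((host, rule.rule_id))
            if exc is None:
                findings.append(Finding(host, rule.rule_id, "fail",
                                        f"{rule.severity}: {rule.title}"))
            elif exc.expires < today:
                # An expired exception is an open issue again, not accepted risk.
                findings.append(Finding(host, rule.rule_id, "exception_expired",
                                        f"expired {exc.expires.isoformat()}: {exc.justification}"))
            else:
                findings.append(Finding(host, rule.rule_id, "excepted",
                                        f"approved by {exc.approved_by}: {exc.justification}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status for the audit summary."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


def open_issues(findings: List[Finding]) -> List[Finding]:
    """Findings that require action: real failures and lapsed exceptions."""
    return [f for f in findings if f.status in ("fail", "exception_expired")]


if __name__ == "__main__":
    results = evaluate(HOST_SNAPSHOTS, RULES, EXCEPTIONS, AUDIT_DATE)
    print(summarize(results))
    for f in open_issues(results):
        print(f"{f.host:10} {f.rule_id:7} {f.status:18} {f.detail}")
```

Separating "excepted" from "fail" is what lets the report satisfy both the auditor, who needs to see that the deviation is documented and approved, and the IT team, who only want the open items; tracking the expiry date is what stops a one-off exception from silently becoming permanent.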
A number of solutions currently available automate the auditing process and provide a much more accurate view of an organisation's IT security and of where potential weaknesses lie. Both internal IT security teams and auditors can use a tool designed for policy compliance assessments and vulnerability assessments alike across a heterogeneous environment.
By implementing a solution that automates the auditing process, CIOs can ensure their IT security teams are freed up to perform more valuable tasks and auditors can quickly move onto the next audit.
Martin Mooney is the country manager at NetIQ New Zealand.