How data security auditors can work smarter, not harder
Technology is omnipresent. Technology is helping businesses work faster, smarter and become more innovative. But at the same time, technology is introducing more security risks.
Organizations are deploying security technologies and implementing continuous monitoring to mitigate these security risks. Audit departments within organizations are planning to conduct more technology audits than ever before. They are looking to automate their audits. They are looking for newer, smarter audit tools.
But before we go any further in identifying new tools, let’s look at the continuous monitoring tools already deployed within organizations, which could help the auditors as well.
I have always said that the strength of the security program is only as strong as its weakest link. One weak link for some organizations is getting an accurate inventory of their internal and external-facing assets.
Most organizations utilize tools which can inventory assets connected to the network. Depending on their IT environment (e.g. physical servers or virtualized servers), they could use asset inventory software from VMware or Microsoft Hyper-V, or IT Service Management tools from IBM, CA or BMC. There are freeware or shareware tools available to perform these functions as well. Also, software used to review logs can be used for asset inventory (see the next topic on SIEM).
The auditors could utilize the data from these tools as input into their asset inventory audits. If an organization is unwilling or unable to provide these reports, the auditors could use software like Nmap to get an accurate count of the asset inventory. Those auditors who feel uneasy using powerful software like Nmap could ask their network administrators to run the scan and provide the results in a saved format that can be used as input to Nmap.
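An added example (not from the original article) of how an auditor might use a saved Nmap scan for an asset inventory audit: it parses the XML that `nmap -oX` writes and reconciles the hosts found up against the inventory the organization provided, flagging hosts the inventory does not know about and inventory entries the scan did not see. The Nmap XML sample and the CMDB export below are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Constructed sample in the shape Nmap writes with `-oX` for a ping sweep;
# not captured from a real network.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
    <hostnames><hostname name="fw01.example.test"/></hostnames></host>
  <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test"/></hostnames></host>
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames/></host>
  <host><status state="down"/><address addr="10.0.0.6" addrtype="ipv4"/></host>
</nmaprun>
"""

# Constructed asset inventory, as an organization might export it from its
# CMDB or IT Service Management tool (hypothetical records).
CMDB_INVENTORY: Dict[str, str] = {
    "10.0.0.1": "fw01",
    "10.0.0.2": "web01",
    "10.0.0.3": "db01",
}


def live_hosts(nmap_xml: str) -> Dict[str, Optional[str]]:
    """Return {ipv4 address: hostname or None} for every host Nmap reported up."""
    hosts: Dict[str, Optional[str]] = {}
    for host in ET.fromstring(nmap_xml).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down/unknown hosts are not inventory evidence
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        name_el = host.find("hostnames/hostname")
        hosts[addr.get("addr")] = name_el.get("name") if name_el is not None else None
    return hosts


def reconcile(nmap_xml: str, inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit findings: hosts seen but unregistered, and registered hosts not seen."""
    seen = live_hosts(nmap_xml)
    return {
        "unregistered": sorted(ip for ip in seen if ip not in inventory),
        "not_reachable": sorted(ip for ip in inventory if ip not in seen),
    }
```

Each address in `unregistered` is a candidate shadow asset to follow up with the asset owner; each in `not_reachable` is an inventory record to confirm (decommissioned, powered off, or on a segment the scan did not cover).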
Security Information and Event Management
Most organizations deploy software called Security Information and Event Management, or SIEM, to review the events from various logs (e.g. audit logs from firewalls, switches, routers, servers, endpoints, etc.). The SIEM software can generally provide the following information to the organization as well as the auditors:
- Asset inventory
- Servers on which regular vulnerability scans are run
- Servers generating the most alarms (possible malicious security activity)
- Servers which have the most critical and high vulnerabilities
The SIEM software generally has reports which can be used for audits. The auditor can also get continuous feeds from SIEM to get real-time data.
Identity and Access Management
Auditors are frequently asked to verify the access authorizations for a given user. Most organizations have software called Identity and Access Management, or IAM. IAM not only automates the identity and access provisioning process but also automates the provisioning of access to diverse technology platforms (e.g. Windows servers, Linux servers, ERP systems, etc.). IAM stores all this information in a database that auditors can use to generate reports.
In addition, today’s IAM can also manage identity and access provisioning for cloud applications. This also makes the termination process easier to manage and audit.
Some auditors get a chill up their spine when they are asked to audit network firewalls, Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS), due to the technical nature of the audit.
Modern firewalls are definitely not the kind that require detailed technical knowledge to review. Today’s firewalls are smart and have many features, like easy-to-understand dashboards, which auditors can utilize.
To start with, firewalls have a management console and a reporting capability that can be used to conduct the audits. In addition to the live feeds from the network appliances, auditors could combine the reports from SIEM (see above) to analyze and interpret the information provided by the firewall dashboards and reports.
Mobile Device Management
I have always thought that smart devices (phones, tablets, etc.) are the weakest link for many organizations. Software called Mobile Device Management (MDM) is used by organizations to manage not only mobile devices like phones and tablets, but also laptops. The assets are registered with the MDM, and security policies are pushed down to the assets for enforcement.
Auditors can utilize the information contained in the MDM database to ensure that the smart devices are not the weakest link within the organization.
(Editor’s note: Sajay Rai, CISM, will present on this topic at ISACA’s North America CACS 2018 conference on May 2 in Chicago.)