January 23, 2020 // Tony Howlett // Last Updated: February 25, 2021
If you’re in a regulated industry or serve customers that are, sooner or later you will probably have auditors examine your cybersecurity setup. This may be on behalf of clients, or for your own internal corporate governance. Whatever the reason, IT and security administrators often stress at the thought of auditors going through their systems and networks, finding fault with the configurations, or pointing out embarrassing holes that should have been fixed.
Even in the best case, the thought of auditors sitting in your offices, asking questions and requesting documentation doesn’t bring joy to any rational IT professional. It’s time that could be spent on other projects or priorities, but like it or not, cybersecurity audits are becoming a fact of life for most enterprises. And if they have to be done, you may as well get through them with as little hassle and as few findings as possible. Having been both an IT auditor and an auditee for many years, I learned the mistakes that often make the resulting report harsher than it needs to be.
Here are a few tips to keep you sane during a cybersecurity audit and get you through it without too many black marks.
The first, and probably most important, tip is to cooperate with the auditors. Remember, they are just doing their job, and they’re not generally out to get you. External auditors are hired by the company to make sure the company is secure, which, if we’re being honest, should be your goal too. I’m not saying you won’t get the occasional auditor with an ax to grind, or one who is not technically trained and asks ridiculous questions. Even so, resist the urge to stonewall or hide things. They do this for a living and will dig in and eventually get the information they need, possibly going even deeper to make sure you aren’t withholding anything else. And in the case of a regulatory exam, lying to the examiner can be a crime.
Be as honest and complete as you can without elaborating needlessly on the sins of past administrators. Try to establish a good rapport with the auditors. Treat them like human beings and get to know them as people. Often the same auditors will return next year, and having that connection can make things go more smoothly; they will be more likely to understand your particular situation, and why you haven’t done certain things because of an overloaded schedule, a limited budget, or some other reason. Don’t try to match a nasty auditor with sarcasm and sass. You won’t win: they write the final report, you don’t. The old adage of killing them with kindness will go a long way toward a fair and even-handed audit report.
The Boy Scout motto of “Be Prepared” is never truer than when you have an IT security audit scheduled. An ounce of prep avoids a pound of audit findings. When you are sent a list of documents to collect, have them ready in a neat and organized format: loaded on an encrypted USB drive or a shared folder the auditors can reach, or in a tabbed binder if they prefer paper. Network maps, configuration exports, and policies are sensitive, so protect the audit package the way you would any other confidential data.
The easier you make it for them to find the information they need, the less they will bother you with questions and requests during their visit. Make sure anyone they will want to talk to is in the office and available. On the flip side, a lack of audit prep shows disdain for the process and will surely put the auditors on the warpath. Not having the requested documentation can also signal deeper problems, such as a lack of good logging and monitoring, which leads to my final point.
A common saying among auditors is that if someone didn’t write it down, it didn’t happen. Having a great disaster recovery plan in your head will gain you no points with auditors. Just like those math tests in college, you have to be able to show your work to get credit. They will want to see DR/BCP plans, network maps, policies, and other documentation in written or electronic format. It’s also important that it’s well maintained and updated regularly. If the date on the DR Plan is years ago, it won’t do you much good.
And it’s not enough to have firewalls, IDS sensors, and other technical protections. Auditors will also want to see that those systems are actually monitored, and documentation that someone reviews their output on a regular basis (a sign-off log or ticket trail, not just a dashboard nobody opens). Centralized logging, such as syslog and a SIEM collecting from firewalls, routers, and IDS sensors, together with PAM and vendor PAM (VPAM) for tracking privileged access, will make your audit prep easier and impress auditors.
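One check that answers the two questions auditors ask about centralized logging ("does every in-scope device still reach the collector?" and "who reviews what it reports?") is a log-source coverage report. The script below is an added example, not code from the original article: it parses RFC 5424 syslog lines from a central collector, compares the hosts it sees against the device inventory you would hand the auditor, flags sources that are stale or silent, and lists the messages that still need a reviewer's sign-off. The hostnames, timestamps and messages are constructed sample data, and the inventory is hypothetical.

```python
"""Log-source coverage check for audit prep.

Added example, not code from the original article. It takes the device
inventory you would show an auditor and the raw lines your central syslog
collector received, and reports which in-scope sources are current, stale
or missing, plus which messages still await a reviewer's sign-off. The
hostnames, timestamps and messages below are constructed sample data.
"""
import re
from datetime import datetime, timedelta, timezone

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID [SD] MSG
SYSLOG_5424 = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) ?(?P<msg>.*)$"
)

# Hypothetical in-scope inventory: the list the auditor will compare against.
IN_SCOPE = {
    "fw-edge-01": "firewall",
    "fw-edge-02": "firewall",
    "rtr-core-01": "router",
    "ids-dmz-01": "ids",
}

# Constructed collector output. Note the last line: fw-edge-02 is logging,
# but in the old RFC 3164 layout, so a 5424-only parser will not see it.
SAMPLE_LOGS = """\
<134>1 2021-02-25T09:00:05Z fw-edge-01 pfsense 4121 - - filterlog: block,in,em0,...
<134>1 2021-02-25T09:01:11Z fw-edge-01 pfsense 4121 - - filterlog: pass,out,em1,...
<190>1 2021-02-25T06:30:00Z rtr-core-01 bgpd 77 - - neighbor 10.0.0.2 Up
<130>1 2021-02-25T09:02:00Z ids-dmz-01 suricata 900 - - [1:2100498:7] GPL ATTACK_RESPONSE id check returned root
<131>1 2021-02-25T09:02:30Z srv-legacy-db oracle 33 - - ORA-00600 internal error
Feb 25 09:03:00 fw-edge-02 pfsense[4122]: filterlog: block,in,em0,...
"""

SAMPLE_NOW = datetime(2021, 2, 25, 9, 5, tzinfo=timezone.utc)  # "now" for the sample
MAX_AGE = timedelta(hours=1)  # longest silence tolerated for a healthy source


def parse_line(line):
    """Split one RFC 5424 line into its fields; return None for anything else."""
    m = SYSLOG_5424.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "host": m.group("host"),
        "ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
        "facility": pri // 8,   # PRI = facility * 8 + severity
        "severity": pri % 8,    # 0 = emergency ... 7 = debug
        "app": m.group("app"),
        "msg": m.group("msg"),
    }


def last_seen(log_text):
    """Latest timestamp per host, and a count of lines the parser rejected."""
    seen, unparsed = {}, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["host"] not in seen or rec["ts"] > seen[rec["host"]]:
            seen[rec["host"]] = rec["ts"]
    return seen, unparsed


def coverage_report(inventory, log_text, now, max_age):
    """Classify every inventoried host as ok / stale / missing; list strangers."""
    seen, unparsed = last_seen(log_text)
    report = {"ok": [], "stale": [], "missing": [], "unexpected": [], "unparsed": unparsed}
    for host in sorted(inventory):
        if host not in seen:
            report["missing"].append(host)
        elif now - seen[host] > max_age:
            report["stale"].append(host)
        else:
            report["ok"].append(host)
    # Hosts that log but are not on the inventory are a scoping finding too.
    report["unexpected"] = sorted(h for h in seen if h not in inventory)
    return report


def review_queue(log_text, max_severity=4):
    """Messages at syslog severity 'warning' (4) or worse: the ones to sign off on."""
    return [
        (r["host"], r["severity"], r["msg"])
        for r in map(parse_line, log_text.splitlines())
        if r is not None and r["severity"] <= max_severity
    ]


def audit_readiness():
    """Run both checks against the constructed sample."""
    return coverage_report(IN_SCOPE, SAMPLE_LOGS, SAMPLE_NOW, MAX_AGE), review_queue(SAMPLE_LOGS)


if __name__ == "__main__":
    report, queue = audit_readiness()
    for key in ("ok", "stale", "missing", "unexpected"):
        print(f"{key:10s} {', '.join(report[key]) or '-'}")
    print(f"unparsed   {report['unparsed']} line(s) -- check for sources using another format")
    for host, sev, msg in queue:
        print(f"REVIEW sev={sev} {host}: {msg}")
```

On the sample, the router shows up as stale, the second firewall as missing, and an uninventoried database server as unexpected. The "unparsed" count is the part worth keeping an eye on: the missing firewall is in fact logging, just in the older RFC 3164 format, which is exactly the kind of blind spot an auditor will find if the check doesn't find it first. Run it on a schedule, keep the output with the reviewer's initials, and you have the written evidence of monitoring that the next section says you'll need.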
Finally, all this advice also assumes you are already doing all the best practices that make up a good InfoSec program. No amount of preparation or good attitude is going to save you from poor cybersecurity hygiene. Those topics are the subject for a much longer article (or whole books), but as long as you have a reasonably well put together InfoSec program, these tips can help you score better on your audits and come through it less stressed.