SAN FRANCISCO -- Security audits can help security administrators and officers improve or verify their work, but an audit can also do harm if the people being audited aren't savvy about the process.
"Remember, what doesn't kill you makes you stronger," said Roeland Stouthard, an information security manager with the United Nations and a former auditor with KPMG Information Risk Management, at this week's RSA Conference 2003. "But on the other hand, it's good to exercise."
Security audits can be performed internally or by external firms.
External audits can have many facets. Auditors may do ethical hacking to test systems and networks. They may review projects to make sure they are meeting their objectives. Tools and applications in use across the enterprise may be scrutinized, and source-code reviews of homegrown applications can also be on the agenda.
For Paul Bergman, director of IT for Maxygen Inc., a Redwood City, Calif.-based biotech firm, external audits are a way of "closing loopholes" within the company's infrastructure and do not pose a threat. His company doesn't have the internal expertise to double-check its own security, so auditors provide independent verification of his team's work, Bergman said.
Security staffers should prepare for audits by becoming aware of the auditing process -- something that, in some cases, could enable them to influence the outcome, expose security issues or push a particular agenda through.
Security managers shouldn't be intimidated by auditors. In fact, auditors like it when you challenge them, because it shows you really care about your work and processes. "No one has carte blanche. Auditors tend to ask for more information than they need," Stouthard said, noting that making auditors explain why they are requesting a piece of information makes for a better audit.
Preparing for the audit
Before an audit takes place, it's worthwhile for the security staff to request to see the audit charter so they know the objectives of the audit. It would also be appropriate to ask which documents and people auditors are going to request access to. This gives the staff the opportunity to gather information and put things in writing. "Nothing is more impressive than someone with a big binder," Stouthard said.
Auditors like output. Preparing models, diagrams and other documentation lets you influence the process by making the auditors' job easier. But care has to be taken that the material truly reflects the points you are trying to get across, Stouthard said.
Managing expectations is another way of ensuring that the audit goes well. Staff should be aware of the kinds of things auditors are looking to learn from them. For example, if a project manager is talking about everything from money to deadlines to managing risk, that could set off some warning lights. "The auditors may look to see if the plans are too detailed," Stouthard said.
Focus just on strengths?
Of course, showing auditors how well some things are running should be a goal. But letting auditors know about weaknesses has its advantages as well. For example, security staff can highlight problems they already know the company has and suggest solutions. These can end up in the auditor's final report, which management usually gives a fair amount of attention and weight, Stouthard said.
Also, telling auditors what the organization has learned from past security problems gives the eventual recommendations some weight; the recommendations seem more legitimate when auditors know the real-world experience behind them.
Additionally, one should be aware of how auditors will perceive a given strength or weakness. For example, describing how a developer took it upon himself to fix a software bug in seconds flat may sound like a good thing. But to auditors, it can show that the company lacks adequate change or configuration management and that the developer may have too many privileges.
After the audit
Once the auditors' report comes out, there are a few things a security manager can do to influence the outcome. Things to look for are recommendations that are too vague or too terse; auditors are not implementation specialists. So if a report casually recommends a single sign-on project that could cost $1 million, that should set off warning lights, Stouthard said.
Sometimes, there is an opportunity for a manager to submit a written reaction to the audit. But this is not the place to be negative or nitpicky, Stouthard said. "Don't whine in the reaction, as it will live on [long after the details of the audit are forgotten]."
Send your feedback to the SearchSecurity.com news team.