03. Audit Management
ND545 C4 L5 03 Developing Your Intuition About Audit Management Video
Audits are designed to root out organizational failures, whether those failures come from not having a security mechanism in place or from having one that isn’t functioning at peak efficiency. In and of itself, that can be a scary proposition for security management and operational security teams: for each failure, or perceived failure, security teams will likely need to take some action.
But security audits can be incredibly beneficial to the organization. Done correctly, they can help the organization:
- Set strategic direction for IT and Security Operations teams
- Help determine budgetary needs for the fiscal year
- Prove compliance with a standard; or
- Expose weakness or failure in existing controls
In this way, audits can be a blessing and a curse.
Now that you understand why audits are performed, you should also understand how they operate. Audits are performed by auditors or assessors who are hired by your organization, your customers, regulatory agencies, or others to assess the state of your security operations. They can be similar to a Governance control assessment in that assessors ask you or your organization to provide documentation or evidence that your organization has a specific security control. For instance, the assessor may ask you to provide evidence that anti-virus software is installed on every computer. You would need to provide some type of list or other record that demonstrates that each computer does actually have anti-virus software installed. The assessor will then match your provided evidence against a list of control objectives that come directly from compliance obligations or other sources. For any control objective that your organization fails to address properly, the assessor will create a finding.
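The evidence-to-finding loop described above, as an added example that is not part of the course material: each control objective is a check applied to every evidence record, each failed check becomes a finding, and a per-control coverage figure is derived from the findings. The host inventory, the control identifiers (`AV-1`, `AV-2`), the collection date and the signature-age limit are all constructed for illustration and do not come from any real standard or audit.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional

# Constructed evidence: the kind of per-host record an inventory export might
# contain. Hostnames and dates are made up for this example.
INVENTORY = [
    {"host": "ws-001",  "av_installed": True,  "av_signature_date": "2024-05-01"},
    {"host": "ws-002",  "av_installed": False, "av_signature_date": None},
    {"host": "ws-003",  "av_installed": True,  "av_signature_date": "2023-11-15"},
    {"host": "srv-db1", "av_installed": True,  "av_signature_date": "2024-05-02"},
]

# Assumed audit parameters (not from the page): the date the evidence was
# collected and how old a signature set may be before it counts as stale.
AS_OF = date(2024, 5, 3)
MAX_SIGNATURE_AGE = timedelta(days=7)


@dataclass(frozen=True)
class ControlObjective:
    control_id: str
    description: str
    # A check returns None when the host satisfies the objective, otherwise a
    # short explanation that becomes the finding text.
    check: Callable[[dict], Optional[str]]


@dataclass(frozen=True)
class Finding:
    control_id: str
    host: str
    detail: str


def check_av_installed(record: dict) -> Optional[str]:
    if record["av_installed"]:
        return None
    return "no anti-virus software installed"


def check_av_signatures_current(record: dict) -> Optional[str]:
    raw = record["av_signature_date"]
    if raw is None:
        return "no signature date reported"
    age = AS_OF - date.fromisoformat(raw)
    if age > MAX_SIGNATURE_AGE:
        return f"signatures are {age.days} days old (limit {MAX_SIGNATURE_AGE.days})"
    return None


# Hypothetical control objectives; the identifiers are placeholders.
CONTROLS = [
    ControlObjective("AV-1", "Anti-virus software is installed on every endpoint",
                     check_av_installed),
    ControlObjective("AV-2", "Anti-virus signatures are kept current",
                     check_av_signatures_current),
]


def run_audit(inventory: List[dict], controls: List[ControlObjective]) -> List[Finding]:
    """Apply every control objective to every evidence record; each failed
    check becomes one finding, as an assessor would record it."""
    findings = []
    for control in controls:
        for record in inventory:
            problem = control.check(record)
            if problem is not None:
                findings.append(Finding(control.control_id, record["host"], problem))
    return findings


def coverage(inventory: List[dict], controls: List[ControlObjective],
             findings: List[Finding]) -> Dict[str, float]:
    """Fraction of hosts satisfying each control: the kind of number that
    feeds strategic direction and budget discussions after an audit."""
    total = len(inventory)
    result = {}
    for control in controls:
        failed = {f.host for f in findings if f.control_id == control.control_id}
        result[control.control_id] = (total - len(failed)) / total if total else 0.0
    return result


if __name__ == "__main__":
    found = run_audit(INVENTORY, CONTROLS)
    for f in found:
        print(f"[{f.control_id}] {f.host}: {f.detail}")
    for cid, frac in coverage(INVENTORY, CONTROLS, found).items():
        print(f"{cid}: {frac:.0%} of hosts compliant")
```

A host that fails the installation check also fails the signature check here, which mirrors how assessors typically record each unmet objective separately rather than collapsing related gaps into one finding.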
In preparing for an audit, it's important to understand exactly what an assessor might be looking for. There are typically a few types of audits that might be performed. They are:
- Questionnaire-based assessments: Literal questionnaires asking specific questions about your organization’s security environment.
- Technical assessments: Hands-on automated or manual review of certain technical controls, including penetration tests, vulnerability scanning, and so on.
- Manual assessments or reviews: A manual review of policies, procedures, or technical configurations.
- Interviews: Interviews with stakeholders to verify that controls are operating as expected.
- Onsite assessments: Assessors come onsite to organization locations and perform any number of the above.