By: Darcy Kempa
April 22, 2021
Cybersecurity Audit Tips And Tricks
Occupational tips and tricks are often the result of many years of personal experience. Over a career, personal successes and failures are analyzed to identify what worked and what did not. Employees can then use the successful tips or tricks to improve performance, reduce waste, or save time. The following cybersecurity audit tips and tricks are shared for the benefit of auditors and auditees alike.
Review the Previous Audit
Proper preparation is important to a successful audit. One good way to prepare for an audit is to review the results from the previous audit. This is important for two reasons:
First, the review gives the auditor some familiarity with the controls examined during the last audit. This matters because the auditor should know the purpose of each control to be reviewed. If there are any questions or concerns, it is better to address them before the actual audit.
Second, the review exposes the auditor to documented failures and unsatisfactory performance. These should be noted to help identify possible consecutive failures in the ongoing process. Back-to-back failures of a control should be investigated to identify a root cause.
Identify Restricted Access Areas
Organizations may decide to restrict common access to certain areas. These areas may include Security Operations Centers, server rooms, or backup/data storage areas. At the same time, a cybersecurity audit may require the auditor to have physical access to these restricted areas to complete the audit.
It is important to identify these restrictions in advance so that auditors can gain access to these areas during the audit. There is nothing worse than having an auditor wait for restricted access (badge, escort, etc.) before being able to work. Identifying and mitigating these restrictions in advance helps ensure a smooth and timely audit.
Resolve Disagreements Objectively
The purpose of a cybersecurity audit is to verify satisfactory compliance with designated controls. The problem is that “satisfactory compliance” can be defined differently by auditors and auditees. Unless the control states very specifically what counts as satisfactory compliance, there will always be a possibility of disagreement.
If a major disagreement between the auditor and auditee occurs, it is recommended to involve managers and/or supervisors. The point is to keep the disagreement professional and not personal. It is important to understand that the auditor is not a judge and jury but a reporter of the facts. Likewise, the auditee does not have the authority to freelance and decide how to satisfy a control’s requirements. Disagreements are better resolved objectively and by those with authority to modify controls or behaviors.
Protect the Audit Results
Once an audit is completed, it is important to treat the audit results as confidential information to be shared only with those who have “a need to know.” Some people may hesitate to accept this idea, but once the results are analyzed, it is easy to see how valuable they can be to a hacker.
The results of a cybersecurity audit may provide the following information:
- Department/division responsibilities (who owns what)
- Control questions (Are OEM-provided passwords changed?)
- Audit results (OEM-provided passwords are not changed)
Individuals familiar with penetration testing can see that an attacker can obtain a lot of valuable information from these results. Responsibilities, the types of control questions asked (or not asked), and the results can improve a hacker’s chance of breaking into a network. It is recommended to protect cybersecurity audit results as if they were proprietary information.
Use Audit Results to Justify Funding
This tip/trick is for the department/division head more than for the auditor or audit team. Negative cybersecurity audit results can be used as justification for additional funding. The inability to satisfy a control once or multiple times can motivate senior-level management to provide additional money to fix the problem.
This tactic, however, must be well thought out, show a positive return on investment, and solve a control discrepancy. The return on investment must be higher than the cost of the new appliance, software, manpower, or training needed to satisfy the control. For this tactic to work, the requestor must translate “improved security posture” into dollars and reduced potential financial loss.
Pertinent Training Options
Cybrary provides online training courses in information technology and cybersecurity. These courses cover a myriad of subjects, from project management to penetration testing to auditing. Take an online course and enhance your knowledge.