
Can You Prove You're Ready for Your Next Audit?


How to create an effective configuration auditing process

By Dave Eike
Director of Enterprise Solutions
Shavlik Technologies

When businesses face internal or external IT compliance audits, a lack of information and the absence of a plan lead to fear and uncertainty at all levels of the organization. While preparing for the audit, executives ask questions that IT administrators dread having to answer. These questions include:

•    How secure is the network?
•    Is our sensitive information protected from unauthorized access?
•    How will the organization’s controls hold up to scrutiny?
•    Are all of our machine settings within the stated security policy?
•    How will we find time to prepare for the audit?

These questions arise from a high level of uncertainty about the true state of the network, not because IT administrators are failing to perform their duties. Administrators simply cannot know for certain the security posture of every system on the network, and they lack the time and the tooling required to review every configuration setting on every machine.

Rather than starting your audit preparation by asking these questions, resolve to achieve the peace of mind that knowing all the answers provides. Your business will be better prepared for an audit if you understand why security configuration management is important and what steps you need to take to prepare for and undertake the IT system audit process.
Why security configuration auditing is important

Security configuration auditing helps ensure companies meet regulatory guidelines and standards, such as the following:
•    Sarbanes-Oxley (SOX) requires public companies to make accurate disclosures about their finances and internal controls; it was enacted to deter financial malpractice and fraudulent accounting. All companies publicly traded in the United States must comply with SOX.
•    The Gramm-Leach-Bliley Act (GLBA) requires financial institutions to protect customer data and provide privacy notices. Banks and other financial institutions must follow GLBA.
•    The Health Insurance Portability and Accountability Act (HIPAA) requires health care organizations to ensure the privacy of personal health information. Hospitals, medical centers and any business dealing with patient medical records must comply with HIPAA.
•    The Payment Card Industry Data Security Standard (PCI DSS) specifies how to secure information systems and media containing cardholder account data to prevent access by, or disclosure to, any unauthorized party, and requires that cardholder data which is no longer needed be securely deleted. Companies that store, process or transmit cardholder data must comply with PCI DSS.
•    ISO/IEC 17799 and ISO/IEC 27001 are companion standards from the International Organization for Standardization and the International Electrotechnical Commission. ISO/IEC 17799 (since renumbered ISO/IEC 27002) is the code of practice that catalogs security controls. ISO/IEC 27001, published in October 2005 under the full name ISO/IEC 27001:2005 - Information technology — Security techniques — Information security management systems – Requirements and commonly known as "ISO 27001", specifies the requirements for an information security management system (ISMS) and is the standard organizations certify against.
•    COBIT is an IT governance framework and supporting toolset that helps managers bridge the gap between control requirements, technical issues and business risks. It supports clear policy development and good practice for IT control throughout an organization, emphasizes regulatory compliance, helps organizations increase the value they obtain from IT, and aligns IT activities with business goals.

Auditors use configuration audits to verify compliance with regulations and internal security policies, and to confirm that sensitive information is protected. For example, HIPAA requires organizations that handle patient records to keep them private and protected against data leaks. If a computer holding patient records drifts out of compliance with the security baseline, it exposes that information to unauthorized access, and the company risks a failed audit, a fine, or both.

To achieve a higher degree of security and be prepared to pass regulatory audits, organizations should direct the majority of the IT security budget at securing systems rather than at compliance for its own sake. Secure systems lead to regulatory compliance, but being compliant does not always translate into secure systems. An organization can comply with HIPAA, SOX or other regulations and still run an insecure network, because each regulation covers only certain categories of information and the systems that hold them, not the network as a whole.
That means every organization, including those that don't have legal requirements to comply with regulations, should take proactive steps to ensure consistent system configurations to protect proprietary information from unauthorized disclosure. This can help a company reduce downtime, manage security vulnerabilities and better control insider misuse by having configuration controls in place.

Preparing for the configuration audit
To best ensure preparedness for an audit, it is important to understand that security encompasses system configurations, best practices, and policies. Compliance regulations often focus on policies established by upper management and procedures defined by IT teams. These are termed soft controls. Along with soft controls, information security involves the protection of hardware, including servers and other network devices, from attacks. These are termed hard controls. An organization that has both soft and hard controls in place is more likely to be secure and in a position to demonstrate compliance with regulations.
Configuration audits examine individual system settings against the established security baseline for a particular operating system, such as Microsoft Windows® Vista. An auditor typically samples about 15 to 20 percent of the Vista machines and compares their configurations to the stated security baseline; in practice this means comparing the registry and system settings on each sampled Vista installation to the baseline values. If the sample shows deviation from the baseline, the auditor increases the sample size and reports every variation from the stated standard.

Normally, the auditor randomly selects the sample; therefore IT must review all machine configurations to ensure compliance with the identified security baseline. IT personnel must then fix any machines out of compliance with the security baseline to reduce the chances of the auditor finding a deviation. Since security settings change over time, IT personnel need to perform regular internal audit reviews, especially close to an upcoming formal audit.

Providing the right proof
Organizations are responsible for providing the auditor with configuration status data for the systems under review. Public companies and other regulated organizations cannot avoid an audit, but they can prepare so that it succeeds: establish security baselines, perform routine internal audits, and document procedures, all of which save time and money when the auditor arrives. Preparing manually is tedious and expensive; automated compliance solutions can streamline the process. Many organizations avoid the time and expense of establishing this preparation process, but the alternative, being out of compliance, is potentially far more costly, especially for large organizations.

Staying compliant and preparing for audits also requires a standard reporting structure that proves the company reviewed its systems and fixed issues in a timely manner. Reports must show that the organization reviewed the settings, identified deviations, remediated them, and then reviewed the settings again to confirm the fix. This demonstrates to an auditor that the company routinely reviews system configurations and takes corrective action.

Stay one step ahead with configuration management
Though audits can be intrusive, the only way to avoid surprises during one is to verify that the configuration of every machine complies with the organization's stated security baseline. Organizations cannot realistically rely on "stare and compare" techniques to check compliance: the manual approach is time consuming and error-prone, and the technician doing the comparison may miss a deviation. Auditors are notorious for their ability to sniff out exceptions.

While an organization can never be entirely certain that its systems and networks are not slowly drifting out of compliance, it can take steps to stay within its stated security baseline. The most cost-effective and sustainable approach is an automated compliance management solution that scans the network, then reports on and fixes anything out of compliance, such as missing patches, weak passwords, and misconfigured systems, firewalls, routers and operating systems that could allow unauthorized access. Such a solution also compares security settings against the baseline and enforces them.
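The baseline comparison the auditor performs, and the review, remediation and re-review cycle the reports must document, in working code. This is an added example written for this page, not code from the article or from Shavlik: the baseline controls, the setting names and the three host snapshots are constructed for illustration, and the registry paths behind such settings are not modelled. It also shows, with the hypergeometric probability, why an auditor's 15 to 20 percent sample is no reason for IT to check anything less than every machine.

```python
"""Baseline drift check with remediation evidence (added example; constructed data)."""
import json
import math
import operator
from datetime import datetime, timezone

# Hypothetical security baseline. Each control names a setting, the comparison a
# host must satisfy and the required value. "eq" is an exact match; "ge"/"le"
# bound numeric settings, because "maximum password age 90 days" is a limit,
# not a single acceptable value.
BASELINE = [
    {"id": "PW-01", "setting": "MinimumPasswordLength", "op": "ge", "value": 12},
    {"id": "PW-02", "setting": "MaximumPasswordAge", "op": "le", "value": 90},
    {"id": "PW-03", "setting": "PasswordComplexity", "op": "eq", "value": 1},
    {"id": "FW-01", "setting": "FirewallEnabled", "op": "eq", "value": 1},
    {"id": "AU-01", "setting": "AuditLogonEvents", "op": "eq", "value": "SuccessAndFailure"},
]
OPS = {"eq": operator.eq, "ge": operator.ge, "le": operator.le}

# Constructed host snapshots (setting name -> exported value), as an inventory
# tool might produce them. Host 03 is missing a setting entirely and has a
# numeric value exported as text; both are common in real exports.
HOSTS = {
    "ws-vista-01": {"MinimumPasswordLength": 14, "MaximumPasswordAge": 60,
                    "PasswordComplexity": 1, "FirewallEnabled": 1,
                    "AuditLogonEvents": "SuccessAndFailure"},
    "ws-vista-02": {"MinimumPasswordLength": 8, "MaximumPasswordAge": 180,
                    "PasswordComplexity": 1, "FirewallEnabled": 0,
                    "AuditLogonEvents": "SuccessAndFailure"},
    "ws-vista-03": {"MinimumPasswordLength": "12", "MaximumPasswordAge": 90,
                    "PasswordComplexity": 1, "AuditLogonEvents": "Success"},
}


def check_host(snapshot, baseline=BASELINE):
    """Compare one host's settings against the baseline; return its deviations.

    A setting absent from the snapshot is a deviation ("not configured" is not
    "compliant"), and a value of the wrong type is reported, not crashed on.
    """
    deviations = []
    for control in baseline:
        actual = snapshot.get(control["setting"])
        try:
            ok = actual is not None and OPS[control["op"]](actual, control["value"])
        except TypeError:  # e.g. "12" exported as text where a number is required
            ok = False
        if not ok:
            deviations.append({"id": control["id"], "setting": control["setting"],
                               "expected": f'{control["op"]} {control["value"]!r}',
                               "actual": actual})
    return deviations


def remediate(snapshot, deviations, baseline=BASELINE):
    """Return a corrected copy of the snapshot with each deviating setting put at
    the baseline value (the bound itself for ge/le). The input is not modified,
    so the 'before' state survives for the evidence record."""
    required = {c["id"]: c["value"] for c in baseline}
    fixed = dict(snapshot)
    for d in deviations:
        fixed[d["setting"]] = required[d["id"]]
    return fixed


def audit_cycle(hostname, snapshot, baseline=BASELINE):
    """Review, fix, re-review: the evidence record an auditor expects to see."""
    before = check_host(snapshot, baseline)
    fixed = remediate(snapshot, before, baseline) if before else snapshot
    after = check_host(fixed, baseline)
    return {"host": hostname,
            "reviewed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "deviations_found": before,
            "deviations_after_fix": after,
            "status": "compliant" if not after else "non-compliant"}


def chance_sample_finds_drift(fleet_size, noncompliant, sample_size):
    """Probability that an auditor's random sample contains at least one
    non-compliant host (hypergeometric). With 3 of 100 hosts drifted and a 15
    percent sample, the auditor still finds one about 39 percent of the time,
    which is why IT has to check all 100 rather than hope the sample misses."""
    if noncompliant <= 0:
        return 0.0
    if sample_size > fleet_size - noncompliant:
        return 1.0  # more machines sampled than compliant ones exist
    miss = math.comb(fleet_size - noncompliant, sample_size) / math.comb(fleet_size, sample_size)
    return 1.0 - miss


if __name__ == "__main__":
    for host, snap in HOSTS.items():
        print(json.dumps(audit_cycle(host, snap), indent=2))
    print(f"auditor sample of 15/100 catches 3 drifted hosts: {chance_sample_finds_drift(100, 3, 15):.0%}")
```

Two design points matter more than the size of the baseline. First, the comparison is per control, not a blanket equality test: a password-age limit of 90 days must accept 60, and a minimum length of 12 must accept 14, so the baseline carries the operator with the value. Second, the evidence record keeps both the "before" deviations and the "after" re-check on the corrected settings, which is exactly the review-then-re-review trail the reporting section calls for; a tool that overwrote the snapshot in place would leave nothing to show the auditor.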
Regularly conducted audits provide proof for everyone from the IT administrator to the CEO that their networks are secure and audit-ready. With the right configuration controls in place, the company cuts system failure downtime, security vulnerabilities, internal security threats, overall management cost, and potential fines for non-compliance.










© 2019 Simplex Knowledge Company. All Rights Reserved.