Enter The Age Of The Auditor
Monday, May 07, 2012 1:11:16 PM by Christa Curry
posted in General | Newsletter

Background

Blame it on the WorldCom or Enron scandals, the rise of electronic payment transactions, or the advent of cyber crime, espionage and general maliciousness, but in any case we have seen audit requirements increase over the past ten or more years. I am not hung up on the past, the "good ole days" when no one had to worry about their sensitive data and systems being misused; I am not nostalgic. The fact of the matter is that most of us were so naive that we didn't know we should be worried. But then these aforementioned events, and many others, brought us back to earth with a bump. Enter the age of compliance, system and security requirements, and worst of all: "the auditor."

The Problem

It's a rare organization that hasn't had to respond to an auditor's questions about policies, procedures, and proof. If you are one of these few you should count yourself lucky. But don't celebrate too long; I suspect your time is coming. More and more organizations, and IT departments in particular, are finding themselves "in scope," to use an auditor's term; in other words, some contractual or legal requirement makes it necessary for them to prove something, and it is the purpose of the audit process to verify that proof.

The usual audit follows a predictable pattern:

1. Tell me what you will do.
2. Show me how you will do it.
3. Prove to me that you did it.
4. Show me what you did with the results.

The first request sounds something like "Show me your policy for ." This is the "tell me what you say you will do." If this is your first audit (or your fiftieth) and you find that you don't have a policy for , no problem. A few minutes on Google and you can have a policy. Note: I don't advocate this. Policies should be specifically tuned to the needs and structure of the organization, vetted by all stakeholders, and seriously considered before adoption. But such a Google search can give you something to hand the auditor.

The second request would be "Show me how you meet this policy requirement," in other words, what set of actions are used to meet this policy and how do they address all aspects of the requirement. This is a procedures document. If the policy requires strong passwords and you are a Microsoft shop, then a document describing how Active Directory is configured to require passwords of a certain length, complexity, etc. is necessary.

The first two auditor requests can be handled without too much pain, but here comes the killer: "Prove to me that you have been doing this," and specifically, "Show me the results for this randomly selected sample of dates/events/types." If you have not been collecting this data there is no legal, ethical, or even easy way of generating it. Audit lost.

There is a follow-up question: "What did you do with the results?" This usually refers to corrective actions and changes made to improve operations, but if step three was not fully satisfactory there is no need to consider this step.

The Solution

Some of the best scary stories are the ones where the reader/viewer knows what's coming but the hero doesn't. We yell at the movie screen, "Don't go in the woods," and then watch as the scary consequences unfold. Well, here we are: "Don't go into the audit unprepared!" But this is real life, and real jobs and investors' money (livelihood) are at stake. So how do we prepare for the audit?

Plan - You don't know what the auditor will ask for, but you know the kinds of questions he will ask. Study the requirements in question, anticipate what a reasonable person would ask (no jokes here please), then prepare accordingly.

Plan some more - Create the procedures documents that support the policies created above. Compare them to how others achieve the same result; you don't have to do something just because that's how it's always been done. At the same time, you don't have to change it if it works. Have a reason for any change.

Execute - The most important step is to execute. All the planning in the world is worthless until it is put into action. Know what data is important to collect, understand how to collect it reliably and securely, and know how to preserve it safely.

If you follow these three steps I guarantee your audit findings interview will be a much happier experience. The auditor may still find things that need improving, but you will have a solid foundation to build upon.

Achieving Audit Nirvana Through Control Automation and Visibility | April 2012 Newsletter
Tuesday, April 03, 2012 12:02:17 PM by Christa Curry
posted in Compliance | Newsletter | PCI DSS

The Problem

You have probably seen it in the news recently: the latest big security breach. Both Visa and MasterCard announced that a "third-party processor" experienced a data breach exposing sensitive cardholder data. That third-party processor was Global Payments, Inc. Global Payments (GPN) is the intermediary between merchants and the banks that issue credit cards, and it handles millions of financial transactions a year. When a breach like this occurs it hurts more than the individuals whose information was put at risk; it hurts Global Payments' reputation, market share, and potentially even its existence as a company. Both Visa and MasterCard were quick to point out that there was no breach of their systems. Still, they were feeling some of the hurt as well. It is this collateral damage, felt by Visa and MasterCard, that has led to the PCI DSS standards.

Global Payments is subject to PCI DSS as well as other regulatory and compliance requirements. Since GPN is publicly traded, it must be concerned with Sarbanes-Oxley. It deals with sensitive personal data and operates in several states, so federal and state privacy requirements must be met. If it has European Union employees or cardholders, there are EU Safe Harbor issues. Fulfilling these various requirements invariably leads to a tremendous audit effort and cost: both internal and external audits involving many hours spent evaluating security and away from processing transactions.

The Solution

The Challenges Associated with Antiquated Audit Processes - Recently I took my taxes down to a local tax preparer, and while it isn't exactly like an audit there are some similarities. I gathered up my grocery bag of receipts and forms and headed for her office. We spent hours going through the pile of paper. We filtered out the unnecessary documents, searched for those that were missing but required, and eventually made sense out of the chaos. The process was completely manual and not documented (every year I have to go home and get things I forgot). It was not much fun. It took a lot of time away from "more important" activities. There are organizations that use a similar manual process every time they face a compliance audit. They have to discard reports that aren't necessary and scrounge for missing documents that are really needed (if they can find them after the fact at all). These manual efforts result in a costly and unsatisfactory audit: lots of man-hours spent and still a bad report, because the data was not available.

The Benefits of Continuous Monitoring and Streamlined Audit Activities - So how can IT operations effectively prepare for an audit? Continuous monitoring eliminates the manually intensive scramble of responding to cyclic audit requirements. In a perfect world you would always be collecting the events (and every compliance authority requires that), saving them safely and securely, and have a way to easily generate the reports needed, all without redirecting an admin away from his normal duties.

Strategies for Implementing Automated Information Controls That Help Streamline Auditing - I have been involved in IT audits for a long time, and on both sides of the table. In every case, planning and preparation are as important as the results. In other words, it is just as important to identify specific requirements and procedures as it is to pass a vulnerability scan. IT operations must understand what the compliance authority is expecting in terms of evidence of compliance, and then develop baselines, processes and procedures to gather the evidence that supports that expectation. At the heart of this "perfect world" effort is a documented and repeatable mechanism for gathering event data, protecting those events from modification, and preserving them for later review.

Automated Monitoring Promotes Operational Excellence, Streamlines Risk Management and Reduces the Cost of Audits - This perfect-world solution is exactly what Secure Vantage Technologies' Audit Manager 2010 provides. Secure Vantage Technologies (SVT) provides IT Security Auditing solutions that help enterprises meet their specific IT compliance and regulatory requirements. SVT's Audit Manager 2010 can help your company reduce the time and resources you spend in the IT security auditing process, helping you meet your deadlines and save money. Based upon industry best practices and expert guidance, Audit Manager 2010 is designed to reduce the work effort associated with preparing for external audits by ensuring that appropriate security events are monitored, logged, alerted on, and archived in accordance with the organization's security requirements.

Written by: Terry Dalby - CISSP, CISM

Compliance: One Size Doesn't Fit All | January 2012 Newsletter
Sunday, January 08, 2012 6:48:05 PM by Christa Curry
posted in Newsletters

Compliance has become an incredibly important part of daily operations for many organizations today. Being able to show that the organization is in compliance with requirements like HIPAA, SOX, NERC, or other regulatory mandates is not just a "nice to have"; it is an absolute business requirement. If a company or organization does not comply with the regulatory compliance standards set forth by leaders in its industry, it can suffer a variety of penalties, fines, or, in some cases, prosecution. To further complicate matters, many myths have arisen surrounding compliance and how to achieve it.

Compliance is not simply a single product, department, or service. Compliance is achieved via a combination of products, people, processes, and technology. In order for an organization to comply with a given set of mandates, it must bring all of these together to be successful. This balance of manpower and technology can seem overwhelming, and sometimes can create a false sense of security. Even if you have completed your regulatory compliance boot camp, trained your staff, documented your policies, and implemented your procedures, you may still be at risk. You may be fully compliant, but still not fully secure.

Many IT departments face this very challenge today. The problem is primarily one of perception. Industry regulations and compliance standards were never meant to be the end result. These standards were meant to be a platform on which IT organizations could begin to build their own rigorous set of standards to which the organization should adhere. This would allow IT departments to build upon the standards, adding the security measures and additional requirements their internal needs call for. An organization may even pass its audit, and yet still not be fully secure. Most organizations have considered regulatory compliance to be the end, where it should be merely the beginning. Furthermore, it should be noted that security and compliance are not one and the same.

Different industries and vertical markets also have different ways of dealing with compliance issues, which can further complicate matters. Organizations that have to comply with HIPAA, for example, have an entirely different set of concerns than an organization that must meet NERC requirements. This can cause further confusion when it comes to understanding what "compliance" really means. In many cases, being compliant just means that some basic needs have been met, such as ensuring SSL is used during transactions, whereas other regulatory standards may impose vastly more complex stipulations, such as ensuring the ability to track who has viewed what particular data, when, and how. Therefore, each organization will have to tackle the issue from an entirely different viewpoint. One organization may be primarily concerned with the privacy of data and the security thereof, whereas another may be primarily concerned with ensuring the reliability of the data provided and the uptime and accessibility of that data. Some organizations may be faced with a combination of all of these.

As you can see, one size really does not fit all when it comes to compliance. There are myriad requirements, and knowing how and where they apply to your organization can be a rather complex challenge. As I mentioned before, a combination of products, people, and technology is required to accomplish these tasks. One piece of this puzzle should be auditing and compliance products that can ease this burden. Secure Vantage Technologies is the #1 solutions provider of IT security and auditing technology for the Microsoft enterprise data-center and cloud based initiatives for System Center Operations Manager. From security monitoring and event collection to IT GRC auditing and compliance, SVT provides your business with the important tools needed to achieve IT GRC alignment.

Holiday Office Hours
Monday, December 19, 2011 8:19:34 PM by Christa Curry

The SVT offices will be closed Monday, December 26th, 2011. During this time support will be unavailable. Our office will reopen on Tuesday, December 27th, 2011 at 9:00 A.M. CST. Should you need emergency support during our time away, please contact Bryan Powell at (+1) 713-231-7463. Thanks to all of our SVT customers for your business. We hope you all have a happy holiday!

SCOM 2012
Wednesday, November 30, 2011 3:27:37 PM by Christa Curry
posted in Product Updates | Newsletters

The release of System Center Operations Manager 2012 is upon us, and the question on everyone's mind is "Will SVT support it?" The answer is "Yes, we will support it." As of now the scheduled release for the SCOM 2012 update to the SVT products is the end of January 2012.

As Microsoft evolves SCOM into its next form, there are significant changes. The most notable change is the removal of the Root Management Server (RMS). In SCOM 2012 only the management servers will exist. It is easy to imagine the scope of the changes required when such an integral component suddenly is no longer available. However, our team is working diligently to assess these changes and now believes we can have a SCOM 2012 version of the product available by the end of the first quarter.

We will continue to update everyone on how the upgrade process will work as the changes progress.