Leverage efficiencies. For most organizations, a security audit is hard because there’s too much to do and a knowledge gap between the auditor and the IT group, Pike says.
“Over the last several years we've seen a concentration on narrowing the knowledge gap in two ways,” Pike says. One is by using frameworks that consolidate audit control tests. “Instead of auditing one control over and over to meet different standards, it’s more effective to understand that several standards require auditing a specific control. Audit that one control in a meaningful manner and pass the results through to every standard as opposed to doing a poor audit five times.”
The second, and probably more important, way to narrow the gap is to use analytics. “Especially for the enterprise market there have been significant advancements in injecting audit process into technology,” Pike says. “These solutions can eliminate false positives and create a focused view of where systems might have problems.”
Major auditing firms are leading the charge in developing customized systems in highly regulated industries to tackle well-known audit challenges, Pike says. “Currently some of these solutions can be expensive, but over the next few years should find their way into the mid-market,” he says.
Make sure the audit is comprehensive. The IT infrastructure now extends well beyond the walls of the organization, and the audit needs to reflect that.
“Our audits/assessments involve a cross-functional approach that involves an assessment of tools, processes and response procedures,” says Myrna Soto, corporate senior vice president and global CISO at media company Comcast. “The emergence of mobile technology and cloud services expands the technical capabilities required” to conduct an effective audit.
Traditional protocols can’t be assumed to be applicable for areas such as cloud-based computing capabilities or data storage, Soto says. “Testing containers and portability of data stores in the cloud—for us, a private cloud infrastructure—is important,” she says.
“Network zoning has evolved as a result of cloud infrastructure capabilities and effective assessments/audits must account for multiple vulnerabilities.”
As an example, network security audits account for one vector, but when you’re assessing something for the Internet of Things, including multiple connected devices performing multiple functions, that requires a comprehensive end-to-end assessment of security protocols for a variety of transactions, Soto says.
“Protocols can include access controls, data masking, authentication and intrusion prevention,” Soto says. “Needless to say, the evolution of technologies has required an evolution of assessment needs and ultimately audit practices.”
Barton agrees that security audits need to be comprehensive and cover areas such as understanding all ingress and egress points for data within the organization and the controls applied to those points; knowing where all sensitive information is stored within the organization; knowing what systems support revenue generation and where they reside related to security controls; and evaluating internal security policies.