Featured Article
Working Well with Auditors
Diana Kelley, Partner, SecurityCurve
Introduction
For some IT professionals, the mere mention of an audit conjures painful images of being trussed and stuffed like a Thanksgiving turkey. If you’ve ever been through an audit that you weren’t prepared for, you may harbor your own unpleasant images of an audit process gone wrong. As recently as 10-15 years ago, many auditors were just learning their way around the “new world” of IT, while just as many computer and network professionals were beginning to learn their way around the audit world.
At that time, auditors were seen as the people who swooped in and made an IT staffer’s life miserable – by telling them where their controls were failing, by pointing out control deficiencies (both real and imaginary) to management, and by recommending difficult-to-implement fixes that may have satisfied a regulatory requirement but didn’t take the underlying business processes into account.
Caught in a communications stalemate, many IT and audit departments operated at odds for years. And, unfortunately, that’s where some of us still are. But the world keeps turning. It’s time to move on - to leverage the complementary roles that IT and audit fulfill and get the most out of our risk management programs. By working cooperatively with the internal or external audit teams, IT and security can gain support and cost-justification for risk mitigation projects.
Turning Log Review into Log Management
Think it’s not possible for IT, security and audit to work well together? Not so - consider log management. Many regulations explicitly or implicitly require log review. PCI is explicit, requiring that the logs of every system in the cardholder data environment (CDE) be reviewed every day [1]. In healthcare, HIPAA calls for regular review of records such as audit logs [2], and FISMA, the Federal Information Security Management Act, calls for log review at federal agencies [3]. What’s interesting about these mandates is that while all of them call for review of the log files, none of them specifies how to build a comprehensive log review program. Depending on the size of the organization and the number of systems on the network, the log files could amount to gigabytes or even terabytes of data per week. Parsing all of that manually would be extremely labor intensive and inefficient. Automated log management - aggregating the log data in a central repository and using a parsing engine to sift through it - is a more effective and achievable approach.
Log management for security’s sake alone may be difficult to “sell” to executives as an investment that will benefit the organization. It’s not uncommon to hear budgetary war stories from IT and security administrators who unhappily watch log management funding get cut quarter after quarter in favor of other projects that are deemed more impactful to the company’s bottom line. And here is where the auditor/IT relationship comes into focus. Auditors are looking for controls and systems that enable them to sign off on log review requirements, while IT and security are looking for ways to meet those requirements effectively. By linking a log management implementation project to a compliance requirement, the cost-justification for the program is elevated and the program is far more likely to survive the next round of cuts.
Tips for Working Well with Auditors
Hopefully you’re now convinced that auditors and IT work better in a cooperative rather than competitive environment. But if you’ve never worked with auditors before, you might be wondering how you can bridge the communication gap. To help you with that, here’s a short list of tips that I’ve seen work in a number of organizations:
- Speak their Language – Know the regulations and mandates the auditor is checking for and be sure you are using normalized terms to describe your controls. For example, NIST SP800-53 refers to “audit records” and “user activity logs.” If your department uses a different name for this information, be sure to include a notation in your reporting that explains why your “syslogs” are functionally equivalent to NIST’s “activity logs.”
- Know the Frameworks – Many auditors use well-known compliance frameworks to round out their regulation-specific assessment process. If you have controls in place that map to these frameworks, call this out for the auditor. Using log management as an example, the control maps to ISO/IEC 27001:2005, A.10.10.1: “Audit logs recording user activities, exceptions, and information security events shall be produced” and to COBIT 4.1 DS13.3: “Ensure that sufficient chronological information is being stored in operations logs to enable … reconstruction, review and examination…”
- Write it Down – While techies are great at whiteboarding, they don’t always excel at written documentation. To an auditor, a perfectly implemented process and set of controls is still materially deficient without current documentation to go with it. Make sure not only that you have the required documents ready for the auditor, but also that they are up to date and accurate.
- Make it Clear – Network maps that show zoning and segmentation as well as the locations of relevant systems will help the auditors assess compliance and, where appropriate, help to reduce the scope of the audit zone. Name audit-sensitive systems according to a standardized model, such as by location or purpose. While it might be fun to name your mail servers and firewalls Kenny, Cartman, Kyle, and Stan, it’s not going to help an auditor identify these systems during an assessment.
- Anticipate their Reporting Needs – Generate reports that are mapped back to the regulations or mandates in question. In the case of log management systems, build rules that identify auditor hot-buttons, such as user access to a database that stores credit card information, or evidence that encryption controls are in place for a database storing PII.
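The following is an added example, not code from the article or from any product it mentions. It shows, in Python, the two things the log management section and the tips above describe: an aggregation-and-parse pass over centrally collected syslog-style lines, with rules tagged by the control each hit is evidence for (the identifiers are the ones quoted in this article), and a coverage check that flags any in-scope host with no log data in the review window, since a daily review that never saw a system’s logs is a gap rather than a clean result. The log lines, host names, rule set and CDE inventory are constructed for illustration.

```python
"""Compliance-mapped daily log review (added example, constructed data).

Parse syslog-style lines, apply rules tagged with the controls they evidence,
report hits per control, and flag in-scope hosts that sent nothing during the
review window (a silent CDE host is a daily-review coverage gap).
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not captured from any real system).
# Format: "<ISO-8601 timestamp> <host> <program>: <message>"
SAMPLE_LOGS = """\
2009-10-01T08:02:11 db-cde-01 postgres: connection authorized: user=app_billing database=cardholder
2009-10-01T08:05:43 db-cde-01 postgres: connection authorized: user=jdoe database=cardholder
2009-10-01T08:06:10 db-cde-01 sudo: jdoe : TTY=pts/0 ; COMMAND=/bin/bash
2009-10-01T09:12:00 web-cde-01 sshd: Failed password for root from 203.0.113.7 port 51022 ssh2
2009-10-01T09:12:03 web-cde-01 sshd: Failed password for root from 203.0.113.7 port 51023 ssh2
2009-10-01T09:12:05 web-cde-01 sshd: Failed password for root from 203.0.113.7 port 51024 ssh2
2009-09-29T23:59:01 fw-cde-01 kernel: DROP IN=eth0 SRC=198.51.100.9 DST=10.1.1.5 PROTO=TCP DPT=3389
"""

# Hypothetical CDE inventory: the hosts the auditor expects to see reviewed daily.
IN_SCOPE_HOSTS = {"db-cde-01", "web-cde-01", "fw-cde-01"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
SSH_SRC_RE = re.compile(r" from (?P<src>\S+) port ")

# Rules: (name, predicate, controls a hit is evidence for). Control identifiers
# are those quoted in the article's tips and footnotes; the rules are illustrative.
RULES = [
    ("cardholder_db_access",
     lambda e: e["prog"] == "postgres" and "database=cardholder" in e["msg"],
     ("PCI DSS 10.2", "ISO/IEC 27001:2005 A.10.10.1")),
    ("privileged_command",
     lambda e: e["prog"] == "sudo" and "COMMAND=" in e["msg"],
     ("PCI DSS 10.2", "NIST SP800-53 AC-13")),
    ("failed_root_login",
     lambda e: e["prog"] == "sshd" and "Failed password for root" in e["msg"],
     ("PCI DSS 10.2", "HIPAA 164.308(a)(1)(ii)(D)")),
]


def parse(text):
    """Yield one event dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            yield ev


def review(text, review_end, window=timedelta(days=1), in_scope=IN_SCOPE_HOSTS):
    """Return (hits_by_control, silent_hosts) for the window ending at review_end.

    hits_by_control: {control_id: [(rule_name, host, message), ...]}
    silent_hosts: in-scope hosts with no events in the window (coverage gap).
    """
    start = review_end - window
    events = [e for e in parse(text) if start <= e["ts"] <= review_end]
    hits = defaultdict(list)
    for ev in events:
        for name, match, controls in RULES:
            if match(ev):
                for control in controls:
                    hits[control].append((name, ev["host"], ev["msg"]))
    silent = sorted(in_scope - {e["host"] for e in events})
    return dict(hits), silent


def daily_review(text, date_iso):
    """Review one calendar day (YYYY-MM-DD): 00:00:00 through 23:59:59."""
    end = datetime.fromisoformat(date_iso) + timedelta(days=1) - timedelta(seconds=1)
    return review(text, end)


def repeated_root_failures(hits, threshold=3):
    """Correlate failed_root_login hits by (host, source). The repeated-failure
    pattern is the finding an auditor wants to see, not the individual lines."""
    counts = Counter()
    for name, host, msg in hits.get("PCI DSS 10.2", []):
        m = SSH_SRC_RE.search(msg)
        if name == "failed_root_login" and m:
            counts[(host, m["src"])] += 1
    return {k: n for k, n in counts.items() if n >= threshold}


def format_report(hits, silent):
    """Render the review keyed by control, the way an auditor reads it."""
    out = []
    for control in sorted(hits):
        out.append(f"{control}: {len(hits[control])} event(s)")
        for name, host, msg in hits[control]:
            out.append(f"  [{name}] {host}: {msg}")
    for host in silent:
        out.append(f"GAP PCI DSS 10.6: no log data from in-scope host {host} in window")
    return out


if __name__ == "__main__":
    h, s = daily_review(SAMPLE_LOGS, "2009-10-01")
    print("\n".join(format_report(h, s)))
    print("repeated root failures:", repeated_root_failures(h))
```

Run for 2009-10-01, the report lists every hit under each control it evidences (one event can count for several), correlates the three failed root logins from one source into a single finding, and reports fw-cde-01 as a PCI DSS 10.6 gap because its only line falls outside the window. The gap check is the part most easily forgotten: a rule engine that only reports what it saw cannot tell the auditor which in-scope systems it never heard from.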
Summary
There’s an old aphorism that says you can catch more flies with honey than with vinegar. The same might be said of successful compliance work. While it may be tempting to recoil when you see the person with the compliance checklist, it’s more effective to work with, rather than against, the audit team. What you might find is not only that your next audit season is a little less contentious, but also that you have found an ally in the cost-justification process.
Footnotes:
[1] PCI DSS Requirements 10.2, “Implement automated audit trails for all system components,” and 10.6, “Review logs for all system components at least daily,” PCI DSS v1.2.1, July 2009
[2] HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(D): “. . . regularly review records of information system activity, such as audit logs,” Code of Federal Regulations (CFR) Part 164
[3] NIST SP800-53 (Rev. 2), AC-13: “The organization reviews audit records (e.g., user activity logs) for inappropriate activities.” Note that Rev. 3 (August 2009) withdrew AC-13 and folded its content into AC-2 and AU-6, so map to those identifiers if the auditor is working from Rev. 3. See also NIST SP800-92, Guide to Computer Security Log Management
Related content: Read our whitepaper series on compliance to learn how Log Management helps address the most important regulations and mandates including FISMA, PCI-DSS, HIPAA, NISPOM and Sarbanes-Oxley
Industry News
Big-Box breach – The inside story of Walmart’s attack
Internal documents reveal for the first time that the nation’s largest retailer was among the earliest targets of a wave of cyber attacks that went after the bank-card processing systems of brick-and-mortar stores around the United States beginning in 2005.
Did you know? EventTracker combines both Log Management and Change Monitoring capabilities to provide holistic protection from risks posed by hackers
Manage your Network right
Focus on specialized tools targeting specific areas of network management - As current IT trends push us to the lofty goal of cloud computing, and Software as a Service is promoted by all the biggest software vendors, now is the time to be sure that your network-management capabilities are as good as money can buy.
Note: EventTracker beats products from IBM, CA and BMC in the above article. Don’t miss the review on page 3.
IT automation: Top 5 common mistakes
Automating data center processes may sound like a cure-all for the recession-fueled manpower gap in today's IT departments, but that isn't always the case, according to IT experts.
Did you know? EventTracker automates the collection, consolidation, correlation and analysis of all log data across an enterprise to help reduce the cost of IT resources, increase service levels, improve network availability and overall security.
FBI warns of $100M cyber threat to small-business
Cyberthieves are hacking into small- and medium-sized organizations every week and stealing millions of dollars in an ongoing scam that has moved about US$100 million out of U.S. bank accounts, the U.S. Federal Bureau of Investigation warned…There has been a "significant increase" in what's known as ACH (automated clearinghouse) fraud over the past few months, much of it targeting small businesses, municipal governments and schools.
Did you know? EventTracker’s Small and Medium Enterprise editions provide all the robust features of an enterprise SIEM solution, without the associated overheads and costs, for comprehensive protection from all types of malicious activity.
Cisco MARS shuts out new third-party security devices
Cisco has finally publicly acknowledged it won't add support for new third-party devices to its security information and event monitoring appliance, ending months of speculation about the future of its Monitoring, Analysis and Response System. Some claim it's the beginning of the end for MARS as a multi-vendor SIEM device.
Worried about Cisco MARS? Take advantage of Prism’s SIEM upgrade plan specifically designed for existing MARS customers and those currently evaluating MARS for a SIEM project. Contact us for more information.
Featured Webinar
Detecting a hacking attempt
Threat profiles are evolving constantly and growing in sophistication, and the impact of successful attacks is extremely severe in terms of lost revenue and negative publicity. This webinar shows an actual hack in progress and provides step-by-step techniques to detect the intrusion before costly damage is caused.
This document is provided for informational purposes only. The information contained in this document represents the current view of Prism Microsystems, Inc. on the issues discussed as of the date of publication. Because Prism must respond to changes in market conditions, it should not be interpreted to be a commitment on the part of Prism and Prism cannot guarantee the accuracy of any information presented after the date of publication.
INFORMATION PROVIDED IN THIS DOCUMENT IS PROVIDED 'AS IS' WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND FREEDOM FROM INFRINGEMENT.
The user assumes the entire risk as to the accuracy and the use of this document. This document may be copied and distributed subject to the following conditions: 1) All text must be copied without modification and all pages must be included; 2) All copies must contain Prism's copyright notice and any other notices provided therein; and 3) This document may not be distributed for profit. All trademarks acknowledged. Copyright Prism Microsystems, Inc. 2005.
Prism Microsystems, Inc.
8815 Centre Park Drive
Columbia MD 21045