By Mark Lanterman, Chief Technology Officer, Computer Forensic Services
Carolyn Engstrom, Director of Corporate Compliance
In the first two articles of this series, I discussed maturity assessment and security assessment as connected but distinct components of a strong security program. This article turns to a third, more in-depth component. Security auditing builds on the output of the security assessment to reach conclusions about the effectiveness of an organization's internal controls.
A security audit focuses on the completeness, design, implementation, and efficacy of internal security controls. Controls are identified during the security assessment to mitigate identified risks, but a security assessment provides only a rudimentary evaluation of control design. Perhaps more importantly, a security assessment is conducted under the assumption that the controls are effective in mitigating the risks. A security audit, by contrast, delves much deeper into how a particular control is designed and how it actually operated over a defined period of review. The period of review is set by management based on the level of assurance desired that a control is operating as expected. It is typically twelve months, but it can be any length of time depending on the needs of the organization.
Security audits vary widely in scope and rigor. Although controls are identified during the security risk assessment, a security audit is an independent review of whether the identified risks and controls are complete and accurate. Controls can be categorized in several ways, and each categorization helps surface potential weaknesses in a control's design and implementation.
A typical categorization is preventative or detective. A preventative control stops a risk event before it occurs. For example, to prevent damage to a server, the organization may secure the data center with a key card lock and restrict access to appropriate personnel. A detective control identifies that a preventative control failed or that a risk materialized. In the same example, a detective control may be a periodic review of the data-center access log to detect that access was granted to an unauthorized individual. As described in the second article of the series, controls can also be categorized as administrative, physical, or technical. Administrative controls are process-oriented and relate to the establishment of policies and procedures. Physical controls relate to people, locations, or utilities, whereas technical controls are logical mechanisms enforced by systems, such as authentication, access control lists, encryption, and logging.
Categorizing controls is important because it supports a common security principle: defense in depth. This principle calls for appropriate layers of controls so that if some fail, others remain to further reduce the risk. A risk should generally have both a preventative and a detective control. Preventing a risk from occurring at all is preferred, but it is not always feasible, so pairing the preventative control with one that detects its failures is advisable. A mixture of administrative, physical, and technical controls over a key risk area is also recommended. The principle acknowledges that no security program is perfect: in light of evolving risks and vulnerabilities, organizations should plan for possible deficiencies in even the strongest controls.
Typical frameworks for generalized security audits include the Center for Internet Security's Critical Security Controls, NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and ISACA's Control Objectives for Information and Related Technologies (COBIT) 5. When evaluating technical controls on a specific system, particularly for baselining the expected configuration, the Defense Information Systems Agency's Security Technical Implementation Guides (STIGs) and the Center for Internet Security's CIS Benchmarks provide significant guidance.
Controls are tested by observing the individuals who perform a control, by reviewing documentation that evidences the control was performed, by interviewing the key people responsible for its design, execution, and review, and by independent testing. In independent testing, often called reperformance, the auditor obtains the underlying data and performs the control again to determine whether the same result is reached as by the control performer. For areas of risk with inadequate controls, the auditor may also produce evidence that a risk materialized and to what extent.
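To make the preventative/detective distinction and the reperformance step concrete, here is an added Python example (not from the article or its authors) that implements the data-center access-log review described earlier as a detective control, then shows an auditor reperforming that control from the raw log and comparing the result with the control performer's report. The log lines, badge IDs, the authorized badge list, the business-hours window and the performer's report are all constructed for illustration and stand in for whatever the real badge system and review procedure produce.

```python
"""Detective control (data-center access-log review) and auditor reperformance.

Added illustration; the badge log, badge IDs, the authorized list and the
control performer's report below are all constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time

# Constructed badge-reader log for the data-center door.
# Assumed record format: ISO timestamp, badge ID, door ID, result.
SAMPLE_LOG = """\
2024-03-04T08:02:11 B1001 DC-DOOR-1 GRANTED
2024-03-04T08:15:43 B1002 DC-DOOR-1 GRANTED
2024-03-04T23:41:09 B1001 DC-DOOR-1 GRANTED
2024-03-05T02:17:55 B1077 DC-DOOR-1 GRANTED
2024-03-05T09:30:00 B1090 DC-DOOR-1 DENIED
2024-03-05T10:05:12 B1002 DC-DOOR-1 GRANTED
"""

# The preventative control: the badge system should admit only these badges
# (hypothetical access list maintained by the data-center owner).
AUTHORIZED_BADGES = {"B1001", "B1002", "B1003"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# What the control performer reported after their review (constructed).
# They caught the after-hours entry but missed the unauthorized badge.
PERFORMER_REPORT = [
    (datetime(2024, 3, 4, 23, 41, 9), "B1001", "after-hours access"),
]


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    badge: str
    door: str
    result: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the whitespace-separated badge log into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, result = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), badge, door, result))
    return events


def review_access_log(events, authorized, business_hours=BUSINESS_HOURS):
    """The detective control.

    Flags (a) a GRANTED event for a badge not on the authorized list, which
    means the preventative control failed or is misconfigured, and (b) a
    GRANTED after-hours event by authorized staff, which needs a justification.
    Denied attempts are not exceptions: they show the preventative control working.
    """
    start, end = business_hours
    exceptions = []
    for event in events:
        if event.result != "GRANTED":
            continue
        if event.badge not in authorized:
            exceptions.append((event, "unauthorized badge granted access"))
        elif not start <= event.ts.time() <= end:
            exceptions.append((event, "after-hours access"))
    return exceptions


def reperform_control(raw_log, authorized, performer_report):
    """Independent testing: the auditor reruns the review from the raw log and
    compares the result with what the control performer reported.

    Returns (missed, unsupported): exceptions the performer failed to report,
    and reported exceptions that the raw data does not support.
    """
    auditor = {(e.ts, e.badge, reason)
               for e, reason in review_access_log(parse_log(raw_log), authorized)}
    reported = set(performer_report)
    return sorted(auditor - reported), sorted(reported - auditor)


if __name__ == "__main__":
    missed, unsupported = reperform_control(SAMPLE_LOG, AUTHORIZED_BADGES, PERFORMER_REPORT)
    for ts, badge, reason in missed:
        print(f"performer missed: {ts} {badge} {reason}")
    for ts, badge, reason in unsupported:
        print(f"not supported by log: {ts} {badge} {reason}")
```

With the constructed data the reperformance returns one missed exception (badge B1077 admitted at 02:17, which is not on the authorized list) and nothing unsupported, so the auditor would conclude that the preventative control failed and the detective control did not catch it. A clean reperformance returns two empty lists. Note that this detective control can only see what the badge system logged; protecting the integrity of the log itself (for example, forwarding it to a separate system the data-center staff cannot edit) is a further layer in the defense-in-depth sense discussed above.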
Security audits are the most objective of the security components discussed so far in this five-part series. By concluding on the adequacy and operating effectiveness of controls, an audit feeds back into both the maturity assessment and the risk assessment. Is the organization more or less mature in light of the audit's recommendations? Were any threats, vulnerabilities, or controls overlooked in the security risk assessment? Were controls operating as expected to prevent a risk, or does more residual risk exist than was previously identified?
Like maturity and security assessments, security auditing is a defensive measure: it tests the strength of the internal controls that prevent recognized threats and keep residual risk to a minimum. In the next part of this series, I will describe the role of yet another defensive measure. Technical vulnerability scanning is an essential, though often overlooked, technique in a strong security plan. It feeds into the three overarching components discussed so far and is used routinely so that organizations remain aware of potential problems in their security infrastructure. It is also a crucial input to the final, offensive measure in the series: penetration testing.
The Components of Strong Cybersecurity Plans Part Three: Security Auditing