“We’ve been breached.” These are three words no executive wants to hear from their IT staff. Any mailing or data processing company that deals with sensitive client data likely generates reams of written security policies, because let’s face it, customers want to know that their vendors take security seriously, or they won’t continue to be customers. At some point, management has likely sat down with staff, and possibly an outside consultant, to select a security framework, such as NIST SP800-53, ISO 27001, or HITRUST CSF, and complete the long process of scoping, tailoring, and documenting company procedures.
Having those policies in place is a good start, but it’s only a start. Security policies are only as good as the last time they were tested. Or to use a sports or music analogy, the proficiency of play is often determined by how recently and frequently someone has practiced. A good security posture is the result of learned and practiced behaviors and processes, along with proper equipment. Determining how well policies are followed and how closely written procedures describe actual practices is called auditing.
There are two kinds of audits: external and internal. External audits are performed by independent, professional auditors certified in their particular field of practice. For example, a CPA would conduct a financial audit, or a SOC 1 examination, which reports on Internal Control over Financial Reporting. A cybersecurity auditor conducting a SOC 2 audit would likely have a certification such as the Information Systems Audit and Control Association (ISACA) Certified Information Systems Auditor (CISA). External audits rigorously test sets of specific controls relating to proper risk management and standards.
An internal audit is conducted by the company’s own staff. The purpose of an internal audit is generally to prepare for the external audit, which costs the organization significant money. Without first conducting an internal audit, the risk of major findings during the external audit is unknown. An internal audit is therefore a mandatory step before the outside firm comes in.
We will be dealing with internal audits here and external audits in the next part of this series.
Who Should Conduct an Internal Audit?
Internal audits are commissioned by senior company management. The audit team members should be chosen from among subject matter experts who represent a wide array of departments in the organization, and the audit leader should be familiar with the relevant cybersecurity standards and policies currently in use. Management should provide the internal audit team with a charter that lays out the mission, and the independence to complete the audit and provide truthful, unbiased results.
A charter may be something like: Examine all cybersecurity policies and procedures to ensure they have been reviewed and updated per the document requirements. Test at least 40% of policies against the NIST 800-53R5 standards and controls via observation, evidence collection, and interviews with key personnel. Perform at least one walkthrough or simulation of an actual security event involving IT and production staff. Report results to the COO within three weeks after the start of the audit.
Note that a good charter includes guidelines for what is to be tested, a timeline for the process and a deadline for when results should be reported, and guardrails to keep the audit from becoming an unlimited hall pass for the audit team to induce havoc. A good internal audit timeline should also schedule in adequate time for the team to plan, learn, and coordinate in advance of the actual audit. Telling your audit leader to have the team ready in a day or two is a recipe for confusion and chaos.
What Should Be Audited?
The first element of an internal audit is called a “desk audit.” This is where the audit team assembles the organization’s policy and procedure documentation and determines if the policies are current and have been recently reviewed. It’s useless for auditors to test procedures that are five years out of date, or controls that are obsolete because the framework referenced is deprecated. Are your policies collecting dust? The internal audit team will find out.
The desk audit should be performed in advance of the control testing, though it can also be performed simultaneously, if done in manageable phases. The audit team should follow a timeline with interim meetings built in to determine whether to continue in a particular area, or to tailor the controls tested before proceeding. This will keep the team from wasting time or going down rabbit holes.
It is important to understand what limitations are placed on the auditors. An audit is not a penetration test, so auditors need to be careful not to get into an antagonistic relationship with those being audited. There is no need, for example, to pull a fire alarm, or activate an incident reporting system to test the controls dealing with those areas — unless the charter specifically calls for that kind of intrusive test. Internal auditors must always “stay in their lane.” A cybersecurity audit need not expand the scope into safety, OSHA, professional or legal practices, or financial risk. Asking about the versions of software products in use, when they were last patched, and how the hardware and software inventory is compiled and maintained is, however, well within the scope.
Internal auditors are independent, but they are not to be loose cannons. An auditor merely observes, gathers evidence, and interviews to determine how well policies and procedures represent the ways in which things are actually done in the organization. In other words, “test” does not mean an adversarial pass-fail situation. It is, rather, an informational, cooperative process.
Findings and Mitigation
The purpose of the internal audit is not to rubber-stamp a “pass” to satisfy external auditors or customers. The main point is to provide an honest assessment of how well the organization’s management goals and objectives align with its cybersecurity and risk management programs — and how the people who perform daily tasks follow the policies that govern both.
The internal audit team should directly brief senior management on its findings and recommendations. The auditors should not have power to assign mitigation tasks, but their findings may recommend further, more in-depth audits, or bringing in professionals to help reduce risk.
Management should not fear these findings, nor dole out punishment for honest assessments that may not convey happy news. The findings should be taken seriously, and mitigation recommendations that follow from the audit should be added to a Plan of Action and Milestones (POA&M) or similar document.
Finally, management should plan the internal audit with sufficient time to complete mitigations before going to the next phase — the external audit. Producing a “to-do” list without addressing the items on it will only make the external audit more painful, as it will likely confirm the validity of the internal audit.
Remember, as you go through this sometimes-arduous but necessary process: A thorough internal audit can be the single most valuable tool for reducing any organization’s cybersecurity risk.
This article is part 1 of a 2-part series on security audits. Part 2 will focus on external audits.
Steve Berman is Director of Risk and Compliance for DATAMATX, one of the nation’s largest privately held full-service providers of high-volume print and electronic transactional communications. He has been involved in cybersecurity for over 25 years and has a Certified Information Systems Security Professional (CISSP) certification. For more information, visit www.datamatx.com.
This article originally appeared in the March/April, 2024 issue of Mailing Systems Technology.