November EventSource Newsletter
By Diana Kelley, Partner, SecurityCurve
Working Well with Auditors
For some IT professionals, the mere mention of an audit conjures painful images of being trussed and stuffed like a Thanksgiving turkey. If you’ve ever been through an audit that you weren’t prepared for, you may harbor your own unpleasant images of an audit process gone wrong. As recently as 10-15 years ago, many auditors were just learning their way around the “new world” of IT, while just as many computer and network professionals were beginning to learn their way around the audit world.
At that time, auditors were seen as the people that swooped in and made an IT staffer’s life miserable – by telling them where their controls were failing, by pointing out control deficiencies (both real and imaginary) to management, and by recommending difficult to implement fixes that may have satisfied a regulatory requirement but didn’t take into account the underlying business processes.
Caught in a communications stalemate, many IT and audit departments operated at odds for years. And, unfortunately, that’s where some of us still are. But the world keeps turning. It’s time to move on – to leverage the complementary roles that IT and audit fulfill to achieve maximum effectiveness in our risk management programs. By working cooperatively with the internal or external audit teams, IT and security can gain support and cost-justification for risk mitigation projects.
Turning Log Review into Log Management
Think it’s not possible for IT, security and audit to work well together? Not so – consider log management. Many regulations explicitly or implicitly require log review. PCI is explicit, requiring that every log, for every system in the cardholder data environment (CDE), be reviewed every day [1]. In healthcare, HIPAA calls for regular review of records such as audit logs [2], and FISMA, the Federal Information Security Management Act, calls for log review by federal agencies [3]. What’s interesting about these mandates is that while all of them call for review of the log files, none of them specify how to accomplish a comprehensive log review program. Depending on the size of the organization and the number of systems on the network, the log files could account for gigabytes or even terabytes of data per week. Parsing through all of that information manually would be extremely labor intensive and inefficient. Automated log management, aggregating the log data in a central location and using a parsing engine to sift through it all, is a more effective and more achievable approach.
Log management for security’s sake alone may be difficult to “sell” to executives as an investment that will benefit the organization. It’s not uncommon to hear budgetary war stories from IT and security administrators who unhappily watch log management funding get cut quarter after quarter in favor of other projects that are deemed more impactful to the company’s bottom line. And here is where the auditor/IT relationship can come into focus. Auditors are looking for controls and systems that enable them to sign off on log review requirements, IT and security are looking for ways to meet those requirements in an effective way. By linking a log management implementation project to a compliance requirement, the cost-justification for the program is elevated and is far more likely to stay in the budget after the next round of cuts.
Tips for Working Well with Auditors
Hopefully you’re now convinced that auditors and IT work better in a cooperative rather than competitive environment. But if you’ve never worked with auditors before, you might be wondering how you can bridge the communication gap. To help you with that, here’s a short list of tips that I’ve seen work in a number of organizations:
- Speak their Language – Know the regulations and mandates the auditor is checking for and be sure you are using normalized terms to describe your controls. For example, NIST SP800-53 refers to “audit records” and “user activity logs.” If your department has a different name for this information, be sure to have a notation in your reporting that explains why your “syslogs” are functionally equivalent to NIST’s “activity logs.”
- Know the Frameworks – Many auditors use well-known compliance frameworks to round out their regulatory specific assessment process. If you have controls in place that map to these frameworks, call this out for the auditor. Using log management as an example there are maps to ISO/IEC 27001:2005, A.10.10.1: “Audit logs recording user activities, exceptions, and information security events shall be produced” and COBIT 4.1 DS13.3: “Ensure that sufficient chronological information is being stored in operations logs to enable … reconstruction, review and examination…”
- Write it Down – While techies are great at white boarding, they don’t always excel at written documentation. To an auditor a perfectly implemented process and set of controls is still materially deficient without current documentation to go with it. Make sure not only that you have the required documents ready for the auditor, but also that they are up to date and accurate.
- Make it Clear – Network maps that show zoning and segmentation as well as locations of relevant systems will help the auditors assess compliance and, where appropriate, help to reduce the scope of the audit zone. Name audit-sensitive systems according to a standardized model, such as by location or purpose. While it might be fun to name your mail servers and firewalls Kenny, Cartman, Kyle, and Stan, it’s not going to help an auditor identify these systems during an assessment.
- Anticipate their Reporting Needs – Generate reports that are mapped back to the regulations or mandates in question. In the case of log management systems, build rules that identify auditor hot-buttons, such as user access to a database that stores credit card information, or proof that encryption controls are in place on a database storing PII.
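The two log-management ideas above (aggregate logs from many systems into one place and parse them automatically; build rules that map hits back to the control an auditor will ask about) are easier to see in working code than in prose. The following Python script is an added example written for this page, not part of the newsletter or of any product it mentions. The hostnames, the syslog lines, the asset-scope table and the rule-to-control mappings are all constructed for illustration; the control identifiers are the ones quoted elsewhere on this page, and the threshold for the failed-login rule is set deliberately low so the sample trips it.

```python
"""Minimal log-management pass: parse syslog-style lines collected from
several hosts, apply rules that tag each hit with the control reference it
supports, and roll the hits up per control (the view an auditor asks for).
Everything below (hosts, lines, scope table, mappings) is constructed for
this example and is not from the original page."""
import re
from collections import Counter, defaultdict

# Constructed sample, as a central collector might receive it.
SAMPLE_LOGS = """\
Nov 12 03:14:07 pos-db-01 sshd[4412]: Accepted publickey for dbadmin from 10.20.1.5 port 51022 ssh2
Nov 12 03:14:09 pos-db-01 mysqld[1203]: Access granted for user 'dbadmin'@'10.20.1.5' to database 'cardholder'
Nov 12 03:20:41 hr-db-02 postgres[2201]: connection authorized: user=etl database=payroll
Nov 12 03:22:13 pos-db-01 sshd[4470]: Failed password for root from 203.0.113.9 port 40022 ssh2
Nov 12 03:22:15 pos-db-01 sshd[4470]: Failed password for root from 203.0.113.9 port 40022 ssh2
Nov 12 03:40:00 mail-01 postfix/smtpd[881]: connect from unknown[198.51.100.7]
"""

# Classic BSD syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[: ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Assumed asset inventory: which hosts are in the PCI CDE and which hold PII.
# In practice this comes from the network map / CMDB the auditor also sees.
ASSET_SCOPE = {"pos-db-01": "cde", "hr-db-02": "pii"}


def parse_line(line):
    """Return a dict for one syslog line, or None if it does not parse."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["scope"] = ASSET_SCOPE.get(ev["host"], "out-of-scope")
    return ev


def parse_logs(text):
    return [ev for ev in (parse_line(l) for l in text.splitlines()) if ev]


# Per-event rules: (name, predicate, control references the hit supports).
# Mappings are illustrative; agree the real ones with your auditor.
def cde_db_access(ev):
    return ev["scope"] == "cde" and ev["prog"] == "mysqld" and "Access granted" in ev["msg"]


def cde_admin_login(ev):
    return ev["scope"] == "cde" and ev["prog"] == "sshd" and ev["msg"].startswith("Accepted")


EVENT_RULES = [
    ("cde_db_access", cde_db_access, ["PCI DSS 10.2", "ISO/IEC 27001 A.10.10.1"]),
    ("cde_admin_login", cde_admin_login, ["PCI DSS 10.2", "COBIT 4.1 DS13.3"]),
]

# A threshold rule needs state across events, so it is applied separately.
FAILED_LOGIN_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
FAILED_LOGIN_THRESHOLD = 2  # deliberately low so the sample trips it


def apply_rules(events):
    findings = []
    for ev in events:
        for name, pred, controls in EVENT_RULES:
            if pred(ev):
                findings.append({"rule": name, "controls": controls,
                                 "host": ev["host"], "msg": ev["msg"]})
    fails = Counter()
    for ev in events:
        m = FAILED_LOGIN_RE.search(ev["msg"])
        if ev["prog"] == "sshd" and m:
            fails[(ev["host"], m["src"])] += 1
    for (host, src), n in fails.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            findings.append({"rule": "repeated_failed_login",
                             "controls": ["PCI DSS 10.6", "NIST SP800-53 AC-13"],
                             "host": host, "msg": f"{n} failed logins from {src}"})
    return findings


def control_report(findings):
    """Number of findings per control reference: the auditor-facing summary."""
    rep = defaultdict(int)
    for f in findings:
        for c in f["controls"]:
            rep[c] += 1
    return dict(rep)


if __name__ == "__main__":
    found = apply_rules(parse_logs(SAMPLE_LOGS))
    for f in found:
        print(f"{f['host']:10} {f['rule']:22} {', '.join(f['controls'])}")
    for ctrl, n in sorted(control_report(found).items()):
        print(f"{ctrl}: {n}")
```

The point of the scope table and the control lists is that the same event (an SSH login, a database grant) is an auditor hot-button only on hosts inside the audit zone, and that each finding already carries the control reference the auditor will look for, so the report needs no manual cross-walk. A real deployment would replace the inline sample with a collector feed and the threshold rule with proper time windows.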
There’s an old aphorism that says you can catch more flies with honey than with vinegar. The same might be said of successful compliance work. While it may be tempting to recoil when you see the person with the compliance checklist, it’s more effective to work with, rather than against, the audit team. What you might find is not only that your next audit season is a little less contentious, but also that you have found an ally in the cost-justification process.
[1] PCI DSS Requirements 10.2, “Implement automated audit trails for all system components,” and 10.6, “Review logs for all system components at least daily,” PCI DSS v1.2.1, July 2009
[2] HIPAA 164.308(a)(1)(ii)(D): “. . . regularly review records of information system activity, such as audit logs,” Code of Federal Regulations (CFR) Part 164
[3] NIST SP800-53, AC-13: “The organization reviews audit records (e.g., user activity logs) for inappropriate activities,” and NIST SP800-92
Big-Box breach – The inside story of Walmart’s attack
Internal documents reveal for the first time that the nation’s largest retailer was among the earliest targets of a wave of cyber attacks that went after the bank-card processing systems of brick-and-mortar stores around the United States beginning in 2005.
Did you know? EventTracker combines both Log Management and Change Monitoring capabilities to provide holistic protection from risks posed by hackers
Manage your Network right
Focus on specialized tools targeting specific areas of network management – As current IT trends push us to the lofty goal of cloud computing, and Software as a Service is promoted by all the biggest software vendors, now is the time to be sure that your network-management capabilities are as good as money can buy.
Note: EventTracker beats products from IBM, CA and BMC in the above article. Don’t miss the review on page 3.