Plate spinning is a balancing act!
While it’s hard to get a single plate started, the real difficulty is keeping them all going at once. You have to regularly check in on the plates you started earlier – or else disaster!
A good cybersecurity program will have a mix of controls. Some are automated, set in stone, or just “set and forget.” They continue to work well over time without a lot of oversight.
Other controls are the opposite: they’re complicated, have many moving parts, may involve multiple teams, or may not be used very often. These controls tend to degrade over time because humans are bad at infrequent, unscheduled activities and tend to take their eye off the ball when nobody checks in.
In other words, the plates stop spinning, fall, and… crash!
This latter group of controls needs oversight to maintain its effectiveness, meaning you need a control to manage your controls! Just like the plate spinner, you can’t focus on creating new controls without keeping all the old ones spinning!
The most effective way to keep your controls spinning is through regular Internal Audits.
Internal Audits: Not just for Compliance
Many organizations first approach internal audits from the standpoint of compliance, since both ISO 27001 and SOC 2 require you to perform them. However, the reason these standards require the practice is because, when performed correctly, internal audits demonstrably improve your cybersecurity! So they are very useful outside of the scope of compliance, too.
You can and should be performing internal audits for their own sake, since they will give you confidence that your security program is operating as you think it should be. You can maximize the value they provide your company by focusing on the really important cybersecurity controls.
These controls you select for your internal audit should be the fragile ones that are more likely to degrade, such as access management with employee offboarding. Or they should be very important controls that have a lower chance of degrading but still have to ALWAYS be perfect, such as ensuring that MFA is always on for all cloud administrator accounts.
Some Plates Need More Attention
Employee offboarding, as an example, is a very complicated process. Multiple teams working together, lots of access points to clean up, and it has to be done quickly and completely. Has that been done consistently over the last few months in your organization?
“Maybe” isn’t good enough, you have to check!
An audit that you’re doing for your own benefit doesn’t need to be overly formal, but it should be repeatable. The difference between an “audit” and “just checking in” is the level of detail and purpose that goes into it. Make sure you have an audit plan that at least identifies the following:
Control: WHAT does the control say to do?
Owner: WHO is responsible for this control?
Criteria: HOW will you evaluate if the control is operating effectively?
Evidence: WHAT evidence can you ask for to validate your criteria?
Findings: WHAT did your sampled evidence tell you?
Evaluation: WHAT is your conclusion about the control, based on the evidence?
Example:
Control: Terminated employees must have all critical access removed within 24 hours of termination.
Owner: Dave, HR Manager
Criteria: View list of terminated employees from last 3 months, and confirm access was appropriately revoked.
Evidence: Employee offboarding spreadsheets and Jira tickets.
Findings: 3 spreadsheets were completed the same day as employee termination, but one (Joe Smith) was terminated late on a Friday and it wasn’t noticed by IT until Tuesday because Monday was a holiday.
Evaluation: Control not operating effectively.
Note that some controls may have extremely large data sets that are functionally impossible to review in their entirety. If you wanted to audit a dev team’s code reviews for a large company, there could be hundreds of pull requests per month. In this case, it makes more sense to use a small sample of the data set to represent the whole. Keep in mind that there is a chance you might miss a control failure or two if you don’t have a large enough sample size, so use your best judgment to determine how much or how little to assess.
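The offboarding control test above, written out as a script: it applies the 24-hour criterion to each sampled termination record (including a record with no revocation evidence at all, which also fails) and fills in the six audit-plan fields. This is an added example, not code from the original article; the names, timestamps and the dictionary layout of the evidence are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SLA = timedelta(hours=24)  # the control's "within 24 hours" criterion

# Constructed evidence: termination time and the time IT revoked critical
# access (None = no revocation evidence found). Names and times are made up.
EVIDENCE = {
    "A. Lee":    ("2024-03-04T17:00", "2024-03-04T17:45"),
    "B. Chen":   ("2024-03-06T09:30", "2024-03-06T15:05"),
    "C. Patel":  ("2024-03-07T11:00", "2024-03-07T11:20"),
    # terminated late Friday; not noticed by IT until Tuesday (Monday holiday)
    "Joe Smith": ("2024-03-08T18:30", "2024-03-12T09:10"),
}

@dataclass
class Finding:
    employee: str
    hours_to_revoke: Optional[float]  # None when no revocation evidence exists
    within_sla: bool

def check_offboarding(evidence, sla=SLA):
    """Apply the audit criteria to each sampled termination record."""
    findings = []
    for name, (terminated, revoked) in evidence.items():
        if revoked is None:  # missing evidence counts as a failure, not a pass
            findings.append(Finding(name, None, False))
            continue
        delta = datetime.fromisoformat(revoked) - datetime.fromisoformat(terminated)
        findings.append(Finding(name, delta.total_seconds() / 3600, delta <= sla))
    return findings

def evaluate(findings):
    """The control passes only if every sampled record met the criterion."""
    return "operating effectively" if all(f.within_sla for f in findings) else "not operating effectively"

def audit_record(evidence):
    """Assemble the six audit-plan fields the article lists, ready for the report."""
    findings = check_offboarding(evidence)
    failed = [f.employee for f in findings if not f.within_sla]
    return {
        "Control": "Terminated employees must have all critical access removed within 24 hours of termination.",
        "Owner": "Dave, HR Manager",
        "Criteria": f"Revocation within {SLA} of termination for each sampled employee",
        "Evidence": "Employee offboarding spreadsheets and Jira tickets",
        "Findings": f"{len(findings) - len(failed)} of {len(findings)} within SLA; exceptions: {failed}",
        "Evaluation": evaluate(findings),
    }

if __name__ == "__main__":
    for field, value in audit_record(EVIDENCE).items():
        print(f"{field}: {value}")
```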
Internal Audit Best Practices: How to Plan for your First Audit
This section will cover internal audit best practices, including a step-by-step process of conducting internal audits.
Before the audit:
There are three steps to take before you begin your internal audit. They are worth exploring in more depth.
1. Select your controls.
Internal audits do take a considerable amount of internal time, so you want to focus your attention on the most important controls, ensuring you get the most value. Team members should be able to tell you which controls are high-priority if you give them enough notice.
Be sure to avoid auditing easy controls you are actually confident in! It’s far more valuable to select controls that may be a challenge, or that require rigorous process upkeep to stay in compliance. It’s very easy to let controls such as employee offboarding, security training, and change management fall out of compliance. These are great controls to select. The other set of controls worth checking are controls that must ALWAYS be correct. Even if they are easier, a failure is a big deal that can put you in serious trouble!
Schedule the audit and send out the list of controls you’ll be testing at least a week in advance. Audit sessions typically last 60-90 minutes and require preparation time, so you have to give your team a chance to prepare!
If your team has not seen the controls and didn’t have time to prepare, the audit could go way over the 60-90 minute time slot, and be much less effective.
2. Establish trust with your security team.
Ensure that employees know they are not going to get in trouble if there are findings. Nobody is perfect. It is normal for cybersecurity controls to slip occasionally. An internal audit is a controlled environment where failures can be safely learned from with no ramifications. Failure means opportunity for improvement. Ultimately, it’s good to fail here!
If employees feel like they could get in trouble, they may attempt to cover up mistakes. This is detrimental to the goal, and a far more serious offense than, for example, forgetting to check an access management log a couple of times in the last six months.
You want to catch as many mistakes as possible to improve.
3. Define what your goals are for each control.
You need to have a reasonable bar to measure your controls against. Different goals may be appropriate for different times. Early on, you could measure against where you want your organization to be in a year’s time.
If you wanted to audit a new onboarding security training process, you could set the goal to have 90% of all employees receive training within 30 days. Eventually as the process becomes more mature, you could raise it to 100%.
For an internal audit that’s in preparation for a quickly-approaching external audit, match your goals to what you expect from the external auditor.
OK, you are now truly ready for your first audit. On to the good part.
During the audit
During the audit, you (or your designated internal auditor) will ask your team to prove they are following the controls. You should read out the language of each control clearly, so everyone understands what is being said. Then, you should ask for evidence.
The type of evidence provided will depend on the control being audited. Evidence can include verbal explanations, walking through a process on a screen share, screenshots the team has on hand and more.
It’s important to document the evidence your team provides in this process. Make sure you record everything. If things are moving a little too quickly, ask the team to slow down or repeat themselves. It’s important to capture all of this information, so that conclusions can be drawn later.
One last thing to note – the first audit is always a little bit awkward. If it’s a new experience for all involved, that’s okay. Subsequent internal audits go much smoother than the first.
After the Audit
The audit might be the main event, but some of the most important work happens after it’s over.
The best improvements will come with the help of an internal audit report. This document summarizes the findings of the audit. It is the most important deliverable to come out of the internal audit process – it’s what’s used to guide future improvements.
In the report, you will compare the evidence collected against each of the associated controls and the defined goal for each control.
Then, each control should be assessed as “operating effectively” or “not operating effectively.” Additionally, note any “areas of improvement” your team could implement to mitigate control deficiencies.
Remember to have reasonable goals for controls to be measured against. A control can be considered operating effectively even if it isn’t operating perfectly.
The internal audit report feeds into your cybersecurity roadmap. Make plans to address its deficiencies, and you’ll have a better program for your next audit.
Turning Audit Results into Recommendations & Improvements
Now that you’ve run an internal audit and created a report, you can use the results to provide recommendations back to control owners.
For example, you could ask Dave in HR to make sure to add a step to verify acknowledgement from all teams that they’re aware of their offboarding subtasks before leaving on a Friday. Then, track and follow up to make sure it gets implemented.
The control list should vary somewhat in subsequent internal audits. Some critical controls will be staples, worth checking every time. Other, less critical controls should be rotated in and out.
For example, you may decide to check employee offboarding every quarter, but you may only need to check on your vendor approval process twice a year.
Consistency is Key to Maximizing Internal Audit Value
We’ve talked a lot about how to do internal audits up to this point, but one thing we can’t forget is that they are no good if not done consistently!
Come up with a reasonable frequency for your internal audits and stick to it! What this looks like in practice varies heavily from organization to organization, but the point is to ensure you have some consistency and assurance that the most critical controls do not have time to degrade between audits.
Like plate spinning, each control must have momentum added to it occasionally, or else it will fall off!
It’s much better to discover that someone forgot to deactivate Disgruntled Danny’s access to Salesforce a month or two after termination in an internal audit, rather than eight months after he was terminated when his account was involved in a security incident!
CRASH!
Avoid the sound of one of your cybersecurity controls slowing, falling, and crashing.