Research
Publication Date: 2 October 2007
ID Number: G00152216

The Top 10 Risk and Security Audit Findings to Avoid

Paul E. Proctor

Risk and security audits can waste time and valuable enterprise resources, especially if findings are inappropriate. This best-practices document can help chief information security officers (CISOs) and other key enterprise risk decision makers work proactively to avoid wasted effort while addressing audits and audit findings.

Key Findings

- A risk and security audit frequently represents a time-consuming distraction for the enterprise as a whole and for the IT organization in particular, without offering real-world risk-control advantages.
- CISOs and other risk professionals should prepare to negotiate with auditors, to ensure that audits and audit findings address areas of genuine concern and value to the enterprise.
- A collaborative relationship with your auditor is by far the most effective approach to addressing the organization's needs.
- Addressing common auditor areas of concern proactively can reduce the level of effort required to handle audit findings.

Recommendations

- Proactively develop and implement risk- and security-related controls, instead of waiting for auditors to identify problem areas.
- Develop, in advance of negotiations with auditors, reasonable and appropriate controls for reasonably anticipated risks.
- Ensure that all the risk organization's controls and other practices are sound and defensible, so that you can resist unreasonable findings or mandates by auditors.

Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information.
Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.
TABLE OF CONTENTS

Analysis
1.0 Audit Findings: A Clear and Present Danger
1.1 Understand the Auditing Landscape to Become a Better Negotiator
1.2 A Proactive Approach to Governance, Risk and Compliance
1.3 Types of Auditors
1.3.1 Prescriptive (Traditional)
1.3.2 Collaborative
1.4 Types of Findings
2.0 The Top 10 Risk and Security Audit Findings to Watch For
2.1 Audit Finding No. 1: Data Classification
2.2 Audit Finding No. 2: Change Management
2.3 Audit Finding No. 3: Administrator Controls and Shared Accounts
2.4 Audit Finding No. 4: Identity and Access Management
2.5 Audit Finding No. 5: User Activity Tracking and Log Analysis
2.6 Audit Finding No. 6: SOD in ERP Systems
2.7 Audit Finding No. 7: Physical Access
2.8 Audit Finding No. 8: Business Continuity Management and Disaster Recovery
2.9 Audit Finding No. 9: Sourcing Controls and Partner Agreements
2.10 Audit Finding No. 10: Education and Awareness
ANALYSIS

1.0 Audit Findings: A Clear and Present Danger

A risk and security audit is theoretically designed to help CISOs and other security and risk professionals avoid practices and activities that present unacceptable levels of residual risk for the enterprise. In practice, however, audit findings are too often a clear and present danger to effective enterprise governance and the business's bottom line. A risk and security audit can be a time-consuming distraction for the enterprise as a whole and for the IT organization in particular, and yet not offer real-world value in terms of addressing reasonably anticipated risk.

Audit findings are intended to be valuable "checks and balances" that prevent enterprises from engaging in activities that present unacceptable ("inconsiderate") levels of residual risk. Too often, however, they represent a time-consuming distraction without real-world value in addressing reasonably anticipated risk.

One of the key elements in ensuring that audits are effective in reducing risk is to understand the "auditing landscape": recognizing the different types of auditors, the different types of findings and, particularly, the types of finding that can waste the IT organization's time or the enterprise's resources and should therefore be preempted or avoided through a proactive approach.

1.1 Understand the Auditing Landscape to Become a Better Negotiator

Because there are no definitive standards for compliance with regulations and auditing guidelines, auditing is fundamentally a process of negotiation. To pass audits and make the audit process genuinely valuable to the enterprise, CISOs and other key decision makers need to understand the different types of auditors, the different types of audit findings and the most serious audit-related problems.

Auditors have different levels of aggressiveness, backgrounds and approaches to arriving at findings. For this reason, the audited enterprise's relationship with the auditor is critical.
This view is supported by Gartner research that shows enterprises moving away from the traditional adversarial approach with auditors to one that is fundamentally cooperative and collaborative.

Some audit findings are fair; others are not. Some are reasonable; others are not. Some can be argued against successfully, and some are best left uncontested. Types of findings that are not useful typically fail to address a defined control objective, "prove a negative" and are therefore not actionable, or identify a need without prescribing the controls necessary to address it. Understanding the different types of audit findings will enable enterprise security or risk professionals to negotiate where it is appropriate, and to do so successfully.

Findings that prove to be appropriate vary widely, according to the specific requirements and risk profiles of the enterprise. Many enterprise stakeholders, including the legal department, will need to be consulted when making decisions that address these findings.

1.2 A Proactive Approach to Governance, Risk and Compliance

It is always a mistake to wait for audit findings to improve the enterprise's security situation. Enterprises and internal organizations must take a proactive approach to audit findings by creating a process-oriented program that delivers effective governance, risk management and compliance (GRC) activities.

Governance comprises decision-making authority and accountability. This encourages desirable individual and enterprise behaviors, typically enabled by a framework, for example, Control Objectives for Information and Related Technology (CobiT), IT Infrastructure Library (ITIL) and
International Standards Organization (ISO) 27001. The specific framework used is less important than having a process in place that provides prescriptive guidance with control objectives. Many Gartner clients have effectively implemented hybrids, made of multiple published frameworks and "homegrown" requirements.

Risk management is a formal process for identifying and measuring reasonably anticipated risks, so that the enterprise can be protected against risks that are truly relevant. This issue becomes critical in many negotiations and disputes concerning audit findings.

Compliance is the process of building a defensible case that the enterprise or an organization in the enterprise has taken the right steps, at the right time, given the circumstances. Too many enterprises focus on reactively addressing findings, rather than on understanding and addressing appropriate risks with appropriate controls.

1.3 Types of Auditors

Auditors fall into two broad but recognizable categories.

1.3.1 Prescriptive (Traditional)

Auditors have traditionally tended to take a prescriptive approach, telling the enterprise or organization what problems they have identified and how they expect them to be addressed (sometimes even specifying the technologies to be used in addressing them). In the most extreme and least helpful cases, auditors have no real connection to the businesses they audit and no real interest in engaging in dialogue. Prescriptive auditors can, however, have good working relationships with the audited entities and effective segregation of duties, and still address the shared goal of reducing risk to acceptable levels.

1.3.2 Collaborative

Gartner has identified a strong trend toward the use of auditors who are willing to work with enterprises and their personnel, and with whom it is possible to develop an effective working relationship.
This is unquestionably the best approach, because it leads to more-effective communication and better risk control throughout the enterprise.

1.4 Types of Findings

Audit findings also vary widely, in terms of their reasonableness, their effectiveness, and their bottom-line business impact. Findings that are valuable typically identify needs without being excessively prescriptive about the controls necessary to address those needs. They also can typically be implemented in a series of phases aligned with the enterprise's strategic and tactical requirements. Such findings can usually be addressed effectively through negotiation and collaboration with the auditors.

Examples of unreasonable findings include the following:

- Findings that do not address the control objective, for example, a finding that requires firewall monitoring (a security monitoring control primarily concerned with confidentiality) to address Bill 198, which is a requirement by the Canadian province of Ontario to address controls for the integrity of financial reporting.
- Findings that prove a negative, for example, a finding that requires a control to prove that no unauthorized changes have been made to a production system (highly problematic, because it's difficult to prove that something did not happen).
- Findings that prescriptively require an inappropriate control, for example, a finding that requires encryption on a back-end system with few users, taking resources away from controls needed to protect more-important front-end systems with greater business impact and risk.

Findings of this type should be negotiated aggressively.

Gartner's risk and security analysts have identified 10 common risk and security audit findings that most enterprises, and most organizations in those enterprises, should avoid, if possible. We also offer best practices for each: the minimum remediation required for all enterprises, Gartner's recommendations, and sets of advanced measures that may be taken to meet enterprise-specific requirements.

2.0 The Top 10 Risk and Security Audit Findings to Watch For

2.1 Audit Finding No. 1: Data Classification

Typical Finding: The auditor is unable to produce an inventory of assets and associated classifications.

What It Means: The enterprise doesn't know what it has, so the organization doesn't know how to protect it.

How to Avoid the Problem: Classification is almost always a problem for enterprises, because traditional classification mechanisms and controls have failed, wasting critical resources. It is reasonable for an auditor to recognize that an enterprise has no idea where its sensitive data is held or how it is protected, but it is not reasonable to expect an enterprisewide classification and labeling scheme, which experience shows will almost certainly fail to be implemented.

Minimum Remediation Required: Create an ad hoc list of critical systems and publish a reasonable classification policy.

Gartner's Recommendation: Conduct an inventory and classification project. (Manual classification will always be dangerously incomplete, so automation of this process is strongly recommended.)
Advanced Measures: Implement formal asset management, creating automated mechanisms to identify sensitive data, and use mandatory controls and content-aware mechanisms to prevent data leakage.

2.2 Audit Finding No. 2: Change Management

Typical Finding: The auditor cannot find evidence of change management on material systems.

What It Means: No one in the enterprise is tasked with controlling mission-critical changes, so it is impossible to know what problems might result from changes.

How to Avoid the Problem: It is widely recognized that unauthorized changes by privileged users represent a far greater risk than external threats, such as malicious-code attacks. For this reason, auditors are focusing more intensely on change management to reduce risk, particularly in response to the requirements of the U.S. Sarbanes-Oxley Act. However, audit findings of this type are usually not useful or actionable for IT and other risk-related organizations, which have little or no control over the enterprise's change management practices.
Minimum Remediation Required: Maintain separate development, testing and production environments, and implement a change request process.

Gartner's Recommendation: Implement enterprisewide change management processes and best practices.

Advanced Measures: Implement a full configuration management database (CMDB) with configuration auditing and automated change recognition.

2.3 Audit Finding No. 3: Administrator Controls and Shared Accounts

Typical Finding: Too many administrator ("root") accounts are not tied to specific individuals.

What It Means: Accounts are not tied to particular identities, so access controls and monitoring tools are ineffective.

How to Avoid the Problem: Administrator accounts have privileges to access any data and execute any application or transaction, typically with little or no tracking or control. These accounts, which in some enterprises number in the hundreds, are frequently not tied to specific individuals, so the accounts can be used to do virtually anything, with little or no possibility of detection. Moreover, an enterprise may have hundreds of administrators, each of whom has uncontrolled access to all systems. This proliferation of account privileges is, understandably, an issue of considerable concern for auditors.

Minimum Remediation Required: Avoid the sharing of accounts of any type by users, and tie each identity and each privileged account to a specific individual.

Gartner's Recommendation: Reduce the number of privileged accounts by limiting privileges to those that administrators specifically need.

Advanced Measures: Auditors may require tracking all administrator activity, which is manageable if the number of administrators is reduced. However, IT organizations will want to push back on this requirement to address only critical, in-scope systems.

2.4 Audit Finding No. 4: Identity and Access Management

Typical Finding: The auditor cannot determine each user's privileges, or determine that each user has appropriate, and appropriately approved, privileges.

What It Means: The enterprise does not know who has access to what systems or data, or whether that access is appropriate or approved.

How to Avoid the Problem: The need for effective monitoring and enforcement of the identity and access management (IAM) process, which can be defined as controlling who has access to what, is a longstanding concern for enterprises, especially those in highly regulated industries. These include financial service providers governed by regulations from the U.S. Office of the Comptroller of the Currency, the U.S. Securities and Exchange Commission (SEC), the Securities Industries Association, the U.S. Gramm-Leach-Bliley (GLB) Act and the Basel II Accords. The recent focus on IAM audit and compliance has been driven primarily by Sarbanes-Oxley separation-of-duties requirements and the U.S. Health Insurance Portability and Accountability Act (HIPAA). A sound IAM process addresses problems such as excessively long wait times for new-user privileges, authorizations that are not removed when people change roles and accounts that remain open when people leave the enterprise, all legitimate concerns for auditors.

Minimum Remediation Required: Develop and implement processes for creating (provisioning) and removing (deprovisioning) users.
Gartner's Recommendation: Automate the user provisioning/deprovisioning and identity auditing processes.

Advanced Measures: Implement role management, privilege attestation or enterprise segregation of duties (SOD) detection and remediation.

2.5 Audit Finding No. 5: User Activity Tracking and Log Analysis

Typical Finding: No evidence of activity log collection and analysis can be produced.

What It Means: The enterprise is unable to track user activity and produce a record of which employees have accessed which systems or data, or when.

How to Avoid the Problem: The need to track user behavior, not just user access rights and privileges, has become a "hot button" issue for auditors. Activity tracking and analysis has tremendous value as a deterrent to inappropriate behavior and as a form of remediation. However, massive investment in a comprehensive enterprise-monitoring infrastructure is unnecessary. Enterprises and IT and other affected organizations should focus their activity tracking and analysis efforts on implementing controls that address areas of real risk.

Minimum Remediation Required: Manually review logs for mission-critical systems.

Gartner's Recommendation: Implement basic automation for centralization and report generation.

Advanced Measures: Implement a full security information and event management (SIEM) application (likely most appropriate for enterprises with large numbers of critical data sources and complex correlation and analysis requirements). Be wary, however, of SIEM implementations that require the storage of enormous amounts of data that will never be accessed, because this is an expensive and essentially worthless exercise.

2.6 Audit Finding No. 6: SOD in ERP Systems

Typical Finding: The enterprise is unable to control SOD issues in ERP systems that affect the integrity of financial reporting.

What It Means: The integrity of financial reporting could be compromised by the use of conflicting permissions.
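The "conflicting permissions" check that this finding turns on can be stated in a few dozen lines. The following is an added example, not code from the Gartner note or from any ERP vendor: it expands each user's roles (including inherited roles) into permissions and reports the pairs that a constructed SOD rule set says one person must not hold. The role catalogue, rule set and user assignments are all constructed sample data, and the would_conflict function shows the provisioning-time pre-check the recommendation calls "instrumenting" the workflow.

```python
"""SOD conflict detection over ERP role assignments (constructed sample data).

Assumptions (not taken from the Gartner note): a role carries a set of
permissions and may inherit from parent roles, and an SOD rule names a pair
of permissions that the same person must never hold together.
"""
from collections import deque

# Constructed role catalogue: role -> (direct permissions, parent roles)
ROLES = {
    "AP_CLERK": ({"vendor.create", "invoice.enter"}, set()),
    "AP_PAYMENTS": ({"payment.release"}, set()),
    "AP_SUPERVISOR": ({"invoice.approve"}, {"AP_CLERK"}),
    "GL_ACCOUNTANT": ({"journal.post"}, set()),
    "GL_REVIEWER": ({"journal.approve"}, set()),
    "FIN_MANAGER": (set(), {"AP_SUPERVISOR", "GL_REVIEWER"}),
}

# Constructed SOD rule set: (permission A, permission B, financial-reporting risk)
SOD_RULES = [
    ("vendor.create", "payment.release", "create a fictitious vendor and pay it"),
    ("invoice.enter", "invoice.approve", "approve one's own invoices"),
    ("journal.post", "journal.approve", "post and approve the same journal entry"),
]


def effective_permissions(role_names):
    """Expand roles through the inheritance graph into the full permission set."""
    seen, perms = set(), set()
    queue = deque(role_names)
    while queue:
        role = queue.popleft()
        if role in seen:          # inheritance graphs may contain shared parents
            continue
        seen.add(role)
        direct, parents = ROLES[role]
        perms |= direct
        queue.extend(parents)
    return perms


def conflicts_for(perms):
    """Return the SOD rules violated by a permission set, in rule order."""
    return [rule for rule in SOD_RULES if rule[0] in perms and rule[1] in perms]


def find_conflicts(assignments):
    """Detective control: user -> roles in, user -> violated rules out."""
    report = {}
    for user, roles in assignments.items():
        hits = conflicts_for(effective_permissions(roles))
        if hits:
            report[user] = hits
    return report


def would_conflict(current_roles, new_role):
    """Preventive control for the provisioning workflow: rules that granting
    new_role would newly violate (existing violations are reported separately)."""
    before = conflicts_for(effective_permissions(current_roles))
    after = conflicts_for(effective_permissions(set(current_roles) | {new_role}))
    return [rule for rule in after if rule not in before]


# Constructed user-to-role assignments
ASSIGNMENTS = {
    "alice": {"AP_CLERK"},
    "bob": {"AP_CLERK", "AP_PAYMENTS"},         # conflict through direct roles
    "carol": {"AP_SUPERVISOR"},                 # conflict inherited from AP_CLERK
    "dave": {"GL_ACCOUNTANT"},
    "erin": {"FIN_MANAGER", "GL_ACCOUNTANT"},   # conflicts two inheritance hops deep
}

if __name__ == "__main__":
    for user, hits in sorted(find_conflicts(ASSIGNMENTS).items()):
        for perm_a, perm_b, risk in hits:
            print(f"{user}: {perm_a} + {perm_b} -> {risk}")
    print("dave + GL_REVIEWER would add:", would_conflict(ASSIGNMENTS["dave"], "GL_REVIEWER"))
```

The inherited cases (carol, erin) are the ones a manual review of direct role assignments tends to miss, which is why the recommendation favors automating the detection.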
How to Avoid the Problem: SOD conflicts and the controls necessary to prevent them will remain an issue of serious concern for auditors for the near future. SOD violations sometimes indicate deliberate fraud, and always represent an unnecessary vulnerability that can lead to undesirable financial activity.

Minimum Remediation Required: Manually review all ERP users' permissions to identify conflicts.

Gartner's Recommendation: Automate the detection and remediation processes, and "instrument" the provisioning workflow to prevent future conflicts.

Advanced Measures: Monitor ERP transactions continuously for risky use of conflicting permissions.

2.7 Audit Finding No. 7: Physical Access

Typical Finding: Physical access to the enterprise data center is uncontrolled.
What It Means: The enterprise's critical systems, applications and information assets are at risk of damage, misuse or alteration by persons gaining unauthorized access to facilities.

How to Avoid the Problem: Physical access control for systems and assets containing sensitive data is an issue of legitimate concern for auditors and for business managers, and must be addressed appropriately. The measures taken will vary, but, because there are common elements, our recommendation in this area is identical to the minimum required.

Gartner's Recommendation (Minimum Remediation Required): Develop and implement access policies and minimal controls (for example, door locks and sign-in sheets) to enforce those policies and deny developers access to sensitive areas.

Advanced Measures: Implement appropriate security technologies, such as proximity cards, complex multifactor authentication, access control tracking integrated with log-in records, or video surveillance. When considering technologies, recognize that not all enterprises and types of sensitive data require the highest levels of control. These should be residual-risk decisions driven by business issues, not auditors' concerns.

2.8 Audit Finding No. 8: Business Continuity Management and Disaster Recovery

Typical Finding: The auditor cannot locate current, environmentally relevant business continuity plans or evidence of internal controls requiring the periodic updating and review of such plans.

What It Means: The enterprise's critical systems and business processes could be crippled by a natural disaster or other emergency.

How to Avoid the Problem: A series of high-profile events, including the terrorist attacks of Sept. 11 and the devastation of Hurricane Katrina in the U.S., have refocused attention on business continuity and disaster recovery.
Every enterprise should have a minimal plan in place to protect business operations in the event of reasonably anticipated threats (for example, floods, for facilities located on flood plains; earthquakes, in seismic-activity zones; and fires, for virtually all enterprises). The enterprise's requirements in these areas should be determined by business managers, working with the IT organization and other affected internal organizations. However, if they fail to do this, auditors are likely to step in. CISOs and other risk professionals should be prepared to resist unreasonable auditor demands in this area, working with line-of-business managers and other key decision makers to define appropriate risks.

Minimum Remediation Required: Write and distribute a minimal business continuity and disaster recovery plan.

Gartner's Recommendation: Write a formal plan using established best practices, then test that plan annually.

Advanced Measures: Maintain a "hot site," with automated failover and failback capabilities, and conduct annual full failover testing.

2.9 Audit Finding No. 9: Sourcing Controls and Partner Agreements

Typical Finding: The enterprise's agreements with business partners and third-party service providers do not specifically address data protection requirements.

What It Means: Sensitive data may fall into the hands of unauthorized parties due to inadequate partner/service provider security measures.
How to Avoid the Problem: In the normal course of doing business, enterprises increasingly share sensitive data with partners and other external parties, such as service providers. Controls should be in place for the transfer of the data and for its protection while in the control of the external party. These issues increasingly affect bottom-line business results, particularly when enterprises find they cannot trust their partners' data practices, or their partners find they cannot trust theirs. This is especially important in completely outsourced IT environments. These environments require that the enterprise understand the service-level agreements (SLAs) in its contracts with service providers and monitor those SLAs carefully.

Minimum Remediation Required: Review the risk and security requirements of all agreements and contracts with business partners and third-party service providers.

Gartner's Recommendation: Require all external parties to present evidence of security controls, conduct annual reviews of those controls, and add risk and security requirements to all contracts and other agreements with external parties.

Advanced Measures: Require Statement on Auditing Standards (SAS) 70 Type 2 audits, or equivalent external review and attestation, of all controls.

2.10 Audit Finding No. 10: Education and Awareness

Typical Finding: The auditors cannot find formal evidence that employees know and understand their data protection responsibilities.

What It Means: The security of enterprise systems and information assets is placed at risk by well-intentioned but uninformed employees.

How to Avoid the Problem: Risk is frequently brought on by individual behaviors that are easily controlled, and risk can often be mitigated simply by telling people not to engage in certain activities. For this reason, education and awareness programs typically offer the greatest return on investment of any security measure the enterprise can implement.
Minimum Remediation Required: Create and distribute a security practices manual for all employees and other stakeholders (for example, partners and independent contractors).

Gartner's Recommendation: Formalize your training program with specific, targeted instruction and professionally produced instruction materials.

Advanced Measures: Require computer-based training, tracking and reporting on completion, and set specific (metric) compliance goals.

Acronym Key and Glossary Terms

CISO: chief information security officer
CMDB: configuration management database
CobiT: Control Objectives for Information and Related Technology
ERP: enterprise resource planning
GLB: Gramm-Leach-Bliley Act (U.S.)
GRC: governance, risk management and compliance
HIPAA: Health Insurance Portability and Accountability Act (U.S.)
IAM: identity and access management
ISO: International Standards Organization
SAS: Statement on Auditing Standards
SIEM: security information and event management
SLA: service-level agreement
SOD: segregation of duties