SGRC systems: Compliance as an obligation, part 1

17/03/2023


Compliance

Audit management is the most classic application of SGRC systems. It answers the question:

What is going on with information security now?

Conducting compliance audits is both an obligation and a right of organizations.

It is no coincidence that the functions implemented by systems of this class appear in almost every standard or framework that regulates how cybersecurity systems are built.

Compliance as an obligation

On the one hand, organizations are always subject to a number of legal requirements and regulations. These are the driving force behind the birth of an organization’s audit management process. The problem that comes to mind first is the need to produce reporting documents on the results of audits. However, that is only the tip of the iceberg.

The audit process includes four basic steps, which broadly correspond to Deming’s PDCA (Plan – Do – Check – Act) cycle.


Let us analyze each of these steps.

Planning


At this stage, the organization plans the list of necessary actions and defines the objects to be audited, the requirements they have to meet, and the timeframe for the audit.

The first challenge that cybersecurity employees face is the asset inventory. It is good if the organization already has solutions in place to keep track of assets. However, even at this step, something more is needed than purely technical information about the number of hosts and deployed systems. Moreover, in our practice we often see that different solutions give different answers even to the question of how many hosts there are in the infrastructure. When conducting audits, it is important to understand the intangibles associated with the systems: the processes they support and the information they process. Next comes the need to understand how critical these assets are, who owns them, and so on.

Such information will first and foremost allow conclusions to be drawn about what regulations apply to the assets – systems that process personal data, for example, must comply with GDPR.

However, the planning phase does not end there. As the number of assets grows, it becomes increasingly difficult to keep track of their audits. When sitting down to form a plan, an employee must clearly understand:

– When was the last time the asset was audited?

– Is this or that asset included in the near-term plan?

– Do other asset properties (location, type, etc.) meet the criteria for inclusion in the plan?

All of this data must be at the user’s fingertips at the moment of deciding whether to include an asset in the plan. The more systems that have to be consulted for information, the less efficiently the responsible employee’s time is spent. Switching between sources consumes not only time but also attention, which in turn increases the risk of human error.

And finally, the audit plan itself. In its classic form, it is a table with the following information:

– Type of verification (regulatory document)

– Audit scope (asset)

– Scheduled dates

– Actual dates

– Status

– Responsible staff.

At a low level of process maturity, the plan is periodically printed out and checked against its previous version. At a higher level, it is maintained electronically but still requires manual updates and constant human monitoring. For full automation, the plan must be integrated with the asset base, user system, and role model.

Thus, a process that arose spontaneously in response to regulation begins to bog down fairly quickly. The first problems show up when audits stop being sporadic and the number of audited assets goes into the dozens. Employees begin to waste time on monotonous manual tasks.

How can an SGRC system be useful at this stage? It can solve the following tasks:

– Provide complete information about the resource-service model of assets, overlaid with data on the checks being performed. Here, one of the criteria for selecting a system should be an understanding of how information about assets will be “glued together” from different sources, whether the system has its own inventory engine, whether it supports multitenancy, etc.

– Help form the criteria by which regulatory documents are linked to assets, and automate the application of those criteria to map all the entities of interest to each other.

– Become a single place to store information about regulations that apply to an asset.

– Generate an audit plan, and monitor its implementation.
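The planning tasks listed above (mapping regulations to assets by criteria and deriving a plan from each asset’s audit history) can be expressed as a small amount of code. The block below is an added example written for this article, not code from any SGRC product: the GDPR criterion follows the article’s example, while the “PCI DSS” and “Internal policy” rules, the audit periods, the asset register and the audit history dates are all constructed assumptions.

```python
"""Added example for the planning stage: apply applicability criteria to map
regulations to assets, then derive the audit plan from each asset's audit
history and the required audit period. Illustrative code written for this
article, not a real SGRC product; assets, rules and dates are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    location: str
    criticality: str            # "high", "medium" or "low"
    processes_personal_data: bool
    processes_card_data: bool


@dataclass(frozen=True)
class Regulation:
    name: str
    period_days: int                      # maximum interval between audits
    applies: Callable[[Asset], bool]      # applicability criterion


# Applicability criteria. The GDPR rule follows the article's example; the
# other two rules and all audit periods are assumptions for illustration.
REGULATIONS = [
    Regulation("GDPR", 365, lambda a: a.processes_personal_data),
    Regulation("PCI DSS", 365, lambda a: a.processes_card_data),
    Regulation("Internal policy", 180, lambda a: a.criticality == "high"),
]

# Constructed asset register (in practice it comes from the inventory system).
ASSETS = [
    Asset("crm", "alice", "DC1", "high", True, False),
    Asset("shop", "bob", "cloud", "medium", True, True),
    Asset("wiki", "carol", "DC1", "low", False, False),
]

# Constructed audit history: (asset, regulation) -> date of the last audit.
LAST_AUDITS = {
    ("crm", "GDPR"): date(2022, 1, 10),
    ("crm", "Internal policy"): date(2023, 1, 1),
    ("shop", "GDPR"): date(2022, 5, 1),
}

TODAY = date(2023, 3, 17)   # constructed planning date


def map_regulations(assets, regulations=REGULATIONS):
    """Return {asset name: [names of regulations whose criterion matches]}."""
    return {a.name: [r.name for r in regulations if r.applies(a)] for a in assets}


def build_plan(assets, last_audits, today, horizon_days, regulations=REGULATIONS):
    """Return plan rows for every applicable (asset, regulation) pair that is
    overdue or falls due within horizon_days. A pair with no recorded audit is
    treated as due today."""
    horizon = today + timedelta(days=horizon_days)
    rows = []
    for a in assets:
        for r in regulations:
            if not r.applies(a):
                continue
            last = last_audits.get((a.name, r.name))
            due = last + timedelta(days=r.period_days) if last else today
            if due <= horizon:
                rows.append({"regulation": r.name, "asset": a.name,
                             "due": due, "overdue": due < today,
                             "status": "planned", "responsible": a.owner})
    rows.sort(key=lambda row: (row["due"], row["asset"]))
    return rows


if __name__ == "__main__":
    for row in build_plan(ASSETS, LAST_AUDITS, TODAY, 90):
        flag = " (OVERDUE)" if row["overdue"] else ""
        print(f'{row["due"]}  {row["regulation"]:16} {row["asset"]:6} {row["responsible"]}{flag}')
```

Running the block with a 90-day horizon yields three rows: the overdue GDPR audit of `crm`, the never-audited PCI DSS scope of `shop` (due immediately), and the GDPR audit of `shop` falling due within the horizon; the `wiki` asset gets no rows because no criterion matches it. The plan rows carry the same columns as the classic table above (type of verification, scope, dates, status, responsible staff), so the output can feed whatever tracking system is in use.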

Conducting an audit


The audit procedure usually consists of filling out a questionnaire. The list of questions most often corresponds to the requirements of a regulatory document (a law, a regulator’s rules, etc.). For each requirement, the auditor assigns a grade on a scale (e.g. “complied with – partially complied with – not complied with”), fills in additional information, and compiles a list of evidence confirming compliance or non-compliance with the requirement.

At this stage, the most obvious difficulty is the human factor:

– The list of questions should be presented in a clear and easy-to-understand form.

– The auditor should give an assessment strictly within the established scale.

– The auditor should understand what and how he/she should fill in for each of the questions. And also, what data is not subject to editing on his/her part.

For a while, these factors will be the main obstacles to a convenient process, and they can be handled with spreadsheets.

The real pitfalls emerge as historical information accumulates and the planning process becomes regular. The more assets are audited on a recurring basis, the more information has to be stored in a format that allows quick access and the building of various trend lines. Major regulations may contain dozens to hundreds of requirements. For each one, the auditor may need to see the history of assessments as well as the evidence attached in different years. Add errors made earlier through inattention and the departure of the employees who maintained the spreadsheets, and this snowball risks turning into a real avalanche.

The use of SGRC systems at this stage makes it possible to standardize the format of input data, track the attached evidence, and manage historical audit information. Moreover, SGRC helps instill discipline in entering and storing information, which later saves a great deal of time for the employees whose expertise will matter at the next stages.
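To make the preceding two sections concrete (assessments kept strictly within the established scale, evidence attached to each answer, and per-requirement history that supports trend lines), here is an added example written for this article; it is not code from any SGRC product. The `REQ-1`…`REQ-3` identifiers, the auditors, the evidence references, the rule that every grade must carry at least one evidence item, and the 2/1/0 point mapping used for the trend are all constructed assumptions.

```python
"""Added example for the audit stage: questionnaire answers kept in a fixed
scale with attached evidence, plus per-requirement history, year-over-year
trend and an overall score. Illustrative code written for this article, not a
real SGRC product; requirement identifiers and records are constructed."""
from dataclasses import dataclass

# Assessment scale from the article, mapped to points (an assumed mapping)
# so that trend lines can be computed.
SCALE = {"complied": 2, "partially complied": 1, "not complied": 0}


@dataclass(frozen=True)
class Assessment:
    asset: str
    requirement: str      # requirement identifier in the regulatory document
    year: int
    grade: str
    evidence: tuple       # references to attached evidence, e.g. file names
    auditor: str

    def __post_init__(self):
        # Reject anything outside the established scale at input time.
        if self.grade not in SCALE:
            raise ValueError(f"grade {self.grade!r} is outside the scale {sorted(SCALE)}")
        # Assumed rule: every grade must be backed by at least one evidence item.
        if not self.evidence:
            raise ValueError(f"{self.asset}/{self.requirement} {self.year}: no evidence attached")


# Constructed history for one asset across three audit years.
RECORDS = [
    Assessment("crm", "REQ-1", 2021, "partially complied", ("policy-v1.pdf",), "alice"),
    Assessment("crm", "REQ-1", 2022, "complied", ("policy-v2.pdf", "ticket-101"), "alice"),
    Assessment("crm", "REQ-1", 2023, "complied", ("policy-v2.pdf",), "dave"),
    Assessment("crm", "REQ-2", 2022, "complied", ("screenshot-2022.png",), "alice"),
    Assessment("crm", "REQ-2", 2023, "not complied", ("finding-7.txt",), "dave"),
    Assessment("crm", "REQ-3", 2023, "partially complied", ("config-dump.txt",), "dave"),
]


def history(records, asset, requirement):
    """Chronological (year, grade, evidence) tuples for one asset/requirement."""
    return sorted((r.year, r.grade, r.evidence) for r in records
                  if r.asset == asset and r.requirement == requirement)


def trend(records, asset):
    """Change between the two most recent assessments of each requirement:
    'improved', 'regressed', 'unchanged', or 'new' when only one year exists."""
    result = {}
    for req in sorted({r.requirement for r in records if r.asset == asset}):
        h = history(records, asset, req)
        if len(h) < 2:
            result[req] = "new"
            continue
        prev, last = SCALE[h[-2][1]], SCALE[h[-1][1]]
        result[req] = "improved" if last > prev else "regressed" if last < prev else "unchanged"
    return result


def year_score(records, asset, year):
    """Fraction of the maximum achievable score reached in one year (0.0 to 1.0)."""
    grades = [SCALE[r.grade] for r in records if r.asset == asset and r.year == year]
    return sum(grades) / (max(SCALE.values()) * len(grades)) if grades else 0.0


if __name__ == "__main__":
    for req, change in trend(RECORDS, "crm").items():
        print(f"{req}: {change}; history = {history(RECORDS, 'crm', req)}")
    for year in (2021, 2022, 2023):
        print(f"{year}: score {year_score(RECORDS, 'crm', year):.0%}")
```

The validation lives in the record constructor, so a grade such as “mostly complied” or an answer without evidence is rejected the moment it is entered rather than discovered years later in a spreadsheet. `trend` flags `REQ-2` as regressed between 2022 and 2023, which is exactly the kind of signal that is lost when each year’s answers sit in a separate file.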