This article was authored by Art Provost, Vice President of Security Services and Senior Information Security Officer, at Filament Essential Services, an Apptega trusted partner. To learn more about how to navigate audits affordably and with minimal business disruption, register for our March 22 webinar with Provost and the Apptega team.
It’s a word that, if not scares, at the very least, makes IT management, your security team, and executives uncomfortable. When you’re doing everything you can to keep things running, the last thing you want is to have someone come in and tell you you’re doing it wrong. Almost as bad is hearing that you may be doing it right... but you can’t prove it.
I manage the security program for a federally-regulated not for profit. It is subject to third-party review and an audit by Federal regulators annually. We use Apptega’s Assessment+ tool to manage how we maintain and present our security program to outside organizations. It’s been a game-changer for us. Sit back, relax, and I’ll take you through our process.
After meeting with the auditor and defining the scope of the review, the auditor presents an evidence request list (ERL). The list contains all of the documentation that would show that you’re doing the things you’re supposed to be doing over the course of the past year. You immediately have a panic attack to go along with the to-do list that’s longer than your arm. You start requesting copies of evidence from all of the people that should produce it, as well as tackling the list you are responsible for.
A week before the audit starts, you’re still gathering documentation, following up with people, and trying to get everything ready for the auditor meeting. You have a directory that’s hopefully got some form of organization, but still contains more information than you need in some places and far less in others.
The auditor arrives and spends a few days interviewing staff and asking you questions and reviewing the evidence you have provided. At the end of each day, you feel like you’ve been through the wringer. You have to know and be able to articulate how you meet each control, each process, and each procedure. It’s the longest oral exam you’ve ever taken.
The auditor leaves and, hopefully, you did your job well, coming away with an issue-free report. Otherwise, you have a list of things that you have to implement, change, or otherwise do to disrupt your staff.
We’ve gone through several iterations of finding methods to track and maintain our evidence, our security program, and its related tasks, and above all, to protect the sensitive information that we’re charged with protecting.
- We started with the top-level directory and mapping the evidence to the ERL. It worked but was difficult to maintain.
- We moved to separate the evidence by control families – our security framework specifies 18 of them. Now I have 18 directories each with a bunch of items to maintain. It takes more searching to find what I need, but interviews do tend to be grouped by control family. Things were better and worse at the same time.
- More organization is better, right? Each control family has between 4 and 25 controls where we have to demonstrate compliance. The next step in our evolution was to create more sub-directories for each control. This method allowed us to ensure that every control was addressed, but in the cases where we could use the same piece of evidence for multiple controls, we had multiple copies of the same file. Evidence has an expiration date, and this method made keeping all of the evidence fresh more difficult. Version control was also a nightmare. There were several cases where we would have several versions of the same evidence in separate control directories. Refreshing evidence was also a manual and resource-intensive process. We also ran into some issues with our directory names getting too long for Microsoft’s liking.
If you’ve made it this far, you must really want to know how we solved this. The answer is… well, we’re still evolving. We partnered with Apptega and are using their platform to manage our security program. Over the past year, we’ve migrated our evidence and artifacts into their platform and have been working to organize things.
There have been a few missteps along the way:
- We initially uploaded multiple copies of artifacts and tied each to the controls to which they applied. This led to the same issue we had with multiple copies in the previous iteration. Apptega has a great solution for linking documents to multiple controls – we just needed to apply it properly.
- Scheduling and calendaring tasks over multiple days made for a very crowded calendar.
- Teaching our auditors to use Apptega for their review and helping them to understand how we are using the product has been a challenge, but one that the platform's intuitive design has eased.
- Naming conventions should be worked out and agreed upon prior to using the tool to maintain evidence.
The Apptega framework gives us much better ways to represent our security program to both the casual observer and the auditor alike. High-level graphs are combined with drill-downs to narratives with one more click required to get to evidence of compliance.
All in all, we’re very happy with the tool. Our annual third-party audit interviews were brief, direct, and to the point. There weren’t any surprises. The audit was completed with a handful of recommendations to bolster our evidence of compliance, but no findings or areas where we were deficient. The normally stressful audit was almost a non-event.
To learn more about how we breezed (relatively, of course) through the process, please join our March 22 webinar, A Step-by-Step Guide to Navigating High-Stakes Audits, presented by Apptega and Filament Essential Services. You can register here.
CISSP, CISM, GIAC: GSEC, GPEN, GWAPT
Vice President, Security Services and Senior Information Security Officer, Filament Essential Services
“I’m officially the old guy that knows the process pretty well.”
Art has been working in Information Security for over 30 years, with experience in the Department of Defense, Fortune 100 financial and communications companies, Managed Security Service Providers, and most recently an organization regulated by a Federal Agency. Art has completed numerous audits both as an auditor and auditee.
Want to learn more? Register for our March 22nd Webinar: A Step-by-Step Guide to Navigating High-Stakes Audits. Art Provost, VP of Security Services at Filament Essential Services, will deliver more insight on what to expect when an audit comes.