This article was authored by Art Provost, Vice President of Security Services and Senior Information Security Officer, at Filament Essential Services, an Apptega trusted partner. To learn more about how to navigate audits affordably and with minimal business disruption, register for our March 22 webinar with Provost and the Apptega team.
Audit. It’s a word that, if not scares, at the very least makes IT Management, the Security team, and Executives uncomfortable. When you’re doing everything you can to keep things running, the last thing you want is to have someone come in and tell you you’re doing it wrong. Almost as bad as hearing that you may be doing it right, but you can’t prove it.
I’ve been working in Information Security for over 30 years, with experience in the Department of Defense, Fortune 100 financial and communications companies, Manages Security Service Providers, and most recently an organization regulated by a Federal Agency. I’ve been part of more audits than I can count, both as an auditor and the auditee. At this point, I’m officially the old guy that knows the process pretty well.
After meeting with the auditor and defining the scope of the review, the auditor presents an Evidence Request List. The list contains all of the documentation that would show that you’re doing the things you’re supposed to be doing over the course of the past year. You immediately have a panic attack to go along with the to-do list that’s longer than your arm. You start requesting copies of evidence from all of the people that should produce it, as well as tackling the list that you are responsible for yourself.
A week before the audit starts you’re still gathering documentation, following up with people, and trying to get everything ready for the auditor to show up. You have a directory that’s got hopefully some form of organization, but still contains more information than you need in some places and far less in others.
The auditor arrives and spends a few days interviewing staff and asking you questions and reviewing the evidence you have provided. At the end of each day, you feel like you’ve been through the wringer. You have to know and be able to articulate how you meet each control, each process, and each procedure. It’s the longest oral exam you’ve ever been in.
The auditor leaves and hopefully, you did your job well, getting an issue-free report. Otherwise, you have a list of things that you have to implement, change, or otherwise do to disrupt your staff.
We’ve gone through several iterations of finding methods to track and maintain our evidence, our security program, and its related tasks, and above all, to protect the sensitive information that we’re charged with protecting.
1. We started with the top-level directory and mapping the evidence to the ERL. It worked but was difficult to maintain.
2. We moved to separate the evidence by control families – our security framework specifies 18 of them. Now I have 18 directories each with a bunch of stuff to maintain. It’s more searching to find what I need, but interviews do tend to be grouped by control family. Things were better and worse at the same time.
3. More organization is better, right? Each control family has between 4 and 25 controls where we have to demonstrate compliance. The next step in our evolution was to create more sub-directories for each control. This method allowed us to ensure that every control was addressed, but in the cases where we could use the same piece of evidence for multiple controls, we had multiple copies of the same file. Evidence has an expiration date, and this method made keeping all of the evidence fresh more difficult. Version control was also a nightmare. There were several cases where we would have several versions of the same evidence in separate control directories. Refreshing evidence was also a manual and resource-intensive process. We also ran into some issues with our directory names getting too long for Microsoft’s liking.
If you’ve made it this far, you must really want to know how we solved this. The answer is… well we’re still evolving. We partnered with Apptega and are using their platform to manage our security program. Over the past year, we’ve migrated our evidence and artifacts into their platform and have been working to organize things.
There have been a few missteps along the way:
- We initially uploaded multiple copies of artifacts and tied each to the controls to which they applied. This led to the same issue we had with multiple copies in the previous iteration. Apptega has a great solution for linking documents to multiple controls – we just needed to apply it properly.
- Scheduling and calendaring tasks over multiple days made for a very crowded calendar.
- Teaching our auditors to use Apptega for their review and helping them to understand how we are using the product has been a challenge.
- Naming conventions should be worked out and agreed upon prior to using the tool to maintain evidence.
The Apptega framework gives us much better ways to represent our security program to both the casual observer and the auditor alike. High-level graphs are combined with drill-downs to narratives with one more click required to get to evidence of compliance.
All in all, we’re very happy with the tool. Our annual 3rd party audit interviews were brief, direct, and to the point. There weren’t any surprises. The audit completed with a handful of recommendations to bolster our evidence of compliance, but no findings or areas where we were deficient. The normally stressful audit was almost a non-event.
Want to see how Apptega can help your organization break down the silos between compliance and security to increase efficiencies while cutting costs? See Apptega in action for yourself.