Does Audit Make us Secure?  Presented at ISACA SV Spring Conference, May 15th, 2015


Founder EnterpriseGRC Solutions

Companies that passed audit and had a major breach

View this presentation full screen.

March 18, 2015 “Three weeks before hackers infiltrated Premera Blue Cross, federal auditors warned the company that its network security procedures were inadequate.”

The Heartland intrusion began in May 2008, even though the company had passed multiple audits, including one conducted on Apr. 30. At the time, the Princeton (N.J.) company was in compliance with industry standards for data security, Carr says. Still, shortly afterward, 13 pieces of malware that capitalize on weaknesses in Microsoft (MSFT) software infiltrated one or more network servers.

"We get pinged 200,000 times per day by people trying to hack into our system," Carr says. "You do everything you can to make sure one of those pings doesn't get through, and we thought we had done everything we could do."

  • Does audit make us secure?
  • Why not?
  • Is it just me?
  • “Scope” implies permission for less secure practices on lower impact systems
  • We audit what we understand and miss the most important areas of security risk 
  • We expose a wide range of people to known areas of weakness
  • We distract people from their core responsibilities
  • We create a false sense of security by under representing complex and broken processes
  • Did I Pick the Right form of Risk Assessment?
  • Is our goal to determine if we are secure?
  • Is our goal is to enable a more secure enterprise?
  • Are we expected to engage business partners, to provide meaningful metrics, to inform choices and decisions?
  • Does the organization account for security responsibilities across all areas of IT service?
  • Effective security  & information management practices extend beyond audit

ITIL Service Lifecycle – Serving Business of Product Development, Sales and Services Enablement


  • Change Management
  • Service Asset and Configuration Management
  • Release and Deployment
  • Validation and Testing
  • Evaluation
  • Knowledge Management
  • Service Catalog Management
  • Service Level Management
  • Capacity Management
  • Availability Management
  • Continuity Management
  • Information Security Management
  • Supplier Management

GRC Contributes by using a Cyber Security Model

  1. Identify – CMDB, People, Process, Technology, relationships, alignment to controls
  2. Protect – Architecture, Infrastructure, Monitoring
  3. Detect – Defined Sources, Collection, Interpretation, Reporting Methods
  4. Respond – RCA, Corrective Action, Management Meetings, Plans, Optimization Targets
  5. Recover – Configuration baselines, response plans, lessons learned, Wiki, documentation, BIA

GRC Security Metrics inform control design effectiveness

  • Intrusion Detection Systems (IDS)
  • Virus Alerts - HelpDesk cases
  • DLP events
  • Vulnerabilities Identified, risk ranking, remediation, status
  • Patch requirements and mean time to remediate MTTR
  • Daily Anti-Virus status (Red, Yellow, Green), # of events blocked, cleaned, definition updates
  • Daily end point patching, # of systems in and out of compliance
  • % Daily system backups
  • # of Volume created, # purged

Security Project Plans, Milestones, Issues or Blockers

  • Infrastructure remediation
  • Post Implementation Effectiveness for corrected security problems (ROI)
  • Template Configurations v. distinct
  • Systems Monitored
  • Services per systems
  • Call Out to: Configuration Management using Cobit®5
  • Leverage Secure Email to Take Action: Confirm Incident Definitions, Review, & Response
  • Scheduled outputs to central mailbox (restrict delete)
  • Track incident notifications
  • Establish and RUN Rules for follow up
  • Set Flags to communicate closed corrective action
  • Only handle it once; make the message be the evidence
  • IAM - People and Access – Provide Integrated Reporting
  • PowerShell gathers local Admin accounts
  • ADManager pulls all members in all groups
  • Pearl Script flattens records
  • Query to Dashboard active HR System users and record allowed Roles granted based on Job Title
  • Grade effectiveness BY department (security roles and access grants)
  • Publish exception policy and have management sign off at least quarterly
  • Access Management – Program Management includes GRC, Systems, Security, and a Strategy
  • How can audit drive security? Manage Corrective Actions!

Fact v. Impact

Evolving Tools Framework – Enterprise Security Architecture (ESA)
Data System Relationships to Audit, Classification, Risk Model & Assess
Information Asset Management is a foundation Program

  • Asset Security – Data Oriented Risks
  • Identify where PII, PHI, and CHD is housed and accessible; Label (Classify )according to your company ISMS
  • (Data Encryption) Protocol Governance has inputs and outputs  to Enterprise Process and Risk Management
  • Assets must be understood down to the protocols, network and networking, and encryption
  • Document and Follow a Data Collection Practice
    Implement a meaningful output process
  • Data collection strategy
  • Source coverage – the architecture stack
  • Test mapping – a single collection to many controls
  • Validation process - independent
  • Imports, Reference Tables, Security & Audit Queries
  • Output to Corrective Actions tracking - Accountability
  • Enable Management  to use Executive Strategy to determine and implement their Risk Response
  • The risks identified have actual probability – get the lessons learned
  • In addition to collecting the results of planned exercises, the organization should make use of real events that further validate the BCP plan.
  • Information Security and Enterprise Operations should work together to track and resolve known conditions that delayed reasonable recovery of service.

REMEMBER: Materiality

  • Financial statement audits measure materiality
  • Integrated Audit (Security and Internal Audit) provides IT assurance on non-financial items requiring alternative measures (maturity models and process assurance methodology).
  • Conversations tend to focus on the value, investment, impact and opportunity - money
  • People may not remember your words, but they will always remember how you made them feel