Integrity Blog

IT Audit

Over the years, audits have gotten a pretty bad rap. They can take a long time and seem only to point out everything you’re doing wrong, not to mention the million other things they pile on your to-do list. IT audits don’t have to be that way, however, nor should they be. There are many positives that come from audits.

Here are some tips to help get the most out of your next IT audit.

Select a Qualified Auditor

You may not have the choice of whether or not to be audited, but you do get to choose who conducts the IT audit. Select a firm with experience and knowledge. Audits are a great way to learn new threats, technologies, vulnerabilities, etc., so be sure to select an auditor that is willing to help you learn. Find a firm that is quick to respond and is open for discussions and questions.

Assign an Audit-Owner

Identify an individual from your organization to lead the audit efforts. This individual should be the “go-to” person responsible for compiling documentation, communicating with the auditor, redirecting requests and being available while the auditor is onsite. Identifying an audit-owner to track documents and requests will help the audit move along efficiently. It’s also important to remember the auditor’s progress is dependent upon the audit-owner’s responses. Make sure this individual has time dedicated to the engagement.

Be Prepared

Some auditors will request documentation prior to arriving onsite. Be prepared to provide them with as much as you can. Of course, there will be some items that must remain onsite due to availability or confidentiality; so, make sure to have those ready when the auditor arrives. Also, remember that prepping for an IT audit is an ongoing process. If you’re scrambling last minute to throw everything together, you can expect the audit to take much longer. Compile documentation and evidence throughout the year, and save it in a central location so it can easily be found.

Another part of being prepared is understanding the audit process and what to expect. Make sure the auditor has outlined a clear plan for your organization. This should include a schedule and timeline.

Ask Questions

Auditors know that most people are not IT experts. Many of you are probably a Vice President, Compliance Officer, or even HR manager who has also been tasked with leading IT decisions. If you don’t understand something, ask for clarification. The IT world is full of terminology that many find unfamiliar. Don’t be afraid to clarify and validate information. This will help you avoid wasting time gathering incorrect documentation.

The tips above won’t make the audit successful unless you go into the audit with an open mind and a positive, ready-to-learn attitude. Auditors don’t want to be the bad guys. Look at the audit as a way to learn new things and improve your organization.


Tips for security training
Top Tips for Developing Effective

Security Awareness and Training Programs

To implement and maintain an effective information security awareness and training program, several “best practices” and building blocks should be used.

Get These Top Tips Now

IT Security Learning Continuum

If you work in the IT world or deal with information security on a regular basis, you will hear people talking about Security Awareness Training. This can be a confusing term, as awareness and training are not one and the same. Generating awareness of something is distinctly different from the act of training. Awareness is about the learner receiving information from the teacher, whereas training is an active process whose goal is for the learner to build meaningful knowledge and skills that lead to action.

Learning is a continuum; it starts with awareness, builds to training, and can evolve into education. With help from the National Institute of Standards and Technology (NIST), this article will highlight the IT Security Learning Continuum and the differences between awareness, training, and education and how they are linked.

NIST - Figure 2-1: The IT Security Learning Continuum


Security Awareness

Awareness is having knowledge of a situation or fact. According to NIST, “Awareness is not training. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations[1] are intended to allow individuals to recognize IT security concerns and respond accordingly.”

In other words, people must have knowledge of security risks and threats before they can be expected to do anything about them. That is why security awareness is so important. We cannot expect people to innately understand existing risks, let alone react to risks, without some form of guidance.

An example of a topic for an awareness session (or awareness material to be distributed) is virus protection. The subject can simply and briefly be addressed by describing what a virus is, what can happen if a virus infects a user’s system, what the user should do to protect the system, and what the user should do if a virus is discovered. (NIST Special Publication 800-50)

There is a transition stage between awareness and training referred to by NIST SP 800-16 as Security Basics and Literacy. It consists of a core set of terms, topics, and concepts, and allows for the development of a more robust awareness program. It can also provide the foundation for the training program.

Security Training

Training is defined in NIST Special Publication 800-16 as follows: “The ‘Training’ level of the learning continuum strives to produce relevant and needed security skills and competencies by practitioners of functional specialties other than IT security (e.g., management, systems design and development, acquisition, auditing).” The most significant difference between training and awareness is that training seeks to teach skills, which allow a person to perform a specific function, while awareness seeks to focus an individual’s attention on an issue or set of issues.

Awareness is a basic necessity, but training is the difference maker when it comes to truly safeguarding an organization’s sensitive information. However, information security training conducted one time per year is simply not enough. Awareness and training activities should be spread across the year to provide greater persistence. Cyber threats are constantly changing, and the awareness and training program must be agile enough to provide information regarding the latest threats.

Security Education

Education is defined in NIST Special Publication 800-16 as follows: “The ‘Education’ level integrates all of the security skills and competencies of the various functional specialties into a common body of knowledge, adds a multidisciplinary study of concepts, issues, and principles (technological and social), and strives to produce IT security specialists and professionals capable of vision and pro-active response.” Education goes beyond basic security courses and training; it is accomplished through a degree program at a college, university, or other educational forum.

Security education is specific to those who wish to make security a career. In order to establish a successful security program, it isn’t necessary for one to have a formal security education. However, awareness and training are integral to a security-minded business culture.

[1] There are several ways to present security awareness and training. Topics include password usage and management, policy, web usage, spam, social engineering, shoulder surfing, and many others. These topics can be presented through various materials including email advisories, periodicals, posters, conferences, seminars, and courses.

Vulnerability & Threat Intelligence Information Sources

No matter which framework your organization uses to determine risks to information assets, understanding vulnerabilities and threats plays an integral role. With the sheer breadth of known vulnerabilities and (potential) threats, not to mention the ever-growing variants of identified malware, it’s important to narrow down information into a usable amount that can be used for risk analysis efforts. Your organization’s vulnerability and threat intelligence needs may vary over time, but it’s good knowing there are several sources available, including those described below.

Information Sharing and Analysis Centers (ISACs)

The ISACs, organized through the National Council of ISACs, provide sector-specific threat and mitigation information for their member organizations. ISACs started to form after Presidential Decision Directive-63 was signed (May 1998), requesting that each critical infrastructure sector establish organizations for sharing information about threats and vulnerabilities. There are now 24 ISACs, covering a range of sectors, including healthcare, finance, retail, education, and emergency services, among others. To see the entire list of ISACs with descriptions, visit: http://www.nationalisacs.org/member-isacs

United States – Computer Emergency Readiness Team (US-CERT)

The US-CERT provides a variety of threat information, alerts and tips. The agency’s site (https://www.us-cert.gov/) also provides information about product updates, such as those from Apple, Adobe, Cisco, and VMware. In addition, information about other organizations that share vulnerability and threat information can be found on the site.

Vulnerability Databases

Vulnerabilities need to be understood in order to analyze risks. There is definitely no lack of identified vulnerabilities in the National Vulnerability Database (https://nvd.nist.gov/home.cfm) and the Common Vulnerabilities and Exposures (CVE) database (http://cve.mitre.org/about/).
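Because those databases hold far more entries than any one organization can review, the practical step is to narrow a bulk feed down to the records that touch your own assets, as the introduction to this post recommends. The Python below is an added example, not code from the original post or from NIST or MITRE. It assumes a feed laid out like the NVD JSON 2.0 CVE records (an assumption about the layout; check it against the live schema before relying on it), an asset inventory expressed as CPE 2.3 strings, and a CVSS v3.1 score threshold. Every CVE id, vendor, product and score in it is a constructed placeholder, and the version comparison is a deliberate simplification (numeric dotted versions only).

```python
"""Triage a CVE feed against an asset inventory (added example, constructed data)."""
import json

# Constructed sample feed in the shape of NVD JSON 2.0 records (assumption).
# CVE ids below are placeholders, not real vulnerabilities.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-0000-EXAMPLE1",
             "descriptions": [{"lang": "en", "value": "constructed: RCE in exampleapp 2.1"}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:exampleapp:2.1:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-EXAMPLE2",
             "descriptions": [{"lang": "en", "value": "constructed: info leak in exampleapp before 3.0"}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:examplevendor:exampleapp:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "3.0"}]}]}]}},
    {"cve": {"id": "CVE-0000-EXAMPLE3",
             "descriptions": [{"lang": "en", "value": "constructed: issue in a product we do not run"}],
             "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 8.1, "baseSeverity": "HIGH"}}]},
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:a:othervendor:otherapp:*:*:*:*:*:*:*:*"}]}]}]}},
    {"cve": {"id": "CVE-0000-EXAMPLE4",  # no metrics yet: a freshly published, unscored record
             "descriptions": [{"lang": "en", "value": "constructed: unscored issue in exampleos 1.0"}],
             "configurations": [{"nodes": [{"cpeMatch": [
                 {"vulnerable": True, "criteria": "cpe:2.3:o:examplevendor:exampleos:1.0:*:*:*:*:*:*:*"}]}]}]}},
]})

# Constructed inventory: what this hypothetical organization actually runs.
INVENTORY = [
    "cpe:2.3:a:examplevendor:exampleapp:2.1:*:*:*:*:*:*:*",
    "cpe:2.3:o:examplevendor:exampleos:1.0:*:*:*:*:*:*:*",
]


def _version_key(version):
    # Simplification: dotted numeric versions only; non-numeric parts sort as 0.
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def cpe_fields(cpe):
    # CPE 2.3 formatted string: 'cpe:2.3:' followed by 11 fields (part, vendor, product, version, ...).
    fields = cpe.split(":")  # simplification: assumes no escaped colons
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe}")
    return fields[2:]


def cpe_matches(match, asset_cpe):
    """True if an NVD-style cpeMatch entry applies to the asset. '*' on either side is a wildcard."""
    crit, asset = cpe_fields(match["criteria"]), cpe_fields(asset_cpe)
    if any(c != "*" and a != "*" and c != a for c, a in zip(crit, asset)):
        return False
    asset_version = asset[3]
    if asset_version == "*":
        return True  # inventory does not pin a version: match conservatively
    av = _version_key(asset_version)
    lo, hi = match.get("versionStartIncluding"), match.get("versionEndExcluding")
    if lo and av < _version_key(lo):
        return False
    if hi and av >= _version_key(hi):
        return False
    return True


def parse_feed(text):
    """Reduce each feed record to id, v3.1 score/severity, vulnerable CPE matches and description."""
    records = []
    for item in json.loads(text).get("vulnerabilities", []):
        cve = item["cve"]
        score, severity = None, "UNSCORED"
        for m in cve.get("metrics", {}).get("cvssMetricV31", []):
            data = m.get("cvssData", {})
            if "baseScore" in data:
                score, severity = float(data["baseScore"]), data.get("baseSeverity", "UNKNOWN")
                break
        matches = [cm for conf in cve.get("configurations", []) for node in conf.get("nodes", [])
                   for cm in node.get("cpeMatch", []) if cm.get("vulnerable")]
        desc = next((d["value"] for d in cve.get("descriptions", []) if d.get("lang") == "en"), "")
        records.append({"id": cve["id"], "score": score, "severity": severity,
                        "matches": matches, "description": desc})
    return records


def triage(feed_text, inventory, min_score=7.0):
    """Keep records that hit an inventory asset and meet the threshold.

    Unscored records that match are kept (flagged UNSCORED) so a missing metric
    never silently hides a relevant vulnerability. Scored hits sort first, highest score first.
    """
    hits = []
    for rec in parse_feed(feed_text):
        affected = [a for a in inventory if any(cpe_matches(m, a) for m in rec["matches"])]
        if not affected or (rec["score"] is not None and rec["score"] < min_score):
            continue
        hits.append({**rec, "affected": affected})
    hits.sort(key=lambda r: (r["score"] is not None, r["score"] or 0.0), reverse=True)
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_FEED, INVENTORY):
        print(f"{hit['id']:20} {hit['severity']:9} {hit['score']}  {hit['affected']}")
```

Running it with the constructed data reports the critical exampleapp record and the unscored exampleos record, drops the medium record as below threshold, and ignores the record for a product not in the inventory; lowering `min_score` to 0.0 brings the medium record back. The design choice worth noting is that a record without a CVSS score is surfaced rather than discarded, since new entries often appear in the feed before they are scored.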

InfraGard

The Federal Bureau of Investigation partners with organizations in a public-private information sharing organization known as InfraGard. With chapters nationwide, InfraGard meetings are held routinely to present and exchange information about vulnerabilities and threats applicable to national security. All members, regardless of the industry or company they represent, must undergo a background check prior to being granted access to the organization’s portal and meetings. For more information, visit: https://www.infragard.org/

Information Security Professional Associations

There are several associations specific to information security, auditing, and risk. Association chapters provide great opportunities for networking with other information security professionals. Presentations and discussions at chapter meetings can be useful for maintaining awareness across myriad topics, including the latest threats and mitigation measures.

Free and Subscription-Based Sources

Threat intelligence is sometimes associated with the knowledge gained from digital forensics, but intelligence encompasses more than just “after the fact” information. A range of products are available to provide organizations with threat information, ranging from free or low-cost solutions to more expensive and capable products that analyze several hundred thousand feeds.

No matter which sources you use, your risk analysis efforts benefit from having multiple choices for vulnerability and threat information. Within our daily schedules, we may not always find time to stay abreast of the latest information, so it’s good to build various vulnerability and threat assessment activities into your routine. To adequately determine risks, an organization must understand its vulnerabilities and potential threats.
