IT audits often feel like something of a personal imposition, especially to the people who are responsible for operating the IT system. However, they are a necessary evil: they substantiate whether the IT system being audited conforms to any industry compliance requirements that may apply, or to industry best practice.
Here in Europe, ISO 9001 helps to ensure that businesses adopt best practice in terms of quality of information and procedural discipline, across both their entire administration infrastructure and any production facilities. Within the IT sector (across all industries), it is ISO 27002 that rules the roost in recommending the measures that should be deployed to best safeguard information security.
ISO 27002 (2013 edition) is broken down into several sub-sections which include:
· Risk assessment
· Corporate security policy
· Asset management
· Human resource security
· Physical and environmental security
· Communications and operations management
· Access control
· Building security into applications
· Security incident management
· Business continuity management
· Compliance with standards, regulations and law
Viewed as a whole, this covers an entire IT infrastructure, and any one of these individual sub-sections may be subjected to in-depth analysis and testing when an audit takes place. However, it should be noted that ISO documents are not legal rules; they are offered as recommendations and guidelines. They are codes of practice.
The Case for a National IT Regulatory Body
As IT becomes ever more important, there may come a day when a national regulatory body is deemed necessary. Until then, it is very much a case of businesses following best practice as it relates to the industry sector they operate within and the IT methodologies and technologies they employ.
2 Types of IT Audit
In essence there are two different types of IT audit – internal and external. With internal auditing, the company audits itself and appoints an internal auditor (usually an existing member of staff) to carry out the audit, answering to either the IT manager, or the board of directors. An external IT audit is conducted by an outside company of IT auditors. Both types of audit have the same end in mind – to ascertain that the IT infrastructure is compliant with best practice. Of course every company has its own unique IT footprint, so audit briefs change from business to business in terms of what they cover. For example, only businesses employing cloud computing need to have their cloud computing procedures audited.
Regular Logging of IT System Activity
One of the most important best practices with regard to IT management and auditing is the ability to log certain events, and to formulate policies and action plans based on the nature of those events. This process means that both applications and devices are regularly reviewed, allowing any anomalies in security procedures to be addressed before any real harm affects the network. The inspection of such a log will form an intrinsic part of any system audit.
Automatic Log Analysers
In reality, the amount of data generated by maintaining these sorts of logs is immense, and therefore not suitable to be handled manually. It should instead be managed by a bespoke piece of equipment known as an automatic log analyser.
The Need for a Manual Log for Extraordinary Events
There are certain extraordinary events, such as a system restart, that may not be recorded by the automatic log. It's therefore a good idea to have this sort of event manually written up by the person who instigated it, noting any appropriate details such as who instigated the restart, the date, the time and the reason. Any such written logs need to be carefully filed so that they can be readily examined during any system audit.
System Fault Finding
Automatic logs are used to report two types of fault: those that are generated by the system itself and the applications that it runs, and those that are reported by system users or devices. These logs can then be used as tools to help identify trends or deep-rooted problems before they become too entrenched.
Calibrating the Alert Warning System
Operating systems and applications usually have a log and alert function written into them. This needs to be carefully configured so that all events above a predetermined threshold result in alerts being issued to the system managers. These functions should be regularly reviewed and, if necessary, re-calibrated depending on what is found at each subsequent inspection. This will help to ensure that the unscheduled event alert warning system is kept current.
Network Log Integrity
The integrity of any fault alert log is absolutely critical. A log is of no use whatsoever if someone hacking into the system is able to access it, and alter it in order to hide their footprints. It is therefore essential that these logs should be remotely backed up.
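The check an auditor can run once a remote backup exists, shown as an added example (not part of the original article): every line in the backup must still appear unchanged in the local log. The log lines are constructed sample data, and the pairing of altered lines within a changed block is a heuristic.

```python
from difflib import SequenceMatcher

# Constructed sample data: the remote backup was taken after the fourth entry.
BACKUP = [
    "2024-03-01T09:00:01Z auth login user=alice src=10.0.0.5",
    "2024-03-01T09:02:17Z auth sudo user=svc_admin cmd=/usr/sbin/useradd",
    "2024-03-01T09:02:40Z auth login user=tmp_acct src=10.0.0.99",
    "2024-03-01T09:05:03Z sys restart host=fs01",
]
# Local copy as found at audit time: one entry altered, one removed, one new.
LOCAL = [
    "2024-03-01T09:00:01Z auth login user=alice src=10.0.0.5",
    "2024-03-01T09:02:17Z auth sudo user=svc_admin cmd=/usr/bin/uptime",
    "2024-03-01T09:05:03Z sys restart host=fs01",
    "2024-03-01T09:10:44Z auth logout user=alice",
]


def audit_log_against_backup(local, backup):
    """Return (finding, backup_line_no, text) tuples for tampering evidence.

    An append-only log must reproduce every backed-up line unchanged;
    lines written after the backup point are expected and not reported.
    """
    findings = []
    matcher = SequenceMatcher(a=backup, b=local, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        n_backup, n_local = i2 - i1, j2 - j1
        paired = min(n_backup, n_local)  # heuristic: pair lines by position
        for k in range(n_backup):
            kind = "altered" if k < paired else "removed"
            findings.append((kind, i1 + k + 1, backup[i1 + k]))
        if i2 < len(backup):  # extra local lines before the backup point
            for k in range(paired, n_local):
                findings.append(("injected", i1 + 1, local[j1 + k]))
    return findings


if __name__ == "__main__":
    for kind, line_no, text in audit_log_against_backup(LOCAL, BACKUP):
        print(f"{kind:9} backup line {line_no}: {text}")
```

Any finding means the local log and its backup disagree about history, which is the condition the remote copy exists to expose.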
Policing the Network
There can be no exceptions as to which users are covered by the logging system. System administrators too must be subject to this procedure. However, it is important that they should not be able to access their own logs, as this would give them the ability to modify or falsify the log, should they be so inclined.
Procedures and Timescales for Repairing Faults
The details of any service level agreements (SLAs) that are in place also need to be made available for inspection during an audit. If there are no SLAs in place, then the internal procedures and timescales for repairing faults should be clearly documented, filed, and made available for audit as and when needed.
Accurate Time Monitoring is Important
Although it's only a relatively small point, it is nonetheless an important one; all time-clocks on the system, and on any devices logging onto the network, must show an accurate timestamp. This is particularly important where BYOD is prevalent. BYOD users must be informed of this need, and if necessary, the system needs to be able to update the timestamp on any device connecting to it. Without accurate time records, the integrity of the event log will be compromised.
Management of Privileged Accounts
One of the first things that an auditor will look out for is the existence of any privileged accounts. These are accounts whereby certain users are granted special access privileges over and above that of the normal user. The problem with privileged accounts is in making sure that the privileges granted are still relevant and current.
Keep an Independent Privileged Account User Log
The IT manager should have a log of all privileged accounts. The log must record the details of each and every privileged account holder: who they are, what they have access to, and why. Each account holder should be assigned a review date, at which point the information is re-examined to see whether or not it is still relevant.
It’s all too easy to lose track of people moving around within an enterprise and taking on new and different responsibilities, including of course those who leave the business’s employ. A review date also serves as a memory tickler to revoke any temporary privileges handed out to contractors and the like who are no longer on site.
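A review of such a register can be scripted, as in this added example (not part of the original article). The register columns, the staff list and the directory export of accounts that actually hold privileges are all constructed, assumed inputs.

```python
import csv
import io
from datetime import date

# Constructed sample register: holder, access granted, reason, review date.
REGISTER_CSV = """holder,access,reason,review_date
j.smith,Domain Admins,Infrastructure lead,2024-09-30
contractor01,DB sysadmin,Migration project,2024-02-15
m.jones,Backup operator,,2024-12-01
p.kaur,Firewall admin,Network team,2024-01-31
"""
# Constructed: people currently employed or on site.
CURRENT_STAFF = {"j.smith", "m.jones", "contractor01"}
# Constructed: accounts that actually hold privileges (assumed directory export).
ACTUAL_PRIVILEGED = {"j.smith", "contractor01", "m.jones", "p.kaur", "svc_legacy"}


def review_register(register_csv, current_staff, actual_privileged, today):
    """Return (account, access, [issues]) for every entry needing attention."""
    findings, registered = [], set()
    for row in csv.DictReader(io.StringIO(register_csv)):
        holder = row["holder"]
        registered.add(holder)
        issues = []
        if holder not in current_staff:
            issues.append("holder no longer with the business")
        if not row["reason"].strip():
            issues.append("no justification recorded")
        if date.fromisoformat(row["review_date"]) <= today:
            issues.append("review date reached")
        if issues:
            findings.append((holder, row["access"], issues))
    # Privileges that exist on the system but were never written down.
    for account in sorted(actual_privileged - registered):
        findings.append((account, "unknown", ["privileged but not in register"]))
    return findings


if __name__ == "__main__":
    for account, access, issues in review_register(
            REGISTER_CSV, CURRENT_STAFF, ACTUAL_PRIVILEGED, date(2024, 3, 1)):
        print(f"{account:13} {access:16} {'; '.join(issues)}")
```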
The Increasing Importance of GRC
With IT becoming such an important, entrenched function within any business, the need for regular audits, and the role and nature of the auditor, are becoming increasingly important. The role of GRC (governance, risk management and compliance) will evolve into a crucial discipline for helping IT managers or CIOs (Chief Information Officers) to fully prepare for a thorough system compliance audit.