Achieving an Efficient, Measurable Process
By Tennelle Anderson, CISSP, CISA, CPA (Principal Security Consultant, SDS)
When I transitioned from “Internal Audit” to “Information Security” more than 10 years ago, I was immediately met with “you were an auditor, you deal with the auditors”. Once I realized no one else was going to take this disjointed and muddled (yet essential) function off my hands, I set out to turn my company’s audit scavenger hunt into an efficient and measurable process.
The most important thing I’ve learned during this experience is that all it takes is some consistency, organization, and proactive planning to eliminate your company’s audit scavenger hunt and make more effective use of your company’s resources. The following are some tips to improve security audit response.
“Where do I send this?”
The first phase of the scavenger hunt is identifying who will respond to the RFI once it is received in-house. A lot of time is wasted as an RFI is forwarded through a series of email inboxes. And RFI completion can be further delayed if any individual is out of the office or unable to check their individual email for an extended period of time.
1. Assign responsibility for completing these requests to a designated group of individuals. Believe it or not, there is an art to completing security questionnaires, and efficiencies can be gained by having a consistent group of individuals responding to them.
2. “Funnel” all requests to these designated individuals. Using a workflow management tool or ticketing system that end users are already familiar with provides a repeatable process that users are more likely to follow. If your organization needs a simpler solution, set up a group emailbox (e.g. SecurityInformationRequests at companyname dot com) accessible from the company’s intranet that end users can use to submit RFIs.
3. Provide education to frequently impacted groups. In my experience, security information requests often come via Sales or the Customer Relationship Managers (identify your company’s equivalent groups). Knowing this, my team of “responders” gave a short presentation at each monthly Sales new hire training meeting so that when the new Sales Reps inevitably received a questionnaire or other security request from a customer or client they would be able to forward the request quickly.
“Where do I get the answers to these questions?”
Once the request is received by the person(s) who will be responding, the next phase of the scavenger hunt will begin: where to find the information requested. I’ve found it valuable to apply the 80/20 rule to this exercise.
4. Organize and store the information you gather. The majority (80%) of security RFI’s are looking for the same core information. Once you’ve gathered this information once you can likely re-use it for subsequent requests. Organize and store this information in a place that can be accessed by the entire group of designated responders for future use.
5. Identify “Good Names to Know”. For the other 20% of information requested (e.g. information that is extremely technical or system-specific, or changes frequently) identify “Good Names to Know” (GNTK) – these are folks you can always count on to work with you to get information quickly or can tell you where to go to find it. Early in my career I was told “these people are treasures and should be treated as such” – I wholeheartedly agree and I encourage you to establish very good working relationships with these resources once you find them.
“Where do I find the documentation I need?”
The final (and often most difficult and time-consuming) phase of the audit scavenger hunt is obtaining the necessary documentation. Oftentimes this documentation already exists and is readily available – if you know where to find it.
6. Become intimately familiar with your company’s web site. Many of the documents that are repeatedly requested can be found on your company’s intranet, such as HR policies, employee code of conduct, acceptable use policy, security policies, etc.
7. Gain access to IT’s departmental procedures. After HR and Security Policies, the most commonly requested documentation includes process documentation that is typically owned by the IT organization, such as access control processes and forms, change control processes and forms, system development lifecycle processes and forms, data destruction processes and certificates of destruction, etc. Utilize your GNTK’s to obtain detailed information such as user lists, system configurations, and other report- or screen print-based evidence on a request-by-request basis.
One caveat to consider when it comes to providing documentation: some of the information may be classified as confidential and should not be shared via insecure and uncontrollable means such as email. Discuss with your Security team or Legal Counsel if you are unsure whether certain information should be shared, especially without a non-disclosure agreement.
It really is this simple – implementing and consistently applying the seven recommendations I’ve outlined here is the first step to turning your company’s security audit scavenger hunt into an efficient and measurable process. If you are looking for a repeatable client security audit response try using the SIG-Lite from Shared Assessments. We will address this approach in an upcoming blog. Stay tuned.
How Secure Digital Solutions Can Help
Information Security Audit Liaison Services (Audit Liaison) can add essential clarity help to improve security audits. From audit preparation to in-audit support to post-audit assistance with management’s response – we understand information security information requests and audits because we also perform them. We can be your coach, your buffer, and your advocate — and your staff can get back to their day jobs.