Audit as a means to verify compliance ... not the end game

In a previous post, I wrote about cybersecurity and GRC (governance, risk & compliance). In this post, I’ll share my thoughts on audit as a way to improve as well as verify cybersecurity and compliance. I’ll also shed some light on the most common regulatory compliance frameworks out there that would require an audit.

Achieving regulatory compliance often requires companies to undergo an IT security audit. The assessment tests the degree to which a system and its users can prevent data breaches and repel advanced persistent threat (APT) actors. When considered as part of an overarching GRC (governance, risk, and compliance) policy, a third-party audit delivers comprehensive benefits that include the following.

• Identifies Cybersecurity Vulnerabilities
• Helps Close Cybersecurity Gaps
• Avoids Risk of Government Penalties
• Provides Information for Improved Governance

The most important takeaway from a cybersecurity and compliance audit may be the written report and advice. This information helps proactive business leaders make informed decisions about critical next steps.

What Is a Cybersecurity Audit?

This is the independent, systematic examination of an organization’s cybersecurity posture. Audits ensure proper security controls, procedures, and policies work effectively.

Every organization has several cybersecurity policies. Executives use the audit to offer a "checklist" that validates whether the available controls work effectively. This helps them know what to expect from their security policies.

Audits target cybersecurity policies, guidelines, and standards. It also ensures that an organization implements optimized security controls and meets all compliance requirements. The scope of evaluation covers:?

• Operational security?– Security controls, procedures, and policies
• System security?– patching processes, hardening processes, management of privileged accounts, and role-based access
• Data security?– Encryption use, data security during storage and transmission, network access control
• Physical security?– Disk encryption, role-based access controls, biometric data, multi-factor authentication, etc.

Through cybersecurity audits, organizations can analyze their current IT practices in-depth, report their external and internal security systems, highlight weak areas, and propose solutions. This limits employee error, insider threats, phishing attacks, IoT devices, malware, and Distributed Denial of Service (DDoS) breaches.?

Audit as a means to verify Compliance

Cybersecurity auditors evaluate the effectiveness and safety of an organization's current IT structures to learn the required tools to meet compliance standards. After an audit, executives will quickly address the highlighted concerns, determine necessary changes, and pick the right solutions for a robust defense plan compliant with cybersecurity regulations.

Regulatory Compliance Frameworks

Meeting regulatory compliance frameworks may seem like the cost of doing business at first blush. But these organized guidelines and methodologies are established to protect valuable and confidential digital assets.

The act of meeting them and remaining in compliance improves the chances that hackers won’t penetrate a system. Regulatory bodies are still catching up to cybercriminals’ tactics. However, these are still some of the common regulatory compliance frameworks industry leaders need to aware of.

• SOX: The Sarbanes-Oxley Act requires publicly traded companies to meet managed asset controls. Companies are tasked with conducting a regular audit that reviews the viability of internal controls.
• HIPAA: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established rules regarding the protection of medical records and histories. Ongoing compliance remains necessary for organizations in the health care sector.?
• HITECH: The Health Information Technology for Economic and Clinical Health Act was introduced during the Obama Administration. The measure removed loopholes and incentivized HIPAA compliance.
• PCI DSS: The Payment Card Industry Data Security Standard (PCI DSS) involves regulations to heighten cybersecurity in the credit card industry. Developed by household name credit card corporations, its rules are not necessarily part of government oversight.
• SOC1: Service Organization Control 1 involves a written report following an internal control audit. The focus is relevant to a consumer’s financial statement.
• SOC2: This brainchild of the American Institute of CPAs defines five “trust service principles.” Certification is typically the result of passing a third-party audit.
• NIST: The National Institute of Standards and Technology is a non-regulatory organization that provides guidance around cybersecurity at the highest levels. NIST guidelines are widely adopted by the federal government and included in CMMC, among many others.
• FedRamp: The Federal Risk and Authorization Management Program crafts Cloud-centric cybersecurity guidelines. It establishes security assessment, authorization, and ongoing monitoring of cloud-based products and services.
• ISO: The International Organization for Standardization establishes technological and commercial standards. Although U.S. companies may not need to directly comply, it publishes rules adopted in many countries.
• GDPR:?The goal of GDPR (General Data Protection Regulation) is to provide more stringent data privacy and security measures and more user-friendly disclosures and reporting on data protection practices. This regulation aims to allow individuals to control the use and storage of their own data, including any personal identifiable information.
• CCPA:?The California Consumer Privacy Act of 2018 (CCPA) is?a data privacy law that outlines standards for data collection, consequences for businesses that cannot protect user data, and rights that California consumers can exercise over their data.

Meeting the standards established by these and other organizations usually results in compliance. Forward-thinking business leaders usually incorporate these frameworks as part of their ongoing business activities.

Audit is not the end game?

Compliance and Audit is not the end – they shouldn’t be treated as just checking a box. Organizations should still treat cybersecurity as an important aspect of their business, must have a strong cybersecurity program, practice it all times and continuously enhance the program over time. To shed the importance of all this, I’d like to revisit the famous Solar Winds hack from few years ago. This watershed incident stunned large corporations and government agencies who were largely in compliance with federal cybersecurity mandates.

Solar Winds Hack and What Made it Unique?

Hackers managed to penetrate the Solar Winds system and deploy a strand of malware into its widely distributed software. Cybersecurity insiders refer to this as the perfect “supply chain attack” because thousands of organizations in compliance with cybersecurity rules were impacted. At the time, the Department of Defense (DoD) was rolling out its Cybersecurity Maturity Model Certification (CMMC) program, and officials essentially gave companies in the military industrial base a pass. No fines were levied or credentials pulled because even the feds were blindsided.

“SolarWinds wasn’t normal. No one is going to take that against you and take your certification away against a nation-state actor penetrating in a way that has never been done before — absolutely not,” DoD official Katie Arrington said at the time. “But if you come in, and there’s a cyber incident at your company, and it happened because you weren’t deploying your multi-factor authentication, then you do run a risk.”

All told, 18,000 Solar Winds users were reportedly compromised, including the U.S. Treasury, Department of State, Intel, Cisco, Microsoft, and even the U.S. Department of Homeland Security. It seems impossible for corporations and government agencies with seemingly determined cybersecurity measures, in full regulatory compliance, to get stung. Unfortunately, those are the facts. How Solar Winds and others went wrong stands as a teachable moment for every small, mid-sized, or large corporation to learn a valuable lesson about the difference between cybersecurity and compliance.

In terms of the Solar Winds infiltration, reports indicate an intern used the password “solarwinds123” and posted it in a public space. Although Solar Winds may have been in compliance with government regulations, they failed to practice effective cybersecurity. The purpose of responsible cybersecurity is to prevent and deter threats.

Had Solar Winds mandated multi-factored authentication (MFA) for all its interns, threat actors would not have been able to leverage the predictable “solarwainds123” password. That’s just one example of cybersecurity vulnerabilities CEO and other industry leaders might not be aware of unless they insist on a third-party cybersecurity audit.

Compliance is important. Audit is important. But Cybersecurity does not have a beginning or an end. Cybersecurity is an ongoing process of protecting an organization’s business. I had written about the importance of cybersecurity especially in a remote work world, this a previous post.

Conclusion

Compliance and audit help an organization establish a comprehensive baseline for their security posture, while diligent security practices enhance the baseline to cover the organization from every angle.

Equal focus on both concepts empowers organizations to meet their market standards and demonstrate their commitment to digital security.?