Privileged Access Management Compliance Through the Eyes of an Auditor
Compliance audits are a stressful, time-consuming effort for many companies. In the Lockdown blog, we often talk about the tools and processes customers use to prepare for both internal and external information security audits. This time we thought we’d turn the tables and speak directly to an auditor to hear his perspective.
In this post, auditor and Information Security Specialist Edgar Perez Espinosa shares what’s on his security audit checklist and what really goes through his mind when he’s conducting an information security audit.
Delinea: How prepared are the companies you audit?
Auditor: There is not much advance notice in terms of process. Basically, companies focus more on investing in the “new generation” tools for increasing security and account management, but 70% of them lack a complete lifecycle to dispose of accounts correctly.
50% of the time companies do not properly understand the scope of the audit
Delinea: How long do you spend on an audit?
Auditor: Usually audits take from two weeks to one month. It will depend on the scope of the audit.
Delinea: What frustrates you the most about auditing organizations?
Auditor: What is most frustrating about security audits is that 40% of companies repeat the same missing controls: updated inventories (hardware and software), vulnerability management, and monitoring of PAM. That makes our work easy, as the findings repeat, but it continues to be a risk for them.
Delinea: What do you enjoy the most?
Auditor: What I enjoy the most is the fact that companies trust in our advice as experienced auditors, not only to find missing controls but to understand what really works for different companies. I like when Directors understand the risk for their organizations and they thank you for having made them conscious of that.
Delinea: With respect to privileged accounts, what type of security controls do you expect to see?
Auditor: First of all, I like to see the inventory of privileged accounts, who is responsible, and the process of assigning one of them. Then, in practice, what I usually look for is the workflow of real-time use of a privileged account and how it’s used, authorized, monitored, logged, and disposed of.
Delinea: How often do you see companies that do not achieve what is required of an audit?
Auditor: I might say that 50% of the time companies do not properly understand the scope of the audit, and do not even know their internal process and that is a big mistake. Audits are conducted to improve the security posture, but you should know your risks and define plans to minimize them.
Delinea: In what areas do you see most companies fall short? Why do you think that is?
Auditor: Based on experience, the top three domains where companies fall short are:
- Risk Management (mainly because strategically this has not been properly understood)
- Secure Software Lifecycle (usually because they focus on functionality instead of security by design)
- Incident Management (they respond to incidents but they do not know how to manage outside the organization and how to disclose breaches appropriately)
Delinea: What would you recommend to any company to be better prepared for a security compliance audit?
Auditor: In my opinion, my best advice is—do not fear audits. They should be seen as part of an improvement process. Instead, think of audits as a health check. How would you know if you have a disease if you don’t visit your doctor?
What steps can you take to prepare for your next compliance audit?
To see where you stand, first, run an internal audit of your privileged account security. Run Delinea’s free Least Privilege Discovery Tool and gets a comprehensive summary report highlighting your risks.
Compare how your privileged account security maps to compliance requirements for your organization. Some regulations are highly prescriptive while others provide broad guidelines and leave the details up to you. Make sure you know the requirements for compliance so you can be prepared when the auditors arrive.