Compliance audits are a stressful, time-consuming effort for many companies. In our blog, we often talk about the tools and processes customers use to prepare for both internal and external information security audits. This time we thought we’d turn the tables and speak directly to an auditor to hear his perspective.
In this post, auditor and Information Security Specialist Edgar Perez Espinosa shares what’s on his security audit checklist and what really goes through his mind when he’s conducting an information security audit.
Auditor: There is not much advance notice in terms of process. Basically, companies focus more on investing in the “new generation” tools for increasing security and account management, but 70% of them lack a complete lifecycle to dispose of accounts correctly.
Auditor: Usually audits take from two weeks to one month. It will depend on the scope of the audit.
Auditor: What is most frustrating about security audits is that 40% of companies repeat the same missing controls: updated inventories (hardware and software), vulnerability management, and monitoring of Privileged Access Management (PAM). That makes our work easy, as the findings repeat, but it continues to be a risk for them.
Auditor: What I enjoy the most is the fact that companies trust in our advice as experienced auditors, not only to find missing controls but to understand what really works for different companies. I like when Directors understand the risk for their organizations and they thank you for having made them conscious of that.
Auditor: First of all, I like to see the inventory of privileged accounts, who is responsible, and the process of assigning one of them. Then, in practice, what I usually look for is the workflow of real-time use of a privileged account and how it’s used, authorized, monitored, logged, and disposed of.
Auditor: I might say that 50% of the time companies do not properly understand the scope of the audit, and do not even know their internal process, and that is a big mistake. Audits are conducted to improve the security posture, but you should know your risks and define plans to minimize them.
Auditor: Based on experience, the top three domains where companies fall short are:
Auditor: In my opinion, my best advice is—do not fear audits. They should be seen as part of an improvement process. Instead, think of audits as a health check. How would you know if you have a disease if you don’t visit your doctor?
To see where you stand, first run an internal audit of your privileged account security. Run Delinea’s free Least Privilege Discovery Tool and get a comprehensive summary report highlighting your risks.
Compare how your privileged access management solution and privileged account security map to the compliance requirements for your organization. Some regulations are highly prescriptive, while others provide broad guidelines and leave the details up to you. Make sure you know the requirements for compliance so you can be prepared when the auditors arrive.
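The auditor's checklist above (a privileged-account inventory with a responsible owner, an approval record for each assignment, monitoring and logging of use, and disposal at end of life) can be turned into a self-check before the auditor arrives. The script below is an added example written for this post, not Delinea's tool or the auditor's own method; the inventory fields, the 90-day staleness threshold and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed reference date and threshold (assumptions, not from the interview).
TODAY = date(2024, 6, 1)
STALE_AFTER = timedelta(days=90)


@dataclass
class PrivilegedAccount:
    name: str
    owner: Optional[str]              # who is responsible for the account
    owner_active: bool                # is that person still with the organization?
    authorization_ref: Optional[str]  # approval/ticket that assigned the privilege
    enabled: bool                     # still enabled in the directory or PAM vault
    last_used: Optional[date]         # last checkout/logon seen by PAM monitoring
    logged: bool                      # sessions are recorded (PAM log / SIEM)


def audit_lifecycle(accounts: List[PrivilegedAccount], today: date = TODAY) -> Dict[str, List[str]]:
    """Map each account with an incomplete lifecycle to its list of findings."""
    findings: Dict[str, List[str]] = {}
    for acct in accounts:
        issues = []
        if not acct.owner:
            issues.append("no responsible owner")
        if not acct.authorization_ref:
            issues.append("no approval record for assignment")
        if acct.owner and not acct.owner_active and acct.enabled:
            issues.append("owner left but account not disposed of")
        if acct.enabled and not acct.logged:
            issues.append("privileged sessions not logged")
        if acct.enabled and (acct.last_used is None or today - acct.last_used > STALE_AFTER):
            issues.append("enabled but unused for more than 90 days")
        if issues:
            findings[acct.name] = issues
    return findings


# Constructed sample inventory (hypothetical accounts and people).
SAMPLE_INVENTORY = [
    PrivilegedAccount("svc-backup", "alice", True, "CHG-1042", True, date(2024, 5, 28), True),
    PrivilegedAccount("admin-legacy", "bob", False, "CHG-0311", True, date(2023, 11, 2), True),
    PrivilegedAccount("db-root", None, False, None, True, date(2024, 5, 30), False),
    PrivilegedAccount("old-ops", "carol", True, "CHG-0777", False, None, True),
]

if __name__ == "__main__":
    for name, issues in audit_lifecycle(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(issues)}")
```

Each finding corresponds to a control the auditor said he looks for, so an empty result for an account means its inventory, assignment, monitoring and disposal evidence is in place.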