These two magic words should be in every network manager and system engineer’s lexicon. It’s your get-out-of-jail (not necessarily free) card with an IT Auditor.
Every IT shop has an application, a device, a configuration that breaks good security rules and usually corporate policy, as well. Every one. Stuff gets bought and installed by another back office group that turns out to have a boatload of security holes. A legacy router in a critical location that can’t have its IOS upgraded. A bunch of wireless registers using WEP. A database that gives every user db_owner access. A firewall rule into the corporate network when everything should be going into a DMZ. (You don’t let anything into your network from the Internet, DO YOU??? Please say no.) Anyway, these issues will all come forward in an IT Audit. If they don’t, somebody should be looking into better IT Auditors.
So, if that has to happen, what controls can you put in place that compensate for the risk of the vulnerability? Set up a firewall in front of that pesky application that Finance set up? Make that old router log connections AND remove telnet? Lock that firewall rule down from IP address to IP address and require two-factor authentication? All these things are good, but you need one more thing:
Documentation. Document the following:
1.) Your organization acknowledges the risk (identify the issue in the application, router, or firewall)
2.) Management acceptance of a break in policy (covers your assets)
3.) How those compensating controls specifically address the risk
4.) A plan and timeline for removal of the vulnerability
After this, you can hand it to the Auditor. It will still go in their report, but it can be considered reasonable.
Now, a large caveat here: Please resist the temptation to try to make a silk purse out of a sow’s ear. I’ve heard a boatload of excuses called “compensating controls,” usually because someone higher up doesn’t want to spend the money. If they won’t listen to you, be honest with your IT Auditor. Management will often listen to an auditor because the report goes to the Board. Don’t take the heat for a bad management decision by backing it up with one of your own!
The second caveat: make sure you are actually doing the compensating control, whether it’s log monitoring, firewalling, or whatever. Be prepared for the auditor to want to review that control, just like all the others.
Some auditors might say I’m giving admins an easy out – but I don’t think so. It just means that auditors should look a little harder and know a little more about the systems they are auditing. If we all get smarter, we all get better.