Posted by: SarahCortes
So you got the word, the compliance auditors are coming in. It’s like that big squash or tennis match. You’re feeling pretty good, and you think you’re ready. After all, you’re an IT professional, conscientious, hard-working and knowledgeable. But do you know what standard the auditors will be auditing you against? Like your opponent on the squash or tennis court, is it:
How did you do? The correct answer, as those of you know who have the scars to prove it, is f, “none of the above.” That’s right, not even COBIT. And “F” is what you may be about to get until you know how compliance auditors operate.
They’re actually auditing you against you and your company’s own standards and policies. Yup, that’s it. No, they’re not auditing you “against” a COBIT checklist. They’re looking at your own policies and standards and comparing your actual operation to what is stated in those policies.
So, Step 1: Get ahold of those policies and standards.
Step 2: Reality check. Do they represent TODAY’s state of your IT operation? Or are they aspirational? Do they say, for example, “Terminate access rights for all users within 24 hours of employment termination?” Is that really happening, 365 days a year? How about over weekends? Do your security staffers ever have delays getting lists of terminated employees from HR? Do they ever have a gap in coverage due to an unexpected absence? How often do you run a reconciliation report of terminated employees from the last 12 months vs. active usernames? Does HR have the ability to run regular reports of transferred employees, whose access needs to be handled as if they were terminated?
All operations, no matter how large or professional, can have gaps of greater than 24 hours between terminations and access cutoff. And if your operation is NOT among the largest, with a significant access control staff, chances are good you’ve got terminated employees with access going 48 hours to one week or longer before it’s taken care of. Here’s a secret: Everyone does. The auditors know it, if you don’t.
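The reconciliation report described in Step 2, as an added example rather than anything from the original post: it compares a constructed HR export of terminations and transfers against a constructed list of active usernames and flags every account still enabled more than 24 wall-clock hours after the HR effective date, so weekend gaps show up exactly as an auditor would find them. The CSV layout, the 365-day lookback and the 24-hour SLA are assumptions taken from the post's own example policy.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample HR export (hypothetical format: one row per leaver or
# transfer). Transfers are treated exactly like terminations, as the post advises.
HR_EXPORT = """username,event,effective
jdoe,terminated,2024-03-01T17:00
asmith,transferred,2024-03-08T09:00
bwong,terminated,2024-03-10T18:00
pgreen,terminated,2024-02-20T10:00
"""

# Constructed list of usernames currently enabled in the directory.
ACTIVE_ACCOUNTS = {"jdoe", "asmith", "bwong", "mrivera"}

AS_OF = datetime(2024, 3, 11, 12, 0)  # when the reconciliation runs (a Monday)


def reconcile(hr_csv, active_accounts, as_of, sla_hours=24, lookback_days=365):
    """Compare HR leaver/transfer events against the active-account list.

    Returns one finding per account still active more than `sla_hours` after
    its HR effective date, worst first. Hours are wall-clock, so weekends and
    holidays count against the SLA, which is the gap auditors probe.
    """
    findings = []
    window_start = as_of - timedelta(days=lookback_days)
    for row in csv.DictReader(io.StringIO(hr_csv)):
        if row["event"] not in ("terminated", "transferred"):
            continue
        effective = datetime.fromisoformat(row["effective"])
        if effective < window_start or effective > as_of:
            continue  # outside the 12-month review window, or future-dated
        if row["username"] not in active_accounts:
            continue  # access already removed: compliant, nothing to report
        hours_open = (as_of - effective).total_seconds() / 3600
        if hours_open > sla_hours:
            findings.append({
                "username": row["username"],
                "event": row["event"],
                "hours_open": round(hours_open),
                "hours_overdue": round(hours_open - sla_hours),
            })
    return sorted(findings, key=lambda f: f["hours_open"], reverse=True)


def sla_met(findings):
    """True when the written policy matched reality for this run."""
    return not findings
```

Run it against a real HR export and directory dump before the auditors do; an empty findings list is the only result that matches a "within 24 hours" policy.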
[Image: Ezra B. French, Second Auditor of the US. Image via Wikipedia]
I’ll cover Step 3 in a future post. In the meantime, let me know in the comments if you have any questions so far.