Security Controls Validation For Internal Auditors – Top 5 Needs by Brian Contos
When it comes to cybersecurity, perhaps the most essential “check” that auditors are tasked with is controls validation. No longer are organizations being asked to simply verify that they have controls in place, but rather validate that those controls are effective.
Last week Verodin delivered two presentations at the RMISC, Rocky Mountain Information Security Conference, in Denver Colorado. The conference had security professionals but because of its partnerships with ISACA and ISSA, there were a large number of auditors too. We had two days of interactions with the 1,000+ attendees and found a lot of synergies between what auditors need and what Verodin provides.
Top 5 Auditor Needs
Here are the Top 5 needs auditors voiced to the Verodin team as it relates to how their roles are evolving.
1. Shifting from reviewing configurations to validating configurations work
Auditors have historically reviewed logs, reports, and configuration details against regulatory mandates, GRC and the like. While this provides a level of insight it is rarely empiric.
Verodin’s Security Instrumentation Platform (SIP) provides the ability to validate that the security controls in place are in parity with the various requirements and best practices you’re auditing. Verodin provides evidence-based reports regarding what’s working, what’s not, and prescriptive steps that can be taken to improve your security effectiveness.
2. Moving from a point-in-time to a continuous audit
Audits are a lot like a penetration test in that they give you a snapshot at a point in time of the state of your security. While this has some value, it is a legacy approach that no longer works efficiently in the complex and fast-moving world of security threats.
Verodin’s SIP provides continuous validation. Verodin safely executes real attacks in your production environment. This continuous validation approach where security controls are validated hourly, daily, etc., helps to mitigate the pitfalls of defensive regression – something that was working has stopped working because of security, system, network, application, personnel, process, or related changes.
3. Transitioning to automation for multiple mandates
Auditors are not generally tasked with auditing against one mandate. In fact, most auditors we spoke with have responsibility for audits related to internal GRC, industry standards, best practices, and regulatory mandates. This is a manual process that is slow, methodical, and error prone – especially when multiplied across potentially dozens of different mandates.
Verodin’s SIP validates multiple mandates continuously and automatically. This allows auditors to “manage by exception.” When an automated test fails, against any one of the multiple mandates, the audit team is notified. For example, something that was within audit parameters is no longer within audit parameters – such as a firewall that was blocking outbound FTP access from the critical server network is now allowing it. This allows auditors to validate against many mandates with an automated approach and manage variances by exception.
4. Generating evidence-based security trends – not assumptions
Auditors help bridge the gap between IT, security, and business. They are also responsible for articulating trends related to security effectiveness trending up or down and explaining why. Without a foundational platform that can provide details around the value that a new DLP solution provides, the decrease in response times because of better training, or more effective threat mitigation because of process changes, most of these trends will be based on assumptions – not evidence.
Verodin’s SIP not only validates your security effectiveness, but it trends the effectiveness over time. This allows auditors to see increases or decreases in security effectiveness across people, process, and technology. With Verodin, auditors can look at security effectiveness trends from a single attack on a security control to all attacks against all controls.
5. Operating with less dependence on other individuals and groups
Auditors often find it challenging to get access to the resources they need to conduct their jobs. Busy co-workers don’t always have the time or desire to grant access to the required systems, produce reports, share logs, etc.
Verodin’s SIP provides an easy to deploy, use and update architecture that validates your security effectiveness continuously and automatically across endpoint, network and cloud. Auditors become more autonomous with Verodin and as such become more efficient and effective. Verodin is designed with an intuitive interface, rich reporting, interactive dashboards and content that is frequently updated and can quickly and easily be added to with the latest third party content without programming, scripting, and related skills.
Verodin’s time to value is amazing as deployments are generally done in about a half day and training is usually completed a just a few hours. In short, your audit team can validate security controls without relying on others and focus on delivering results.
Verodin’s SIP is highly effective at security controls validation from a technical and business perspective and is applicable to many groups within your organization including:
- Security offense (red team)
- Security defense (blue team)
- Security and related leadership (CISO, CIO, CCO, CRO)
- CEO and board
- And of course, internal audit
Learn more about how Verodin works.
- Malicious File Transfer: What You Need To Know About an Attacker’s Methods and Techniques To Protect Your Organization From Malware by Ursula Cowan
- Verodin LATAM Party (Porto Alegre Brazil) by Brian Contos
- Policy Evasion: Evasive Techniques You Need to Understand to Prevent Breaches and Attacks by Major General Earl Matthews USAF (Ret)
*** This is a Security Bloggers Network syndicated blog from Verodin Blog authored by Verodin Blog. Read the original post at: https://www.verodin.com/post/security-controls-validation-for-internal-auditors-top-5-needs
