All.Net

Fri Apr 8 06:51:39 PDT 2016

Management: Auditing: How are audits managed within information protection?

Options:

Audits are treatred as follows:

Issue	Yes/No
Audit is used to verify the proper operation of the protection program.
Internal audits are scheduled with frequency based on risk levels.	(See table below)
Audit findings are treated in a timely fashion based on threats and consequences.	(See table below)
External audits are used to verify internal audits are working correctly.
Audit requirements include regulatory and other external mandates.

Audit management

Audit frequencies take the approach below:

	Low consequence	High consequence
High threat	Avoid this risk OR do deceptions only here
Medium threat
Low threat		Treat the threat as at least medium and reassess

Audit Frequency

Audit findings are followed according to the following conditions and within the following time frames:

Frequency	Conseqeunce	Action taken	Time frame
Always/Usually/Sometimes/Never	High	Treatment per risk management framework and [top / executive / ] management decisions	-
Always/Usually/Sometimes/Never	Med	Treatment per risk management framework and [top / executive / ] management decisions	-
Always/Usually/Sometimes/Never	Low	Treatment per risk management framework and [top / executive / ] management decisions	-

Audit findings treatment

Decision:

Audits should be managed with the approach below:

Issue	Yes/No
Audit is used to verify the proper operation of the protection program.	Yes
Internal audits are scheduled with frequency based on consequences.	See table below
Audit findings are treated in a timely fashion based on threats and consequences.	See table below
External audits are used to verify internal audits are working correctly.	Yes
Audit requirements include regulatory and other external mandates.	Yes

Audit management

Audit frequencies should take the approach below, with "Changes" indicating any time a significant change to personnel or systems are made:

	Low consequence	Medium consequence	High consequence
High threat	Avoid this risk OR do deceptions only here	Quarterly / Changes	Quarterly / Changes
Medium threat	Yearly	Quarterly	Quarterly / Changes
Low threat	Yearly on a statistical basis	Yearly	Treat the threat as at least medium and reassess

Audit Frequency

Audit findings should be treated at least according to the following conditions and within the following time frames:

Frequency	Conseqeunce	Action taken	Time frame
Always	High	Treatment per risk management framework and top management decisions	72 hours
Always	Med	Treatment per risk management framework and executive management decisions	7 days or less
Usually	Low	Treatment per risk management framework and management decisions	30 days or less

Audit findings treatment

Basis:

Internal audit processes: assure that operations meet internal requirements. This typically involves audit staff and a cyclical process that assures that high valued systems are revisited often while lower valued systems are covered consistent with their value.

External audit processes: act as independent verifications that operations are as they are supposed to be and also act to assure that internal audit is effectively doing its job.

Periodicity: for audits is a nontrivial matter with audit periods determined by risks, costs, resources, and time and cost to audit. Random audits, surprise audits, regular audits, and other time-related issues all fall under this broad category. We generally recommend against "surprise" audits as they are disruptive and expensive. There are enough surprises with other sorts of inspections, investigations, management walk-throughs, assessments, and so forth.

Standards: are typically what audits compare realities to. Auditors are generally tasked with relating performance to a standard so that a consistent basis for opinions can be used and comparisons can be done over time and between systems and organizations. It is normal to use the same standards for protection as are used for audit so that the audit provides reconcilable feedback on the adequacy of the program in meeting the standards set for it. The global standard for auditing information technology is CoBIT.

Coverage: expresses the extent to which audit processes cover the set of things that could possibly be checked in an audit. It acts as a metric on the audit itself as well as a means to evaluate the value of the audit. An audit that is passed but only covers an unimportant subset of the issues or systems at hand is not a very good reflection of the situation and has little utility.

Response to audit findings: Audit findings typically come in initial and final forms, and tend to be explicit statements of things that the enterprise should do or at least problems that should be addressed. In response to such findings, management at the proper level for the potential consequences involved should make risk management decisions according to enterprise policy approaches to either mitigate, transfer, avoid, or accept the risks, do so in a timely fashion, and act based on those decisions. A formal process is typically in place including lists of risks accepted, transferred, etc.