Audits Without Surprises

business meeting

A formal security or privacy audit may be motivated by a business requirement, state or federal regulation, or a proactive initiative to manage risk for your company. Regardless of the motivation or deadlines, any formal audit process usually can be made into a predictable and consistent process.  

What is a formal audit?

Your organization may be subject to FedRAMP, CMMC, or other derivatives of NIST 800-53 if you are delivering services to federal agencies.  You may be contractually required to undergo SOC2 or HITRUST by business partners, to show that you can handle their data or services safely and consistently.  Doing business in the EU may mean using the ISO 27000 security standards and definitely means addressing privacy requirements spelled out in the GDPR…and many states in the US are following this model for assurance of proper handling of sensitive personal data. 

FedRAMP – Federal Risk and Authorization Management Program (services for US fed agencies)
CMMC – Cybersecurity Maturity Model Certification (FedRAMP for the US defense)
NIST-800-53 – Security and Privacy Controls for Information Systems and Organizations (common US standard)
AICPA SOC2 – Service Organization Control-2 (an audit framework from the American Institute of CPAs)
HITRUST CSF – Health Information Trust Alliance Common Security Framework (certification for healthcare)
ISO/IEC 27000 – Information Security Management Systems (extensive series of standards from the International Organization for Standardization)
GDPR – General Data Protection Regulation (EU law on data protection and privacy in the European Union)
CCPA – California Consumer Privacy Act (a state law on data privacy, adapted from GDPR)

Coupled with a little forethought and planning, even a matrix of 3, 4, or more of these regulatory or standards frameworks become approachable without massive impact on a business.  Key to this is focusing on the bigger picture without rat-holing on a single standard, and managing the process holistically. For example, if your company provides services to a healthcare network, your business may be subject to SOC2 and HIPAA… but throwing yourself 100% into one of these standards may still leave you poorly prepared for the other.  

Approach and scoping 

Adopting a big-picture view means taking a step back, determining what part of your business is in-scope, then creating a matrix of both standards’ requirements for the in-scope network and services. Once you have a set of shared requirements, the first step is to determine what controls you already have that satisfy both.  Only then can you have a clear understanding of the different kinds of gaps; first the requirement-gaps (what you need to do for the set of common requirements, versus just one of the regulations/standards), and then control-gaps (needed controls that aren’t yet in place). 

It’s this combined view we’re talking about when we refer to a company’s “security framework” or “control matrix.”  Often the security leadership or consulting staff will create a big spreadsheet of the requirements and controls, or use commercial compliance software with pre-built tables and views to simplify the work.  Adding a third, fourth, or additional standard then becomes just another column on the spreadsheet… but the scope->requirements->controls->sort sequence stays the same. 

Likewise, knowing what to expect in the audit process can make it approachable and non-disruptive.  No organization “passes an audit” on the first run-through (they aren’t structured that way; it would be like a final exam in the first week of a class), and handing off the process to a single person to “just make it happen” isn’t a viable plan.  It can be made into a smooth process that appears simple, though, with a good plan and reasonable expectations.  Key to this is an in-context understanding of scoping and assessment. 

While conceptually simple, scoping the review process down to a reasonable level means including the systems, networks, and data that are involved in the audited service, and excluding the things that are not specific to that service. It may seem obvious, but forgetting to scope-out irrelevant portions of a business – such as test networks, lobby wifi, or salespeople’s laptops, when the audit should be scoped to a specific cloud service – is one of the most common errors made by bigger organizations. 

Assessment or “Pre-Audit”

Then we arrive at the audit, and there can be confusion over “audit” versus “assessment” versus “pre-audit” and similar terms.  The process becomes clear when you have the big-picture understanding that no auditor wants to issue a failure letter in the end. No matter what standard you’re being audited against, there will be an initial informal review (usually called an “assessment” or “pre-audit”) to determine if there are any major gaps (sometimes referred to as “material” or “substantive” gaps or omissions depending on industry and context) that would cause the organization not to pass.  

Work on remediation or omissions

One can think of an audit as a class where the whole grade is determined by the final exam; As noted before, it’s not expected that an organization “pass” the initial review, and auditors don’t want to “fail” a company if it’s avoidable. Consider the assessment or “pre-audit” activities as preparatory material, practice and quizzes, or a mid-term exam designed to prepare you for the final.  Accordingly, this is the proper time to dig into problems and address missing controls, exposing problems while they are still informal and can be addressed before a final pass for the formal audit. 

It’s also critical to understand that in most cases the auditor cannot recommend specific solutions to gaps or fixing technical issues as that would lead to a conflict of interest. A separate team or consultancy is usually engaged to handle technical remediation or missing policies and documentation, so that the formal audit team is never in the position of auditing their own work. With practical planning and awareness of the higher-level issues, your organization can arrive at the last steps of a formal audit with relative comfort, and an expectation of few surprises. 

Formal audits made predictable

Even better, if a second, third, or subsequent auditor team arrives in the weeks after the previous audit, you can be confident because they’ll be reviewing and testing mostly the same controls… just arranged (through your matrix or framework) with headings and labels that make sense to them.  It’s a good feeling knowing that your house is in order, when you can leverage each audit to better prepare for the next. 

Caliber Security Partners provides services at all phases of the audit lifecycle:

  • Basic and targeted policy development for new security programs, and audit-specific requirements for business growth and development
  • Audit planning and scoping guidance, separately or within full Security lifecycle planning services with annual roadmaps for security management
  • Pre-audit assessments against multiple standards, with expertise in ISO 27000, NIST 800, SOC2, HIPAA, GDPR, FedRAMP/CMMC, PCI
  • Technical and administrative security control development and remediation, working with internal or separately-contracted audit teams, or in preparation for expected audits
  • Technical testing of network and web/client/mobile application security, including cloud components (with expertise in SaaS, PaaS, IaaS contexts) 
  • Supply-chain security reviews, planning and delivery of Vendor Security Assessment programs, and event-specific third-party reviews 
  • Post-incident remediation and risk assessment, to maintain compliance within formal requirements and response timeframes; Custom services within the governance/risk/compliance space for security and privacy

A formal security or privacy audit may be motivated by a business requirement, state or federal regulation, or a proactive initiative to manage risk for your company. Regardless of the motivation or deadlines, any formal audit process usually can be made into a predictable and consistent process.  

What is a formal audit?

Your organization may be subject to FedRAMP, CMMC, or other derivatives of NIST 800-53 if you are delivering services to federal agencies.  You may be contractually required to undergo SOC2 or HITRUST by business partners, to show that you can handle their data or services safely and consistently.  Doing business in the EU may mean using the ISO 27000 security standards and definitely means addressing privacy requirements spelled out in the GDPR…and many states in the US are following this model for assurance of proper handling of sensitive personal data. 

FedRAMP - Federal Risk and Authorization Management Program (services for US fed agencies)
CMMC - Cybersecurity Maturity Model Certification (FedRAMP for the US defense)
NIST-800-53 - Security and Privacy Controls for Information Systems and Organizations (common US standard)
AICPA SOC2 - Service Organization Control-2 (an audit framework from the American Institute of CPAs)
HITRUST CSF - Health Information Trust Alliance Common Security Framework (certification for healthcare)
ISO/IEC 27000 - Information Security Management Systems (extensive series of standards from the International Organization for Standardization)
GDPR - General Data Protection Regulation (EU law on data protection and privacy in the European Union)
CCPA - California Consumer Privacy Act (a state law on data privacy, adapted from GDPR)

Coupled with a little forethought and planning, even a matrix of 3, 4, or more of these regulatory or standards frameworks become approachable without massive impact on a business.  Key to this is focusing on the bigger picture without rat-holing on a single standard, and managing the process holistically. For example, if your company provides services to a healthcare network, your business may be subject to SOC2 and HIPAA… but throwing yourself 100% into one of these standards may still leave you poorly prepared for the other.  

Approach and scoping 

Adopting a big-picture view means taking a step back, determining what part of your business is in-scope, then creating a matrix of both standards’ requirements for the in-scope network and services. Once you have a set of shared requirements, the first step is to determine what controls you already have that satisfy both.  Only then can you have a clear understanding of the different kinds of gaps; first the requirement-gaps (what you need to do for the set of common requirements, versus just one of the regulations/standards), and then control-gaps (needed controls that aren’t yet in place). 

It’s this combined view we’re talking about when we refer to a company’s “security framework” or “control matrix.”  Often the security leadership or consulting staff will create a big spreadsheet of the requirements and controls, or use commercial compliance software with pre-built tables and views to simplify the work.  Adding a third, fourth, or additional standard then becomes just another column on the spreadsheet… but the scope->requirements->controls->sort sequence stays the same. 

Likewise, knowing what to expect in the audit process can make it approachable and non-disruptive.  No organization “passes an audit” on the first run-through (they aren’t structured that way; it would be like a final exam in the first week of a class), and handing off the process to a single person to “just make it happen” isn’t a viable plan.  It can be made into a smooth process that appears simple, though, with a good plan and reasonable expectations.  Key to this is an in-context understanding of scoping and assessment. 

While conceptually simple, scoping the review process down to a reasonable level means including the systems, networks, and data that are involved in the audited service, and excluding the things that are not specific to that service. It may seem obvious, but forgetting to scope-out irrelevant portions of a business - such as test networks, lobby wifi, or salespeople’s laptops, when the audit should be scoped to a specific cloud service - is one of the most common errors made by bigger organizations. 

Assessment or “Pre-Audit”

Then we arrive at the audit, and there can be confusion over “audit” versus “assessment” versus “pre-audit” and similar terms.  The process becomes clear when you have the big-picture understanding that no auditor wants to issue a failure letter in the end. No matter what standard you’re being audited against, there will be an initial informal review (usually called an “assessment” or “pre-audit”) to determine if there are any major gaps (sometimes referred to as “material” or “substantive” gaps or omissions depending on industry and context) that would cause the organization not to pass.  

Work on remediation or omissions

One can think of an audit as a class where the whole grade is determined by the final exam; As noted before, it’s not expected that an organization “pass” the initial review, and auditors don’t want to “fail” a company if it’s avoidable. Consider the assessment or “pre-audit” activities as preparatory material, practice and quizzes, or a mid-term exam designed to prepare you for the final.  Accordingly, this is the proper time to dig into problems and address missing controls, exposing problems while they are still informal and can be addressed before a final pass for the formal audit. 

It's also critical to understand that in most cases the auditor cannot recommend specific solutions to gaps or fixing technical issues as that would lead to a conflict of interest. A separate team or consultancy is usually engaged to handle technical remediation or missing policies and documentation, so that the formal audit team is never in the position of auditing their own work. With practical planning and awareness of the higher-level issues, your organization can arrive at the last steps of a formal audit with relative comfort, and an expectation of few surprises. 

Formal audits made predictable

Even better, if a second, third, or subsequent auditor team arrives in the weeks after the previous audit, you can be confident because they’ll be reviewing and testing mostly the same controls… just arranged (through your matrix or framework) with headings and labels that make sense to them.  It’s a good feeling knowing that your house is in order, when you can leverage each audit to better prepare for the next. 

Caliber Security Partners provides services at all phases of the audit lifecycle:

  • Basic and targeted policy development for new security programs, and audit-specific requirements for business growth and development
  • Audit planning and scoping guidance, separately or within full Security lifecycle planning services with annual roadmaps for security management
  • Pre-audit assessments against multiple standards, with expertise in ISO 27000, NIST 800, SOC2, HIPAA, GDPR, FedRAMP/CMMC, PCI
  • Technical and administrative security control development and remediation, working with internal or separately-contracted audit teams, or in preparation for expected audits
  • Technical testing of network and web/client/mobile application security, including cloud components (with expertise in SaaS, PaaS, IaaS contexts) 
  • Supply-chain security reviews, planning and delivery of Vendor Security Assessment programs, and event-specific third-party reviews 
  • Post-incident remediation and risk assessment, to maintain compliance within formal requirements and response timeframes; Custom services within the governance/risk/compliance space for security and privacy