Introduction
Key Takeaways
The word “audit” conjures dread for the never-ending questions, paperwork, and pressure it implies. Organizations that partner with security-focused IT providers, though, not only stand the best chance of emerging from an audit unscathed, but can come away from the process with a roadmap for ongoing compliance and a trusted relationship with a long-term advisor.
In Apptega’s recent presentation with Art Provost, VP of Security Services at Filament Essential Services, we walk through everything you need to know about navigating a high-stakes audit, how your managed service provider (MSP) or managed security service provider (MSSP) can help, and the benefits that a well-managed audit offers. (You can listen to the full conversation here.)
Overall, there are three main areas in which an MSP or MSSP can help in an audit:
- Preparation
- Process
- Implementation
Preparation
By conducting a gap analysis against a well-structured System Security Plan (SSP), which documents controls to minimize threats (and often complies with a specific security framework), the MSP highlights strengths and weaknesses for review by the organization prior to the auditor’s prodding.
A gap assessment performed by your MSP against your chosen framework identifies unmet controls and areas for remediation. Despite being occasionally tedious, the value of this preparation cannot be overstated. Performing a comprehensive gap assessment and providing your MSP with access to your SSP prepares your business for assessment, organizes your evidence by control, and ultimately eases the audit process by limiting the questions an auditor will need to ask.
Process
The audit process itself consists of six stages:
- Scope: The auditee and auditor define the goals, objectives, and boundaries of the audit, including identifying the systems or processes to be reviewed and specifying the types of security risks to be examined. It’s essential to narrow the scope as much as possible and always have a written agreement.
- Evidence Gathering: The auditor provides an evidence request list based on the agreed-upon scope. You collect data and documentation related to the controls being audited. A comprehensive SSP is crucial for this stage.
- Interviews: The auditor interviews key stakeholders to gather information about their roles, responsibilities, and experiences related to security. According to Provost, it’s essential that “the people involved in interviews can honestly answer how they meet each control and show the relevant evidence.” Another tip for interviewees from Provost: Keep your answers tight. If the auditor asks, “Do you know what time it is?”, your response should be, “Yes.”
- Initial report: The auditor will present you with a draft report including findings from the scoping, evidence gathering, and interviewing stages. This often includes a description of security risks, vulnerabilities, and recommendations for improvement.
- Remediation: Your company addresses any security issues identified in the audit, this stage includes implementing new policies, procedures, or technologies to mitigate risk.
- Final report: A final report will be produced to summarize the audit process, the findings, and any remediation activities taken, as well as to provide an overall assessment of the security posture of the organization.
Cybersecurity is not a stagnant system – a fact that is only emphasized by the audit process. But when approached properly, an audit can elevate your system’s long-term stability. [To learn more about the process of evidence gathering, read this article!]
Implementation
Once you have received a final report, your MSP continues to play a critical role in helping your business remediate any security issues identified by an audit. Typically, if there are further findings in your report, your company has until your next audit to address the gaps.
While an audit is a defined process, ensuring you have a strong and comprehensive infosec posture is ongoing. Establishing a continuous improvement plan with the help of your MSP ensures your security compliance stays up-to-date, ahead of emerging threats, and aligned with constantly evolving frameworks and laws (and prepared for your next audit).
Audits are not a “one-and-done” process. In Provost's view, “A good security program is living.”
MSPs Turn an Audit Into an Asset
Having a comprehensive security framework is an essential piece of the infosec puzzle and relying on your MSP can make the audit a seamless process that provides direction to strengthen your security program.
In the end, information security is an iterative process that requires an iterative solution. Your MSP brings valuable expertise and resources to support your company through an audit and ensure you’re equipped to protect against potential security threats.