A year ago, before the COVID-19 pandemic, probably very few people could imagine how the world would change. Working from home, remote business meetings, online events, and digital concerts are only some new normal examples. The things we could not imagine going virtual very much did, to everyone’s surprise. One of the areas that tended to be very onsite and face-to-face was conducting a security audit – remote work security assessment.
Sure thing, that approach to auditing is also being revisited right now. Is remote audit possible without sacrifice on quality? Is onsite audit more a cultural thing or a real need? These are questions that arise; let’s try to look for the answers together.
What is a Security Audit in our meaning?
First of all, let’s recall that audit is a set of procedures to ensure that the audit subject complies with some requirements. For example, financial reports may be required to comply with IFRS. At the same time, the payment card data processing processes should meet the PCI DSS requirements. So, the first thing that matters – is what the requirements are. The more they relate to the audited subject’s physical environment, the more difficult it is to avoid onsite audit procedures.
Another significant factor would be the business’s nature, how physical it is – for example, a manufacturing business versus software development. And not least – the level of knowledge an auditor has about the audited company and the level of established trust. Yes, we know – audit should always follow the zero-trust rule. Although it is right in general, audit standards usually fall back to ‘reasonable assurance,’ which translates to ‘low-trust’ instead of ‘zero-trust.’
Typical Cybersecurity Audit procedures
Let’s go into some details and look at the typical security audit procedures. The critical objects audited would be digital assets (e.g., configurations and code, also known as CIs in ITIL), controls, and evidence of their effectiveness.
For the digital assets, the typical audit procedure would be examination, or in worst fact, observation. During an onsite audit, an auditor would usually have a meeting with someone who has access to the asset. During the meeting, the asset would be presented, and key artifacts (logs, screenshots, config files, etc.) would be provided (sent by email, copied to a thumb drive, etc.) to the auditor for further examination. The audit conclusion would come from the examination results.
So the meeting’s goal is to identify the assets and ensure that the auditor obtained the requested information without any interference. This audit practice can be replaced by a remote meeting and a screen-sharing session without compromising the audit quality. One could argue that it can provide an even better experience to the auditor.
Audit of manual controls may require sampling and physical evidence (whereas the automated controls audit is less demanding). During the onsite audit, the auditor can sometimes do sampling on the fly. I.e., picking the sample during the meeting, and then only sample evidence would be requested for examination. A remote audit would convert it to giving the whole population of cases and sample based on it.
In theory, it should lead to even better audit quality. However, it may be challenging for some physical evidence types to provide the whole population for sampling. Imagine a physical registry of entry to the building. Should the auditee scan and send it for sampling? How can an auditor make sure no pages are torn out from it? So there may be cases where the remote audit quality suffers, or the audit cost noticeably increases.
Of course, any audit of non-digital assets (like physical security) or digital assets connected to physical endpoints (e.g., LAN access from a physical socket) is difficult to replace with purely remote procedures.
Remote and Onsite Cybersecurity Audit Standards
Let’s see how official audit standards will change to incorporate the new normal of pandemic times. We at Berezha Security would see the following approach to onsite procedures beneficial for both the audit quality and the auditor’s safety:
- In case the auditor can get safely to the place of audit, ensure the environment itself is safe, e.g., no close physical contact with other people, premises are regularly disinfected, etc.
- If the auditor can’t get safely to the place, involve 3rd parties that can and instruct them to assist the auditor and ensure the evidence chain of custody
- In case neither is possible, organize a virtual experience using a secure video-conferencing tool to show the auditor everything they need to see
It’s important to remember that in both remote and onsite audits, the key to good audit quality lies in identifying and understanding what is audited, control over information selection, and data sharing procedures. As an auditor, make sure you decide what to select, make sure you examine what is indeed deployed, and see what you want to see, not what you are shown. Adhering to these basic rules will allow most audit work to be done remotely without compromising quality. Let’s leave the pleasure of face-to-face meetings and small talks for safer times.
Stay healthy, and take care.