Cyverity

Elevating Your Audit Strategy: Insights from the CRF Audit Framework

Speaker: James Tarala
Event: SANS Webcast
Date: August 29, 2024
Watch on YouTube: https://www.youtube.com/watch?v=iS-Qx4dDaDU 

Introduction 

Cybersecurity audits are essential for ensuring organizations are effectively managing risk. In this SANS webcast, James Tarala shares insights from the Cybersecurity Risk Foundation (CRF) Audit Framework, providing actionable guidance on enhancing audit practices. 

Tarala emphasizes that audits should be more than a compliance exercise—they should drive security improvements and strategic decision-making. This webcast outlines best practices, methodologies, and enhancements that organizations can implement to elevate their audit strategies. 

Key Takeaways 

  • Audits should focus on validating security safeguards, not just compliance. A well-structured audit strategy ensures that organizations are actively reducing risk. 
  • The CRF Audit Framework offers a structured approach to cybersecurity audits. It provides guidance on audit planning, safeguard validation, and reporting. 
  • Cybersecurity risk assessments play a crucial role in audit strategies. Organizations should focus on identifying missing safeguards that could lead to security failures. 
  • A long-term audit plan is critical for continuous improvement. Audits should be planned years in advance, balancing emerging risks with foundational security controls. 
  • Direct observations enhance audit quality. Simply reviewing documentation is insufficient—auditors should verify security measures through hands-on evaluations. 

Summary of the Discussion 

The Role of Cybersecurity Audits 

Tarala discusses the evolution of cybersecurity audits, highlighting how organizations have shifted from basic compliance reviews to strategic risk assessments. He explains that effective audits validate that security controls are in place and working as intended. 

The CRF Audit Framework provides a structured methodology for conducting cybersecurity audits, helping organizations prioritize safeguard validation and improve their overall risk posture. 

Enhancing Audit Strategies with the CRF Audit Framework 

  1. Determine Who Performs the Audits
    Organizations should consider a multi-layered approach to audits: 
  • First-line teams (IT and security teams) should conduct internal control self-assessments. 
  • Second-line teams (governance, risk, and compliance teams) should oversee security functions and policies. 
  • Third-line teams (internal/external auditors) should independently verify security controls. 

    The Three Lines Model, a framework established by the Institute of Internal Auditors (IIA), helps organizations define these roles and responsibilities.

  2. Develop a Long-Term Audit Plan
    Most organizations plan audits one year in advance, but Tarala recommends developing a five- to seven-year audit roadmap. This allows organizations to: 
  • Ensure comprehensive coverage of security controls over time. 
  • Balance foundational security audits with reviews of emerging risks. 
  • Allocate training resources strategically to prepare for technical audits.

  3. Standardize Audit Evidence Collection
    Many audits rely heavily on documentation review, but direct observation of security tools and controls enhances audit quality. Organizations should: 
  • Conduct live demonstrations of security controls, such as vulnerability management tools. 
  • Review real-time security logs to verify policy enforcement. 
  • Assess how alerts and security incidents are managed.

  4. Use Structured Data for Audit Reporting
    Organizations often rely on unstructured data (e.g., Word documents, spreadsheets) for tracking audit results. Tarala recommends moving towards structured, queryable data that enables: 
  • Automated analysis of audit trends. 
  • Comparisons across multiple assessments over time. 
  • Integration with governance, risk, and compliance (GRC) tools.

  5. Implement a Risk-Based Approach to Audit Findings
    Not all security gaps are equally critical. Tarala suggests categorizing findings based on: 
  • Strategic Controls: Security measures explicitly required by the organization’s chosen frameworks. 
  • Industry Best Practices: Safeguards recommended by leading cybersecurity organizations. 
  • Non-Strategic Controls: Security measures not mandated by the organization but still beneficial.

    By assigning risk ratings to audit findings, organizations can prioritize remediation efforts effectively.

  6. Track Audit Deficiencies Using a Cybersecurity Risk Register
    To ensure audit findings lead to action, organizations should: 
  • Maintain a centralized risk register to track deficiencies. 
  • Use GRC tools or structured databases to record audit findings. 
  • Ensure audit results are integrated into strategic decision-making.
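As an added illustration of the structured-data, risk-rating and risk-register points above (example code written for this summary, not material from the webcast or the CRF Audit Framework), the following Python sketch stores findings as typed records instead of spreadsheet rows, derives a risk rating from the auditor's impact score weighted by the finding category Tarala describes (the weights, the 1 to 5 impact scale and the sample findings are assumptions constructed here), and compares two assessments to show which deficiencies were remediated, persisted, or are new.

```python
from dataclasses import dataclass
from enum import Enum

class Category(Enum):
    # Assumed weights: strategic controls (required by the chosen framework)
    # outrank industry best practices, which outrank non-strategic controls.
    STRATEGIC = 3
    BEST_PRACTICE = 2
    NON_STRATEGIC = 1

@dataclass(frozen=True)
class Finding:
    finding_id: str    # stable id so one deficiency can be followed across audits
    safeguard: str     # the safeguard that was validated
    category: Category
    impact: int        # auditor-assigned business impact, 1 (low) to 5 (high)
    evidence: str      # "observation" (direct) or "documentation" (review only)
    assessment: str    # which audit cycle produced this record, e.g. "2024-Q3"

    @property
    def risk_rating(self) -> int:
        # Assumed scoring: impact weighted by how strategic the control is.
        return self.impact * self.category.value

def prioritize(findings):
    """Order findings for remediation, highest risk rating first."""
    return sorted(findings, key=lambda f: (-f.risk_rating, f.finding_id))

def trend(previous, current):
    """Compare two assessments by finding id: remediated, persistent, new."""
    prev_ids = {f.finding_id for f in previous}
    cur_ids = {f.finding_id for f in current}
    return {
        "remediated": sorted(prev_ids - cur_ids),
        "persistent": sorted(prev_ids & cur_ids),
        "new": sorted(cur_ids - prev_ids),
    }

def by_assessment(register, assessment):
    """Query the register for one audit cycle."""
    return [f for f in register if f.assessment == assessment]

# Constructed sample register covering two audit cycles (not real audit data).
REGISTER = [
    Finding("F-001", "MFA enforced on remote access", Category.STRATEGIC, 5, "observation", "2023-Q3"),
    Finding("F-002", "Vulnerability scans run weekly", Category.BEST_PRACTICE, 4, "documentation", "2023-Q3"),
    Finding("F-003", "Workstation screen-lock timeout", Category.NON_STRATEGIC, 2, "observation", "2023-Q3"),
    Finding("F-001", "MFA enforced on remote access", Category.STRATEGIC, 5, "observation", "2024-Q3"),
    Finding("F-004", "Log retention meets policy", Category.BEST_PRACTICE, 3, "observation", "2024-Q3"),
]
```

Because every record carries a stable id, category and assessment label, the same query that ranks this cycle's findings can also show that F-001 has now been open across two cycles, which is the kind of trend a GRC tool or database can surface and a spreadsheet usually cannot.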

Actionable Insights 

  • Expand audit scopes beyond compliance reviews. Focus on validating security effectiveness rather than just meeting regulatory requirements. 
  • Develop a multi-year audit plan. Balance high-priority risks with foundational security reviews over time. 
  • Enhance audits through direct observations. Instead of relying on documentation, verify security controls through hands-on evaluation. 
  • Use structured audit data for long-term analysis. Move away from spreadsheet-based tracking and adopt structured reporting formats. 
  • Prioritize audit findings based on business impact. Use a risk-based approach to remediation planning. 

Conclusion 

Cybersecurity audits are essential for measuring security effectiveness and ensuring organizations are properly managing risk. The CRF Audit Framework offers a structured approach to safeguard validation, audit planning, and risk prioritization. 

By implementing long-term audit strategies, direct observations, and structured reporting, organizations can elevate their audit programs beyond compliance—ensuring continuous security improvement and stronger risk management. 

For more insights on this topic, watch the full webcast on YouTube: https://www.youtube.com/watch?v=iS-Qx4dDaDU