An IT audit typically fails not because policies are missing or because the organization lacks good intent, but because the organization has blind spots it cannot detect. When auditors ask for proof of ownership, segmentation, or access restrictions as part of the organization’s control and monitoring of its IT assets, the audit team frequently learns too late that the organization does not have a current and accurate picture of what actually exists on the network.
This article discusses why every organization must perform IP discovery before every major IT audit and how network visibility is assessed throughout the IP discovery process. It also examines the risks of relying on incomplete or inaccurate data and explains how modern IP discovery tools give companies confidence when preparing for an audit, instead of “firefighting” at the last minute, as Slurp’it describes it.
How are IT audits rapidly evolving?
The IT audit itself has changed in recent years. When an enterprise undergoes a major IT audit today, it is no longer standard practice to validate it with a simple checklist. Many organizations have also realized that the old approach to audits, driven by regulatory compliance, customer assurance, mergers and acquisitions, and internal governance, is no longer sufficient for today’s IT audit process. Organizations must also meet auditor expectations for demonstrating control and monitoring of their IT infrastructure under several newer frameworks, including ISO 27001, SOC 2, PCI DSS, HIPAA, and GDPR.
In this environment, the beginning of every major audit is based upon an understanding of IP discovery because, ultimately, every audit involves answering the question of “What is on my network right now?”
So, what is IP discovery?
To be clear, IP discovery is more than just a means of finding active IP addresses. Finding active addresses is part of it, but the focus is on how and when to build an up-to-date, comprehensive inventory of every device, system, and workload that is reachable and communicating on the organization’s network through an assigned IP address.
That inventory therefore covers not only servers, virtual machines (VMs), private clouds, firewalls, routers, switches, IoT (Internet of Things) devices, and end-user devices, but also a full understanding of how IP addresses are assigned, how they change, and which other devices and systems they can communicate with.
Why do auditors prioritize network visibility to conduct audits?
If any system’s network (IP) address is missing from the inventory the auditor can see, whether that is a small or a large share of the systems being audited, that uncertainty is a form of unmanaged risk, and in audit terminology it ultimately results in a finding of “control failure”.
Some of the common questions that auditors will ask during an audit include:
- When is the organization’s device inventory updated?
- When does the organization discover devices that should not be there, i.e., unknown or unauthorized devices?
- How does the organization ensure that security policies have been applied uniformly across the organization?
These questions cannot be answered without empirical evidence. Without it, the auditor’s conclusion rests solely on what someone has told them, as Slurp’it notes.
The dangers of not performing IP discovery before auditing
When an organization does not perform IP discovery before an audit, several hidden risks arise.
Unknown devices are almost certain to exist, for example:
- Test servers that were set up and then forgotten.
- Legacy applications that still serve end users but are not integrated into the organization’s application management process.
- Temporary or rental cloud servers that are never decommissioned.
Auditors will frequently test the effectiveness of an organization’s incident response plan by assessing whether staff could quickly identify the affected systems in a hypothetical incident. The absence of IP discovery slows incident response, as Slurp’it notes.
Best practices for supporting IP discovery before the audit
To get the maximum return from an audit, it is best to perform your IP discovery several months before the audit takes place. A few best practices are as follows:
- Do your IP discovery frequently, rather than just once when you receive the phone call from the auditor. Use each run to refresh and update the previous results.
- Combine the information gathered by IP discovery with your asset management, security tools, and documentation systems. Auditors prefer to see consistent information from multiple sources.
- Ensure that you have a clear ownership mapping for every discovered IP, naming the team or function responsible for it.
- Use the discovery results to proactively test your segmentation, firewall rules, and access policies.
- Document your processes and controls for conducting IP discovery. Auditors like to see not only the end results, but also how you arrived at them.
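One way to turn the practices above into audit evidence is to reconcile each discovery run against the asset register and record what does not match: live addresses nobody recorded, recorded addresses nobody owns, register entries no longer seen, and hosts outside the approved ranges. The following Python script is an added example, not Slurp’it’s code; the addresses, hostnames, owners and the approved range 10.0.0.0/16 are constructed sample data.

```python
import ipaddress

# Constructed discovery result (ip -> observed hostname), as a scanner or
# DHCP/ARP export might produce it. Made-up addresses, not real hosts.
DISCOVERED = {
    "10.0.1.10": "srv-web-01",
    "10.0.1.11": "srv-web-02",
    "10.0.1.57": "",              # answers on the network but has no name
    "10.0.2.20": "db-prod-01",
    "192.168.50.5": "test-old",   # a forgotten test box on an unapproved range
}

# Constructed asset-register export (ip -> (hostname, owning team)).
INVENTORY = {
    "10.0.1.10": ("srv-web-01", "platform-team"),
    "10.0.1.11": ("srv-web-02", "platform-team"),
    "10.0.2.20": ("db-prod-01", ""),          # recorded, but nobody owns it
    "10.0.2.21": ("db-prod-02", "dba-team"),  # recorded, but not seen live
}

def reconcile(discovered, inventory, approved_ranges):
    """Cross-check a discovery result against the asset register.
    Returns the lists an auditor asks about: "unknown" (live, not in the
    register), "unowned" (in the register, no owner), "stale" (in the
    register, not seen live) and "out_of_scope" (live, outside approved
    ranges). Lists are sorted so two runs can be diffed."""
    nets = [ipaddress.ip_network(r) for r in approved_ranges]
    report = {"unknown": [], "unowned": [], "stale": [], "out_of_scope": []}
    for ip in discovered:
        if not any(ipaddress.ip_address(ip) in n for n in nets):
            report["out_of_scope"].append(ip)
        if ip not in inventory:
            report["unknown"].append(ip)
        elif not inventory[ip][1]:
            report["unowned"].append(ip)
    report["stale"] = [ip for ip in inventory if ip not in discovered]
    return {k: sorted(v) for k, v in report.items()}

def coverage(discovered, inventory):
    """Fraction of live addresses the register accounts for (1.0 = full)."""
    if not discovered:
        return 1.0
    known = sum(1 for ip in discovered if ip in inventory)
    return known / len(discovered)

if __name__ == "__main__":
    for category, ips in reconcile(DISCOVERED, INVENTORY, ["10.0.0.0/16"]).items():
        print(f"{category:13s} {ips}")
    print(f"coverage      {coverage(DISCOVERED, INVENTORY):.0%}")
```

Keeping each run’s report alongside the run date gives the auditor both the result and the trail of how the inventory stayed current.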
Transforming your approach from preparing for an audit to being confident during an audit
Organizations that treat IP discovery as a compliance task miss its long-term value and strategic benefits. When properly performed, it gives organizations better insight into their operations and better mitigation of risk, as Slurp’it notes.
It also answers one of the most critical questions an auditor asks, usually without saying it out loud: “Do you understand your environment?” If the answer is yes, backed by both data and automation, audits go more smoothly, the number of findings decreases, and leadership is more assured of the organization’s security.
In an environment of constant change, an organization’s ability to pass audits depends on its ability to perform IP discovery. IP discovery is therefore critical to any organization’s audit preparedness, security assurance and responsible governance. To learn more, contact us at Slurp’it!
