Cloud Compliance Blog

Top IT Audit Findings

In my previous post I referred to the 2008 Deloitte survey which reported that excessive access rights have been the top audit finding for each of the past two years. Here's a chart showing the top 8 internal/external audit findings for 2007 and 2008, ranked by percentage of respondents citing findings in each category:

Deloitte Top IT Audit Findings

Excessive access rights. Note that despite the improvement from 2007, excessive access rights remained the top audit finding in 2008, as reported in an earlier post. Part of the reason that excessive access rights have been the top finding for the past two years is that auditors have raised the standard, from evidence that a process exists to evidence that the process is effective. Due to the urgency of this issue, and the lack of effective solutions available, this is an initial focus of Cloud Compliance.

Segregation of duties. Segregation of duties, also referred to as separation of duties and abbreviated SoD, is one of the most fundamental concepts of security and control, and also one of the most difficult to achieve. Cloud Compliance's innovative 3-layer rights model enables definition of benchmark rights, where SoD concepts are embodied. Our analytics can report on inconsistencies between benchmark rights, provisioned rights and actual rights as detected by access activity in order to assure continued compliance with key segregation of duty principles.

Access control compliance with procedures. This audit issue is closely related to excessive access rights; access control is required to prevent users without appropriate rights from accessing audited resources. Cloud Compliance's Identity and Access Assessment (IdAA) solution can determine if access control is effective.

Lack of audit trails/logging, lack of documentation of controls, and lack of review of audit trails. I'm grouping these three top findings together because they represent the facet of access audit where technology and process come together. Application logs, which represent the most effective way to determine user access activity, are an essential tool for ensuring that access controls are compliant. And reports that list who has access to what, along with who should have access to what, become critical components of how access controls are documented.

Excessive developers' access to production systems and data. This audit finding is challenging to address, because it's unrealistic in most operating environments to completely block developers from accessing production systems for troubleshooting and critical maintenance operations. The objective, then, is not to prevent such access but to notice when it has risen to an "excessive" level. Cloud Compliance addresses this by allowing a policy to be defined in which a reasonable maximum level of developer access to production systems is specified, along with a lower threshold that serves as an early warning. Access levels can also be compared to their historical equivalents for trend analysis.

Lack of clean-up of access rules following a transfer or termination. There's a clever vendor that claims to "take the SH out of IT". One of the reasons there's an SH in IT in the first place is the typical IT department's need to manage rights and access rules in a real-world environment of re-orgs, restructurings, layoffs, role re-definitions and transfers. Especially transfers, because a transfer is not a discrete event so much as a process in which an employee has overlapping responsibilities between the new job and the old one, and therefore must keep access rights for both jobs, and the duration of the overlap can't be determined in advance. Cloud Compliance's advanced analytics examine user activity to determine when a user's rights to resources required for a previous role can be de-provisioned, before an auditor happens to discover excessive access rights.
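The analytics sketched in the segregation of duties paragraph (benchmark rights vs. provisioned rights vs. actual rights observed in access activity) and in the transfer paragraph (spotting old-role rights that are no longer used) can be illustrated with an added example; this is not Cloud Compliance's code, and the roles, rights, conflict pairs and log entries are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

# Layer 1 (constructed): benchmark rights, i.e. what each role *should* hold.
BENCHMARK = {
    "ap_clerk": {"invoice.create"},
    "ap_manager": {"invoice.approve", "payment.release"},
    "developer": {"repo.write", "ci.run"},
}
# Toxic combinations that breach segregation of duties if one user holds both.
SOD_CONFLICTS = [("invoice.create", "invoice.approve"),
                 ("invoice.create", "payment.release")]
# Layer 2 (constructed): provisioned rights as exported from the directory.
# alice transferred from ap_clerk to ap_manager and kept her old right.
USERS = {
    "alice": {"role": "ap_manager",
              "rights": {"invoice.create", "invoice.approve", "payment.release"}},
    "bob": {"role": "ap_clerk", "rights": {"invoice.create"}},
    "carol": {"role": "developer", "rights": {"repo.write", "ci.run", "prod.db.read"}},
}
# Layer 3 (constructed): actual use of rights as seen in application logs.
ACTIVITY = [
    ("2008-10-01", "alice", "invoice.approve"),
    ("2008-10-02", "alice", "payment.release"),
    ("2008-07-15", "alice", "invoice.create"),
    ("2008-10-03", "bob", "invoice.create"),
    ("2008-10-03", "carol", "repo.write"),
]

def assess(users, benchmark, sod_conflicts, activity, today, dormant_days=60):
    """Per user: 'excess' = provisioned beyond the role benchmark,
    'sod' = toxic pairs held, 'dormant' = excess rights unused for dormant_days."""
    last_used = defaultdict(dict)            # user -> right -> last date seen in logs
    for day, user, right in activity:
        d = date.fromisoformat(day)
        if d > last_used[user].get(right, date.min):
            last_used[user][right] = d
    cutoff = date.fromisoformat(today) - timedelta(days=dormant_days)
    findings = {}
    for user, info in users.items():
        excess = info["rights"] - benchmark.get(info["role"], set())
        sod = [pair for pair in sod_conflicts if set(pair) <= info["rights"]]
        # A never-used right has no log entry and is treated as dormant.
        dormant = {r for r in excess if last_used[user].get(r, date.min) < cutoff}
        findings[user] = {"excess": excess, "sod": sod, "dormant": dormant}
    return findings

if __name__ == "__main__":
    for user, f in assess(USERS, BENCHMARK, SOD_CONFLICTS, ACTIVITY, "2008-10-15").items():
        print(user, f)
```

Rights that are both excess and dormant (alice's old invoice.create, carol's prod.db.read) are the de-provisioning candidates the post describes; alice's SoD conflicts show why the clean-up matters.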

Cloud Compliance is developing an Identity and Access Assessment (IdAA) solution to address the top IT audit findings as reported by Deloitte. Our initial solution helps organizations eliminate excess entitlements (also called privileges, or access rights). We identify users with excess entitlements, and provide tools for isolating high levels of over-entitlement by group, business unit or by application. Such tools enable root cause identification, and provide the necessary insight for remediation and process improvement. Furthermore, due to our global visibility as a cloud-based SaaS solution, we capture statistics industry-wide that our customers can access for setting their own policy benchmarks. Finally, the Cloud Compliance SaaS solution requires no software to install, maintain and operate, no appliances to deploy, no consultants, advisors or professional services to deploy, and no huge upfront capital expense to incur.
