Organizations like yours are under tremendous pressure to meet compliance directives from a growing number of regulatory and industry mandates, while maintaining a secure environment and staying in alignment with business objectives.
Too often, the audit is seen as a chore to be disposed of quickly. Such a "check-box" mentality can lead to costly breaches, because compliance alone will not make your environment secure. By implementing sound security principles and controls, compliance should become a natural by-product.
In "5 Insider Tips: Using IT Audits to Maximize Security", featured speaker Mike Chapple, who oversees information security at the University of Notre Dame, reveals how to:
- Understand your auditor
- Embrace audit findings
- Use an audit to your advantage
- Maximize the audit off-season
- Know when to bring in the auditors
On demand webcast also available at: http://bit.ly/jeBkYU
1. 5 Insider Tips: Using IT Audits to Maximize Security. Mike Chapple – Senior Director for Enterprise Support Services at the University of Notre Dame; Renee Bradshaw – Senior Product Marketing Manager, NetIQ
2. Agenda
- An Insider’s Guide to Effective Audits: Treat audits as a lifecycle process. Understand the scope. You shouldn’t learn anything! Don’t be afraid to speak up! Embrace findings.
- Aligning Compliance, Security, and Business Goals
- Q and A
26. 5 Insider Tips: Using IT Audits to Maximize Security. Mike Chapple, Ph.D., Senior Director, Enterprise Support Services, University of Notre Dame, mchapple@nd.edu
28. Plan for Good Security
- Direct compliance efforts towards risk mitigation: compliance should be a “by-product” of security efforts; compliance mandates only provide a minimum standard.
- Focus first on minimizing risk and improving security.
- Leverage your audit findings: define tools and controls which align to risk tolerance and business objectives; realize improvement in overall security posture.
29. Ease the Compliance Burden
- Create an adaptable compliance program.
- Implement a common set of controls: encompasses regulatory, industry, and internal corporate mandates; simplifies audits and provides a reporting framework; avoids conflicting controls and unnecessary expense; adds controls as the regulatory environment changes.
- Improve security and efficiency of the IT environment: automates routine, labor-intensive tasks; reduces the cost of compliance; avoids “audit panic”.
30. Back to Basics
- Good security makes compliance easier: the best way to achieve compliance is to get the security basics right.
- Realize positive, long-term business impact: reduce breach risk; avoid non-compliance penalties; operational efficiencies; improve security posture.
31. Complete our survey. Enter for a chance to win an Apple iPad! Access informative white papers; gain insight: “Achieving ROI from your PCI DSS Investment” (tinyurl.com/ROIfromPCI) and “Sustainable Compliance: How to Align Compliance, Security and Business Goals” (tinyurl.com/sustainable-compliance). Learn More at NetIQ.com
Editor's Notes
Good afternoon! My name is Renee Bradshaw and it is my pleasure to welcome you to our webinar, “5 Insider Tips: Using IT Audits to Maximize Security.” Today we are very excited to have as our guest speaker Mr. Mike Chapple, Senior Director for Enterprise Support Services at the University of Notre Dame. Today, Mike will identify and discuss 5 key tips to help you get the most out of your next audit. You’ll leave here today with a clear idea of how to leverage your IT audit process to achieve your compliance objectives and improve your organization’s security posture. Before getting into the agenda and introducing Mike formally, I have a few housekeeping notes: At the end of the presentation, we have set aside time for Q and A. We’re looking forward to hearing from you, so please join us for that section of the presentation. Finally, shortly before we end the Q and A session, you will have the opportunity to complete a survey and enter for a chance to win an Apple iPad. You won’t want to miss this opportunity, so please stick around!
First on the agenda today will be our guest speaker. Mike will present to us “An Insider’s Guide to Effective Audits.” Too often, IT auditors are seen as a hindrance, and the audit itself as a chore to be disposed of quickly. Such a “check-box” mentality can lead to costly breaches, because compliance alone will not keep your environment secure. Sound security principles and controls, implemented in an effective and lasting manner, are the key to an improved security posture, and compliance should result as a by-product of good security. Today, Mike will demonstrate how you can develop sound security controls and IT practices, as well as streamline your compliance efforts, by following a few simple steps to increase the effectiveness of your IT audit process. Then, I will wrap up with a short summary and discussion on how to leverage your audit findings to identify the right security controls, tools, and frameworks to improve the efficiency and security of your computing environment, while easing your compliance burden and meeting your business objectives. Finally, we will end today’s session with an informative Q&A and your chance to win an Apple iPad!
And with that, it’s my great pleasure to introduce you to Mike Chapple! Mike is Senior Director for Enterprise Support Services at the University of Notre Dame. In this role, he oversees the information security, IT architecture, project management, strategic planning and communications functions for the Office of Information Technology. Mike also serves as a concurrent assistant professor in the University's Computer Applications Department, where he teaches an undergraduate course on Information Security. Mike previously served as Senior Advisor to the Executive Vice President at Notre Dame and was Program Manager of the University’s Information Security Program. Prior to these engagements, Mike served as Executive Vice President and Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. Mike also spent four years in the information security research group at the National Security Agency and served as an active duty intelligence officer in the U.S. Air Force. He is a technical editor for Information Security Magazine and has written several books, including the best-selling CISSP: Certified Information Systems Security Professional Study Guide, Microsoft SQL Server 2008 For Dummies, and Information Security Illuminated. Mike is also a regular contributor to SearchSecurity.com and the About.com Guide to Databases. Mike earned both his bachelor’s and doctoral degrees from Notre Dame in computer science & engineering. He also holds an MS in computer science from the University of Idaho and an MBA from Auburn University. An information security professional with over 10 years of experience in government, the private sector and higher education, Mike is a recognized thought leader in the field of information security management. We are very happy to have him here with us today, and we hope you find your time with him just as valuable as we have here at NetIQ. And without any further delay, I will now turn it over to Mike.
Renee’s notes: Mike will speak to the value of auditing here, which is to help assess security controls; he will share “comments” he hears about auditors and the audit itself.
Renee’s notes: Mike will share examples of clients who were constantly rushing to prepare, esp. military example; comparisons to other events, such as tax-day.
Renee’s notes: But Mike’s point is that efforts to achieve crash compliance fall apart; you should treat it as a doctor visit.
Renee’s notes: Mike will here tell a story about the client that had a misalignment between what they thought was being audited, and what was actually being audited. Really bad outcome!
Renee’s notes: Mike will talk here about PCI DSS at Notre Dame.
Renee’s notes: Mike will talk about the different types of standards and how it is important to make sure in advance what standards are being used in the IT audit process.
Renee’s notes: Mike will share a story about a company where the audit uncovered huge vulnerabilities. The whole team got let go.
Renee’s notes: You are the expert!
Renee’s notes: Mike will relate that no matter how well prepped you are, expect at least one finding. Use the management response and view this as an opportunity to improve your security program.
Thank you, Mike, for that insightful presentation. I especially appreciated the stories you related about organizations who were not following the “audit as a lifecycle model” – and what their results were. I’m curious now about the IT audit processes of our listening audience… so, we’ve got a quick poll to assess that. Please push the poll. While waiting 30 seconds for results… Mike: Based on your experience, what would you expect to see in the results we’ll see in a moment? Thank the audience for participation, then move on: Now, I want to wrap up with a few words about our thoughts on how to improve the efficiency and security of your computing environment, while easing your compliance burden and meeting your business objectives.
Link to Mike’s preso: You heard Mike discuss the governmental agency that did not follow a lifecycle approach to audits. Instead, they scrambled to rush preparations for each audit two weeks before the auditors showed up. This obviously did not work out well for them, as the auditors always had some embarrassing findings and management was always quite disappointed. The sad fact is, many compliance efforts tend to focus solely on meeting audit criteria rather than on minimizing risk and improving overall security.
Compliance as a By-Product of Good Security
The mandatory nature of regulatory compliance, combined with specific and quantifiable penalties for non-compliance, has directed a large portion of overall security spending toward compliance efforts, on the premise that this will improve security and reduce breach risk. But compliance mandates provide only a minimum standard. Case in point: Both Heartland Payment Systems and T.J. Maxx had achieved or were achieving PCI compliance when their systems were breached by a global identity theft ring, resulting in two of the largest breaches of credit card data in history. Ask yourself: Does compliance drive your security program without always improving security?
Focus First on Good Security
When security projects are focused solely on meeting a minimal set of audit criteria rather than minimizing risk, much of the potential benefit of this funding is wasted. Allowing the “accredit and forget it” approach (much like the governmental agency) to drive security priorities is like cramming for an exam. You may pass the exam (or the audit), but you are unlikely to retain the benefits you would have gained from careful study and planning. Case in point: An astounding 86 percent of data breach victims had evidence in their log files prior to being breached, according to the 2010 Data Breach Investigations Report. By not reviewing the logs, these organizations left themselves open to a breach.
This behavior exemplifies the danger of a “check-the-box” approach to compliance. A highly effective security team will direct compliance efforts toward a comprehensive risk mitigation program that is aligned with the risk tolerance and business objectives of the organization. By focusing on “security first”, the overall security posture of the organization is improved and compliance is achieved as a by-product of security efforts.
Link to Mike’s preso: You heard Mike discuss the case he was involved in where the auditors and auditees did not explicitly agree on a standard before the audit began. Instead, they had a general conversation about the principles that would be covered and everyone felt good going into the audit. When the report came out, it was a disaster. Management was expecting a clean bill of health while the auditors had several extremely critical findings. This could have been avoided if both parties had agreed upon an objective standard in advance.
The best way to achieve and sustain compliance with PCI DSS and other regulations is to implement and manage to a harmonized set of controls that meet your evolving regulatory and corporate mandates. Leveraging a common set of controls simplifies audits and provides a framework for audit reporting based on how the controls map to a given mandate. As the regulatory environment evolves, controls can be added to this common set, allowing the organization to quickly adapt their compliance program.
Achieving Harmonized Controls
- Encompass regulatory, industry, and internal corporate mandates
- Internal mandates that are aligned to business objectives
- Appropriate controls must safeguard critical information and infrastructure wherever it may be
Case in point: Cloud computing enables both large and small organizations to reduce cost and increase flexibility within IT.
Case in point: “Insiders” who have access to this critical information may not be who they seem, and as a result, all activity must be monitored and no one can be completely trusted.
Improve Security and Efficiency of the IT Environment with Workflow Automation
Benefits of automating routine, labor-intensive, or highly volatile tasks include:
- Reduced human error
- Decreased training costs for new employees
- Decreased risk in highly volatile processes
- Helps ensure reliable, repeatable processes and strict adherence to policy
Value-add:
- Improved security, reduced costs, and streamlined compliance
- Better able to demonstrate compliance
- Reduce costly audit findings
Case in point: Automated attestation of group rights saved the AD administrators at one large, US-based energy company about 1 week’s worth of man-effort (1 day for every 400 users), removing room for error and leaving them time to do more interesting things.
Case in point: Automated user account provisioning at the same large energy company helped them to manage the risk associated with new user account creation and modification for employees and contractors in their call centers (100% annual turnover). It helped the company to accurately and rapidly create and modify user accounts, significantly reducing the ability of any one employee to abuse his or her privileges.
Make sure that the solutions you select provide the level of automation your organization needs.
Note for speaker only: The Unified Compliance Framework harmonizes controls across hundreds of different regulations, allowing your organization to comply once and attest to many different requirements, including PCI, SOX, HIPAA/HITECH, CobiT, NIST and hundreds more. The Unified Compliance Framework approach to compliance is effective, sustainable, and scalable – enabling you to achieve your compliance objectives (aside: will make auditing and reporting easier) and improve the overall security posture of your organization.
What we know today is that data security is a critical or high priority for 89% of organizations, according to Jonathan Penn at Forrester Research. Organizations are concerned about the evolving nature of threats both from the inside and the outside. They wonder where their critical data resides, who is accessing it, and whether it is being changed in any way. They are concerned about the damaging effects of a data breach on their organization, both in the short term, with fines and mandated disclosure laws, and in the long term, with loss of brand, competitiveness, and consumer confidence – leading to lost revenues and profitability. Their concerns about data breach costs are warranted: According to Ponemon’s “2010 Annual Study: U.S. Cost of a Data Breach,” the average organizational cost of a data breach is approximately $7.2 million, up 7% from last year. And while compliance mandates are designed to provide a minimum standard of security controls to protect your critical data, compliance in itself won’t keep you safe from these damaging breaches. What we’ve learned from the Verizon “Data Breach Investigations” and Ponemon “Cost of a Data Breach” Reports is that basic controls and monitoring can prevent most data breaches. Rather than focusing on compliance, organizations should start with strong data protection and get the security basics right. Rather than being the end-game, compliance should be a “by-product” of good security controls. Only an integrated, automated approach to compliance rooted in sound security principles is effective, sustainable, and scalable. This type of approach can help your organization to realize positive, long-term business impact in terms of reduced breach risk, avoidance of penalties associated with noncompliance, operational efficiencies, and an improved security posture. This concludes our presentation for today.