How to Recover from a Failed Security Audit
In November, the Department of the Interior failed a security audit, whi
In November, the Department of the Interior failed a security audit, which resulted in two things: It spurred changes in the Department's approach to security and it shows that a company or organization can recover from a failed audit.
A security audit, as described by consultant Kevin Coleman writing at TMCnet.com is: "a systematic evaluation of the security of a company's information system accomplished by measuring how well it conforms to an established set of criteria that results in a factual record. The audit activities typically focus on assessing the security of the system's operations, configuration and environment, software, information handling processes, as well as user practices.”
The audits can be done through independent observations or monitoring of systems, scrutinizing historical information, or having data investigated through forensic means.
If the failure comes through software or hardware applications, a white paper from Netcontinuum, "How to Rapidly Recover from a Failed Application Security Audit," (free registration required) presents two options: rewriting code or adding another layer of defense.
The better bet is the extra defense:
"The option of adding a new protective layer to the infrastructure is much simpler. The solution is deployed as a device in the data stream and is immediate. Typical deployments only take a day to install and configure. The cost, particularly when compared with code rewrite, is quite reasonable.”
For other audit recoveries, it is a matter of understanding where the failures occurred and coming up with a company-wide game plan to correct the problem. This includes prioritizing recovery efforts based on the risk level on each piece of the audit (and an audit will generate a lot of information), designating individuals or teams to be responsible for different areas of the recovery who provide regular status reports, and scheduling another audit to make sure you've made the corrections. Scheduling this new audit also provides a deadline that will keep the recovery moving forward, rather than stagnating.