Tag Archives: external audit

Audit Seeding

Management may spend considerable time and energy making sure that personnel understand one thing when dealing with auditors: specifically answer the question that the auditor asked, not the question the auditor should have asked; and do not volunteer any information.

There is, however, a useful technique that management (and only management) sometimes uses when working with auditors. I prefer to call this seeding the audit results.  Similar to the technique of cloud seeding, where rain clouds are seeded with substances to cause them to release rain, management can use audit seeding as a way of ensuring that auditors are aware of specific situations that they are willing to include in their audit report. The purpose of audit seeding is generally the creation of an audit issue that will permit management to prioritize an initiative to improve the business.

For example, external auditors are examining access controls, an area where a security manager has had difficulty obtaining funds to make key improvements. While in a discussion with auditors, the security manager may choose to illuminate particular actions, inactions, or other situations in access control processes or technology that the auditor might not have otherwise noticed.

Persons who are considering audit seeding must have a thorough understanding of the subject matter, the controls being tested, the procedures and technologies in play, the auditing methodology in use, and a bit of grit. Audit seeding may be considered a daring move that may have unforeseen results. Finally, persons considering audit seeding must not make auditors feel they are being manipulated, as this could have greater consequences. Instead, management is simply making auditors aware of an important aspect of a control they are auditing.

— excerpt from CISM All-In-One Study Guide

A solution for accumulation of privileges


Enterprises are beginning to master the task of provisioning access rights to new employees, and terminating those rights when employees are terminated from employment.  And when employees advance or are transferred into new positions, enterprises are becoming more effective at granting new access privileges in support of advancing / transferring employees’ new duties.

But enterprises mostly fail to remove the privileges associated with the positions employees leave behind when they transfer or advance.  This results in the problem known as “accumulation of privileges.”

Accumulation of privileges is the result of employees who are granted access rights in their first position, and more rights as they advance, transfer, or are given additional responsibilities.  The real problem is that employees fail to shed unneeded privileges when they move into new positions.  Given enough time, an employee who moves around to different positions in an organization can amass an array of privileges.

It’s not altogether simple.  Often, transferred employees need to retain their former privileges until some projects or tasks are completed, or to support cross-training their successors.  But rarely will an employee, or his old or new manager, request that those old and no longer needed privileges be revoked.

Most enterprises simply lack the discipline to set up a process for eventually revoking unneeded privileges.  The result is that employees with more tenure can amass a wealth of privileges that would turn an auditor pale.

There is no easy answer to this.  But probably the best answer that I can come up with is this:

When an employee has transferred to a new position, all privileges associated with the specifics of the old position should be immediately revoked.  Policy should reflect and require this.  But reality can accommodate a compromise, where the transferring employee may retain the old privileges for a maximum of, say, two to four weeks, after which the old privileges must be revoked.  If an extension is required, it must be approved by a senior manager or executive, with another time limit of, say, 30 days.  The same executive must approve every 30-day extension.

Regular audits of employee access rights should take place.  The list of employees who should have access privileges needs to be carefully matched to the userids that actually do.  All exceptions must be noted and remedied, to eliminate any forgotten accumulations.  The regular audit is the only way that an access privilege – one that should have been revoked – will be caught and remedied.  If regular audits do not catch these, they will continue unfettered until an external auditor finds them or an incident – made possible by the accumulated privileges – occurs.

Example 1: A systems support engineer is promoted to software test engineer.  This requires that she be given privileges to development systems, test systems, and source code.  However, after she transitions to her new job, she still has access to production databases.  This is a blatant violation of the requirement that personnel in development have no access to production systems or data.

Example 2: An accounts payable clerk is promoted to accounts payable supervisor.  This results in the employee having access to functions that a single individual must never have: approving payments and printing checks.  This will cause an audit exception if an auditor is careful to examine each employee’s privileges.
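One way to implement the revocation and reconciliation process described above, as an added example that is not code from the original post. It assumes a simple role-to-entitlement model, an HR roster extract that records each employee's previous position and transfer date, an IAM extract of the entitlements actually granted, and a register of executive-approved extensions; every userid, role, entitlement and date in it is constructed for illustration. It covers both examples: the former systems support engineer who still holds production database rights, and the accounts payable supervisor who can both approve payments and print checks.

```python
"""Access-review reconciliation for the transfer policy described above.

Added example, not code from the original post. The role model, data
formats, userids and dates are constructed for illustration.
"""
from datetime import date, timedelta

GRACE_DAYS = 28        # policy: old-position privileges tolerated for at most four weeks
EXTENSION_LIMIT = 30   # policy: each executive-approved extension adds at most 30 days

# Assumed role model: the entitlements each position legitimately carries.
ROLE_ENTITLEMENTS = {
    "systems_support_engineer": {"prod_db_read", "prod_db_write", "prod_shell"},
    "software_test_engineer": {"dev_systems", "test_systems", "source_code"},
    "ap_clerk": {"print_checks"},
    "ap_supervisor": {"approve_payments"},
}

# Separation-of-duties pairs that one userid must never hold together.
SOD_CONFLICTS = [
    (frozenset({"approve_payments", "print_checks"}), "approve payments + print checks"),
    (frozenset({"source_code", "prod_db_write"}), "development + production data"),
]

# Constructed HR roster extract: current position, previous position, transfer date.
EMPLOYEES = [
    {"userid": "asmith", "position": "software_test_engineer",
     "previous_position": "systems_support_engineer", "transferred": "2024-01-15"},
    {"userid": "bjones", "position": "ap_supervisor",
     "previous_position": "ap_clerk", "transferred": "2024-03-01"},
    {"userid": "cwu", "position": "ap_clerk", "previous_position": None, "transferred": None},
]

# Constructed IAM extract of what the systems actually grant today.
ACTUAL_ACCESS = {
    "asmith": {"dev_systems", "test_systems", "source_code", "prod_db_read", "prod_db_write"},
    "bjones": {"approve_payments", "print_checks"},
    "cwu": {"print_checks", "approve_payments"},
    "zold": {"prod_shell"},                      # no employee record behind this userid
}

# Constructed register of executive-approved extensions, one entry per approval.
EXTENSIONS = [
    {"userid": "bjones", "approved_by": "cfo", "expires": "2024-04-27"},
]


def _as_date(value):
    """Accept a date or an ISO-8601 string (as exported from HR/IAM tools)."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def retention_deadline(emp, extensions=EXTENSIONS):
    """Last day on which previous-position privileges may still be held; None if no transfer."""
    if not emp.get("previous_position"):
        return None
    deadline = _as_date(emp["transferred"]) + timedelta(days=GRACE_DAYS)
    mine = sorted((e for e in extensions if e["userid"] == emp["userid"]),
                  key=lambda e: _as_date(e["expires"]))
    for ext in mine:
        # Each approval may push the deadline out by at most EXTENSION_LIMIT days,
        # so an extension written for longer is honoured only up to the cap.
        capped = min(_as_date(ext["expires"]), deadline + timedelta(days=EXTENSION_LIMIT))
        deadline = max(deadline, capped)
    return deadline


def review_access(as_of, employees=EMPLOYEES, actual=ACTUAL_ACCESS, extensions=EXTENSIONS):
    """Reconcile roster against actual entitlements; return (userid, entitlement, reason) findings."""
    as_of = _as_date(as_of)
    roster = {e["userid"]: e for e in employees}
    findings = []
    for userid, held in sorted(actual.items()):
        emp = roster.get(userid)
        if emp is None:
            findings.append((userid, None, "orphan_account"))
            continue
        expected = ROLE_ENTITLEMENTS.get(emp["position"], set())
        previous = ROLE_ENTITLEMENTS.get(emp.get("previous_position"), set())
        deadline = retention_deadline(emp, extensions)
        for ent in sorted(held - expected):
            if ent in previous:
                if deadline is None or as_of > deadline:   # grace and extensions exhausted
                    findings.append((userid, ent, "accumulated_privilege"))
            else:                                          # no current or former role explains it
                findings.append((userid, ent, "unexplained_privilege"))
        for pair, label in SOD_CONFLICTS:                  # checked regardless of grace period
            if pair <= held:
                findings.append((userid, "+".join(sorted(pair)), "sod_conflict:" + label))
    return findings


if __name__ == "__main__":
    for userid, ent, reason in review_access("2024-04-15"):
        print(f"{userid:8} {ent or '-':32} {reason}")
```

Run as of 2024-04-15, the review flags asmith's two production database entitlements as accumulated (her four-week grace period ended in February), flags her source-code plus production-write combination as a separation-of-duties conflict, reports bjones' approve-plus-print conflict even though his retained clerk privilege is still inside an approved extension, reports cwu's approval right as unexplained by any role, and reports zold as an orphan userid. Note that the separation-of-duties check runs regardless of the grace period: an extension buys time to revoke, it does not make a toxic combination acceptable.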

Multiple, overlapping audits


Are any of you on this group in organizations that are subject to multiple sets of internal or external audits that overlap? If so, how do you handle the duplication of work?

In my organization, we have external PCI audits, external ISO 27001 audits, external SAS70 audits, external Sarbanes-Oxley audits, plus we are required to do internal audits for ISO 27001 and Sarbanes-Oxley – most of which concentrate on the same things: general computing controls, the protection of sensitive data, and the integrity of our applications.

What is particularly frustrating to control owners/operators is having to answer the same questions and produce the same evidence time after time for these different audits. One thing that is helping is automation of many of these audited tasks (or automating the recordkeeping), which makes evidence collection easier.

Are any of you experiencing this? Please share.