3.5 Compliance Audits

Formulating policy is not enough by itself. It is important to determine regularly if the policy is being applied correctly, and if the policy is correct and sufficient. This is normally done with a compliance audit. The term "audit" is overloaded; it is often used to mean (at least), a financial audit, an audit trail (log), a security audit of a system, and a compliance audit for policy.

A compliance audit is a set of actions carried out to measure whether standards set by policies are being met and, if not, why. Standards normally imply metrics and evaluation criteria that can be used by an auditor to measure this compliance. When standards are not met, it can be because of any of the following:[8]

[8] This is not an exhaustive list.

Personnel shortcomings
  • Insufficient training or lack of appropriate skills

  • Overwork

  • Malfeasance

  • Lack of motivation

Material shortcomings
  • Insufficient or inadequate resources

  • Inadequate maintenance

  • Overload/overuse

Organizational shortcomings
  • Lack of authority/responsibility

  • Conflicting responsibilities

  • Unclear/inconsistent/confusing tasking

Policy shortcomings
  • Unforseen risks

  • Missing or incomplete policies

  • Conflicting policies

  • Mismatch between policy and environment

What is key to note about this list is that the vast majority of causes of policy problems cannot be blamed on the operator or administrator. Even inadequate training and overwork are generally not the administrator's choice. Thus, a compliance audit should not be viewed (nor conducted) as an adversarial process. Instead, it should be conducted as a collaborative effort to identify problems, obtain and reallocate resources, refine policies and standards, and raise awareness of security needs. As with all security, a team approach is almost always the most effective.

One of the authors conducted a compliance and discovery audit at a major computing site. Identifying information was purposely omitted from the report when possible. The resulting report identified a number of problems that management addressed with new resources, classes, and a revision of a number of outmoded standards. The results were so well-accepted that the staff requested another audit a year later! When managed properly, your personnel can embrace good security. The key is to help them do their tasks rather than being "on the other side."

    Part VI: Appendixes