Too often we react to tasks by simply doing them. We do them over and over again, perhaps without looking for a bit of optimization…because that could be more work in itself. Eons ago, we physically carried everything from A to B. Then we domesticated certain animals and trained them to carry the load. Then the wheel was invented. The point here is to look at the methodology of when to aspire towards increasing efficiency – to get two things done at once. At what point does it make economic sense?
Audits push our behavior towards tactical response. Working hard long hours does not always mean better overall results if the activity focuses on point solutions. Defining a unified approach towards compliance is a strategic task. Especially where reuse or automation for repetitive tasks might allow more time to get other higher priority things done that can make a material difference to the organization.
During a great talk from Josh Corman (@joshcorman) at last year’s RSA, he compared auditors to the zombie apocalypse. As an adversary group, they keep coming and coming, wave after wave. Their apparent motivation is the individual checklists they want completed – checklists that your organization must prepare for and complete. PCI DSS 2.0 is 27 pages alone. The audit preparation challenge is that the work required to satisfy the PCI DSS grows in direct proportion to the size of the network.
Using David Etue and Josh Corman’s adversary-based threat models, the attack patterns and the information targeted don’t line up with the work we do to prepare for an audit. PCI auditors focus on controls to safeguard credit card information, yet state-sponsored groups don’t need to chase after credit cards – they want to remain resident and exfiltrate as much intellectual property as possible. Chaos actors (such as Anonymous) focus on SQL injection to harvest names and contact information, with a little defacement thrown in for good measure. Card thieves are more likely to go after individuals than companies, and even so, the PCI DSS document gives attackers who might be going after credit cards a checklist of what is probably already hardened (or not). In other words, credit cards are “protected” using a readily available template for what to (or not to) attack depending on the size of the target.
The amount of effort required to deliver organization-wide PCI DSS compliance is immense. It consumes time and resources that could otherwise be applied to developing a unified strategy to protect the intellectual property that is actually being targeted.
So how can we deal with this? How can we deliver tactical corporate compliance by adhering to the compliance process, and still have time at the end of the day to protect our organization? I can answer this with one word: efficiency. Look at the various audit requirements and identify the common unifying threads – the content that is requested in most reports. Address these points, and develop a single report that documents them without a huge effort each time. Focus on proactively engaging with auditors to get them to accept a common document, or a document that gets you 85% of the way there. The real value is the time spent developing a sustainable strategic framework that demonstrates, internally and externally, that the organization is as secure as it can be.
This is essentially inventing the wheel. You have just created your own baseline compliance report; modify it as necessary to get more auditors on board so that you can reuse it. Auditors understand that they are not the only ones trying to schedule an onsite visit, and they are no strangers to the idea of a Unified Compliance Framework.
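As an added illustration of the "common unifying threads" idea (this is example code written for this post, not something the author or any compliance framework provides), the script below models a single baseline evidence set and several audit checklists, then reports which requirements each checklist can already tick off, which controls are demanded by more than one auditor, and which gaps remain. Every control ID, requirement number, checklist name and evidence record is an invented placeholder; none of them are real PCI DSS, SOX or HIPAA requirement numbers.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Requirement:
    ident: str            # the checklist's own requirement number (placeholder)
    controls: frozenset   # baseline control IDs that, together, satisfy it


@dataclass(frozen=True)
class Checklist:
    name: str
    requirements: tuple


# Constructed baseline: controls the organization documents once and reuses.
BASELINE_EVIDENCE = {
    "FW-01": "Quarterly firewall rule review, signed off by network lead",
    "ENC-01": "Sensitive data encrypted at rest, key rotation documented",
    "LOG-01": "Central log collection with one-year retention",
    "PATCH-01": "Critical patches applied within 30 days, exceptions tracked",
    "ACC-01": "Unique user IDs, MFA enforced for administrative access",
}

# Constructed checklists with placeholder requirement IDs (not real framework numbers).
CHECKLISTS = (
    Checklist("PCI-like", (
        Requirement("R1", frozenset({"FW-01"})),
        Requirement("R3", frozenset({"ENC-01"})),
        Requirement("R6", frozenset({"PATCH-01"})),
        Requirement("R8", frozenset({"ACC-01"})),
        Requirement("R10", frozenset({"LOG-01"})),
        Requirement("R11", frozenset({"PENTEST-01"})),   # not in the baseline yet
    )),
    Checklist("SOX-like", (
        Requirement("C1", frozenset({"ACC-01"})),
        Requirement("C2", frozenset({"LOG-01"})),
        Requirement("C3", frozenset({"CHG-01"})),        # change management gap
    )),
    Checklist("HIPAA-like", (
        Requirement("H1", frozenset({"ENC-01"})),
        Requirement("H2", frozenset({"ACC-01"})),
        Requirement("H3", frozenset({"LOG-01"})),
        Requirement("H4", frozenset({"BCP-01"})),        # continuity plan gap
    )),
)


def coverage(checklist, evidence):
    """Split one checklist into (satisfied, missing) requirement IDs.

    A requirement counts as satisfied only when every control it maps to
    has documented evidence in the baseline.
    """
    have = set(evidence)
    satisfied, missing = [], []
    for req in checklist.requirements:
        (satisfied if req.controls <= have else missing).append(req.ident)
    return satisfied, missing


def crosswalk(checklists, evidence):
    """Per-checklist coverage report from a single evidence set."""
    report = {}
    for cl in checklists:
        satisfied, missing = coverage(cl, evidence)
        pct = 100.0 * len(satisfied) / len(cl.requirements)
        report[cl.name] = {"satisfied": satisfied, "missing": missing, "pct": pct}
    return report


def shared_controls(checklists):
    """Controls demanded by two or more checklists: the reusable 'common threads'.

    Each control is counted once per checklist, so a framework that cites the
    same control in three requirements does not inflate the tally.
    """
    tally = Counter()
    for cl in checklists:
        for ctrl in {c for req in cl.requirements for c in req.controls}:
            tally[ctrl] += 1
    shared = [(c, n) for c, n in tally.items() if n >= 2]
    return sorted(shared, key=lambda kv: (-kv[1], kv[0]))


def missing_controls(checklists, evidence):
    """Controls some auditor will ask for that the baseline does not document."""
    required = {c for cl in checklists for req in cl.requirements for c in req.controls}
    return sorted(required - set(evidence))


if __name__ == "__main__":
    for name, row in crosswalk(CHECKLISTS, BASELINE_EVIDENCE).items():
        print(f"{name}: {row['pct']:.0f}% covered, missing {row['missing']}")
    print("Reusable across auditors:", shared_controls(CHECKLISTS))
    print("Baseline gaps to close once:", missing_controls(CHECKLISTS, BASELINE_EVIDENCE))
```

Run as-is, it shows the baseline already answering most of each constructed checklist, names the three controls that three different auditors would all accept from the same document, and lists the gaps that, once documented once, close a requirement in more than one audit at a time.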