The management of these proofs or evidences is an activity that is time-consuming because it is necessary to refresh the evidences on a regular basis, and thus demonstrate that with recent evidences, we have there the perfect testimony of our diligence to be compliant.
One of the problems is that there are two types of verification: verification of the design of a control, and verification of the effectiveness of a control. For example, the auditor wants to verify that there is a process to deactivate the accesses of employees who have left the organization. And ideally that the deactivation is done quickly (eg: at most 24 hours after the departure of the employee).
Design verification implies that the verifier will settle for just about any proof. For example, provide a sample of logs proving the prompt deactivation of 10 employees. In itself, this is valid evidence. But if we are dealing with an organization that has only managed to deactivate these 10 employees through the process, then the evidence is worthless and the organization is in fact not compliant but the auditor does not know it.
The second type of verification is more demanding and for example, in the above case, the verifier could himself select a sample of employees who have left the organization and request proof of the rapid deactivation of the selected employees. As it is a random sample, the idea is that if they are all compliant, the process is working well and the control is effective.
These checks that are made against a known standard are an activity whose value is widely recognized.
Sometimes, however, auditors come forward and want to check “the security of the organization”. They are sometimes mandated by a client, a bank that finances the organization, a strategic partner, etc. The problem with these checks is that they are rarely done against known or accepted standards. These verifications are therefore entirely or partially based on the individual skills of the auditor.
For example, here is an anecdote.
While I was carrying out a cybersecurity consulting mandate, an auditor commissioned by a client was putting the final touches to his recommendations. One of them required that the organization install cameras with microphones in all conference rooms and that the audio/video recordings be reviewed on a daily basis.
This was apparently intended to prevent outsiders such as consultants from going to isolate themselves in conference rooms and exfiltrate information from the organization. We are talking here about hiring 6 people, including 3 full-time, for each of the organization’s conference rooms, solely for the purpose of reviewing video recordings.
The problem (in addition to the fact that it would entail enormous costs for the organization and that it is contrary to privacy laws) is that such a requirement is not found in any standard and one wonders in what are the standards used by these private auditors. Still, the probability that the organization would implement this requirement was approximatively 0%.
What then, in the view that failure to implement the requirement could lead to termination of the contract with a customer?
This is where creative thinking comes in. The intent of the requirement is to prevent the use of conference rooms for data exfiltration by third parties. The organization resolved this dilemma by respecting the intent but deploying a compensating control: it issued a directive banning access to conference rooms to all consultants, with immediate disabling of such access. The cost of this control is almost nil, and the verifier had no choice but to accept it since the intention is respected
There are a lot of controls that are assumed to be expensive when reading the description. An example is the PR-PT-2 control of the cybersecurity framework from the NIST in the United States (National Institute of Standards and Technology). The control stipulates that removable media (USB keys, portable hard drives, CDs, DVDs, etc.) must be protected and their use must be restricted in accordance with the policy.
Attempting to deploy a control as depicted is sure to be a bumpy ride. Who has the right to use removable media? Why ? Are these people less at risk? Why ? How do we prohibit some and allow others? What does NIST mean by “protected”? Do we encrypt them? How do we make encryption mandatory and unavoidable?
Instead, let’s ask ourselves what the intent of the control is: It’s most likely to prevent an attacker from copying corporate data to a removable media and taking it outside. Such things happen on a regular basis even today. Thinking creatively, we could deduce that by deactivating the function of the USB ports allowing to connect storage units, we solve the problem. It is deployed with a GPO (Group Policy Object) in a Windows environment and it has a low cost. Exceptions can be made for people who need them to perform their duties. And this compensating control respects the intent of the control.
Good auditing standards not only list controls, but they also list control objectives. These objectives are, in fact, the intention of the control. If in doubt, do not hesitate to discuss these objectives with the auditor. This will allow you to think creatively, and avoid situations in which an auditor tries to impose a solution on you, without even knowing your organization. Personally, I recognize the right of auditors to point out my cybersecurity weaknesses, but I do not recognize their right to tell me how to remedy them. The remediation will be done in line with the culture of the company, the legal and normative frameworks in which it evolves, its technological and architectural foundations, its employees, etc.
Don’t underestimate the power of creative thinking. At Sémafor Conseil, we strive to always make this way of thinking available to you, so that the solutions offered to you are affordable, pragmatic and effective.