compliance audit | Blog

Solutionary Blog and Bloggers

 Solutionary is an information security company. What does that mean? Simply put, we help businesses protect their assets, remain fully secure and safe online, and maintain and adhere to compliance regulations and standards. Solutionary's blog will be a place to learn about and discuss a wide variety of security and compliance topics. More information about Solutionary can be found here. To read the Solutionary blog comment policy and disclaimer, click here.

Solutionary Bloggers:

- Brad Curtis, Compliance Manager
- Jon Heimerl, Director of Strategic Security
- Mike Hrabik, President and CTO
- Don Gray, Chief Security Strategist
- Court Little, Director of Strategic Security
- Joseph Blankenship, Senior Director of Product Marketing and Strategy
- Doug Picotte, Regional Technical Manager
- Rob Kraus, Senior Security Consultant
- Scott Simpson, Director, Security Consulting Services
- Brian Reed, Regional Technical Manager


Solutionary Minds - Your Information Security Blog Source

Solutionary Updates

Posted by Court Little on Tue, Jul 06, 2010 @ 11:20 AM

We tend to get pretty busy around here. Sometimes, it almost feels like even I have a hard time keeping up with all of the new releases and updates. Almost. To that end, I will be periodically posting new Solutionary news and updates to make sure you, our valued readers and customers, are on the same page.

To start with, here are a bunch of product updates I want to share:

- We have launched a new Visibility Services page for all our clients of the Visibility Service. You can now search, filter and review all your service alerts in a nice graphical interface. This is available via the Services -> Policy Management navigation bar.

- Visibility Service clients also now get a new "Open Services" report in the report generator, giving clients instant snapshots of their Visibility Service. To find this, go to the Report Generator and select "Open Visibility Alert Summary" in the General section!

- We've added new Log Management audit reports for clients who need Log Management reports for compliance purposes. These reports snapshot the archive record, log date, file size and signature date, and in the next two weeks a signature verification date will be added as well. These reports can be found under General reports in the report generator, titled "Log Archive Report".

- New ActiveGuard Auto ticket rules are in final beta testing and should be ready in the next release! We've listened to those clients wanting this feature, and your wait is coming to an end! All our SIEM clients will now be able to leverage remote notifications of security events in their environment.

- We're also in final beta testing of our new next-generation vulnerability handling engine. The new engine allows clients much more functionality and more refined control, along with the added benefit of a simpler interface, as well as SOC-integrated PCI lifecycle integration. More on that coming soon!

- And last but not least, we have a super slick Qualys API interface allowing clients to view, and manually select, which Qualys reports they want to load into the Solutionary ActiveGuard system for enhanced Threat Intelligence Correlation, as well as for use in our own Vulnerability Lifecycle Management system.

OK. That's enough teasers and updates for now. Have a great week, everyone!

The Clock is Ticking

Posted by Jon Heimerl on Tue, May 18, 2010 @ 09:35 AM
Time. It is our most valuable commodity. We always need more time, but how do you manage time? It is probably more about managing your use of the limited time you have. If you are in IT, and have a security job, you are probably constantly scrambling to get everything done that you need to. There is probably always more work to do at the end of your day, regardless of whether you are working a 40-hour week, a 60-hour week, or more.

So what do you do? You manage your work, since time just passes, and there is really not much you can do about that.

1. Prioritize. Realistically, this is dynamic in IT, and even more so in the security world. You work on the most important tasks first. Yes, we all know that EVERYTHING is priority 1, but we also all know that is not really true. So, first of all, maintain a genuine prioritization process in your workflow, and USE IT. Beyond that, hopefully you've done a Business Impact Analysis ("Know Thyself") or used some other means to identify critical systems and/or information in your world. Things that are most critical should automatically get a higher priority. This definitely requires discipline, but can work wonders.

2. Automate. Some tasks can be automated. A report can be canned and scheduled. Batch jobs can run nightly. If you have a repetitive task, especially one that takes serious time, see if it can be automated. Automation can speed up repetitive tasks, as well as make them more consistent and predictable. If Job X takes you 15 hours to do normally, it might take 8 hours if you had nothing else to do, or 30 hours with interruptions or other dynamic prioritization. If you automate Job X, it may take 3 minutes to run, but it will probably take 3 minutes to run every time.

The three most repetitive tasks I can think of off-hand are back-ups, log management and compliance/audit reporting.

Backups are usually easily understood: just schedule them with whatever system and/or backup solution you are using. Even the most rudimentary backup software will have a scheduling process. Use those scheduling capabilities instead of manually copying files to backup media.

Log management is a little more complicated. Gather the logs you need from your systems to help identify outages and issues, to assist in troubleshooting and diagnostics, and to help track down system and security issues. Why manage all of those logs manually when in a fraction of the time you can have an automated system (or a managed system) do everything for you, including protecting the logs from tampering, as well as long-term log archival?

Compliance/audit reporting is not so obviously automated. But, when you look at what happens in an audit, solutions should be more apparent. You know auditors will always request a certain amount of information. If you are being audited against a particular standard or audit requirement, you know that you are going to be asked for proof that you are meeting those requirements. So, you identify those requirements, then you use audit reporting to check the managed logs, and proactively gather the logs and information that support your compliance. You need to prove that you are scanning your external website every 30 days? Include your scanning schedule in your managed logs, then associate your scan results with the scheduled scans. If you are getting it right, your systems will see the scan and that will be visible in the logs as well. Reporting against the requirement then shows that you schedule automated scans on the 25th of every month (because it is in the scheduler), that the automated scan ran (because you can see the scan detection in the system, firewall, and IDS logs), and the scan results (because they are included in reporting). You have just saved weeks' worth of manual log and information gathering, and have a predictable, consistent package for the auditor that, honestly, they are going to love, since you made their job easier as well (and, by the way, that probably means the audit costs less).
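The evidence chain described above (scheduler says a scan is planned, firewall/IDS logs show it ran, scan results show what it found), as an added example that is not part of the original post. The log format, the scanner's source address and all dates and findings are constructed for the example; the one-day tolerance for matching a log entry to its scheduled date is an assumption.

```python
# Added example, not from the Solutionary post: it assembles the evidence the
# post describes for an "external scan every 30 days" requirement by joining the
# scheduler (scan planned), firewall/IDS logs (scan ran) and scan results (findings).
# All data is constructed; the scanner address and the log format are assumed.
from datetime import date, timedelta

# Constructed scheduler entries: the 25th of every month, as in the post.
SCHEDULE = [date(2010, 3, 25), date(2010, 4, 25), date(2010, 5, 25)]

# Constructed firewall/IDS lines, assumed "YYYY-MM-DD HH:MM:SS sensor event k=v ..." form.
LOG_LINES = [
    "2010-03-25 02:01:07 fw allow src=203.0.113.10 dst=198.51.100.5 dport=443",
    "2010-04-25 02:00:58 ids scan-detected src=203.0.113.10 dst=198.51.100.5",
    "2010-04-25 09:12:44 fw deny src=192.0.2.77 dst=198.51.100.5 dport=22",
    "2010-05-26 02:00:41 ids scan-detected src=203.0.113.10 dst=198.51.100.5",
]

# Constructed scan results keyed by the date the scanner reported; May is missing.
SCAN_RESULTS = {
    date(2010, 3, 25): {"high": 0, "medium": 2},
    date(2010, 4, 25): {"high": 1, "medium": 0},
}

SCANNER_IP = "203.0.113.10"  # assumed source address of the scanning host


def scanner_activity_dates(lines, scanner_ip):
    """Dates on which any log line shows traffic from the scanner host."""
    dates = set()
    for line in lines:
        fields = line.split()
        if f"src={scanner_ip}" in fields:
            dates.add(date.fromisoformat(fields[0]))
    return dates


def build_evidence(schedule, lines, results, scanner_ip, tolerance_days=1):
    """One row per scheduled scan: 'complete' only if the logs show the scan
    within tolerance_days of the schedule AND results for it were loaded."""
    seen = scanner_activity_dates(lines, scanner_ip)
    rows = []
    for planned in schedule:
        window = {planned + timedelta(days=d)
                  for d in range(-tolerance_days, tolerance_days + 1)}
        observed = sorted(window & seen)
        result = next((results[d] for d in observed if d in results), None)
        if not observed:
            status = "not observed in logs"
        elif result is None:
            status = "ran but no results loaded"
        else:
            status = "complete"
        rows.append({"scheduled": planned, "observed": observed,
                     "results": result, "status": status})
    return rows
```

Any row whose status is not "complete" is exactly the gap an auditor will ask about, so the same report that proves compliance also tells you what to fix before the audit starts.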

We will all still scramble for time, but with reasonable prioritization and some appropriate automation, perhaps it becomes a little easier?


Streamlining Your SAS-70 Type II Audit – Part 2

Posted by Brad Curtis on Mon, May 03, 2010 @ 09:06 AM
In my last post, I discussed two key elements of my morning - coffee and audit preparedness. Today, I continue the theme with additional tips to help your SAS-70 Type II Audit run smoothly (other than a hefty cup of coffee or two).

Mix up your coffee selection: don't just drink the same old Colombian morning blend, try some blueberry or raspberry for a change. Ok, but seriously:

1. Keep answers to auditors short and direct. Don't provide a bunch of extra details when presenting your controls or answering questions for the auditors; this is like standing up in a goose blind and waving a giant, bright orange flag. They are going to notice. Auditors will naturally ask questions about anything you say which is not documented in the controls.

2. Keep auditors focused. Auditors love to dig deeper and investigate details, which sometimes are beyond the scope of the audit. I sit in on many of the presentations as the project manager to ensure the auditors are not asking for documentation or procedures that are not part of our controls. Typically, if you politely mention to them that what they are asking about is "out of scope" for the audit, they will quickly agree and move along. If the auditor asks about another owner's controls, simply answer "that's John's control, he'd be able to answer that question for you". The auditors like to do this to see if the answers "sync up". Oh, those tricky auditors!

3. Keep the executive team informed. The project manager should provide daily updates to the management team on the audit's progress. The auditors meet with select members of the executive team to ensure management understands the controls and how your company addresses them at a high level. If you provide them with ammo prior to these meetings, they go quickly and can stay on course.

4. Map your controls to other standards. You'd be surprised how many of the CobiT controls map directly to other standards and regulations (e.g., ISO/IEC, PCI, NIST, GLBA, HIPAA, etc.). Many organizations have different groups or committees to handle each set of standards or regulations separately. If your company structure affords you the luxury to do so, it's a good idea to get with your counterparts to ensure the controls sync up and you are not reinventing the wheel. It's a lot easier to utilize something already in place, rather than create a new set of procedures and controls. It's also helpful to get another perspective on your controls, because (let's face it) there's always room for improvement.

If you follow the high-level suggestions above, and in my earlier post, there is little doubt your audit will go more smoothly and faster than previous audits. Good luck!

Streamlining Your SAS-70 Type II Audit – Part 1

Posted by Brad Curtis on Fri, Apr 09, 2010 @ 08:26 AM
The first thing I do each morning is check my e-mail. This morning, I was greeted with my typical 38 reminders (not the best way to start the day). One popped up saying "Reminder the next annual SAS-70 Type II audit begins in July." Ugh! Really? Already? Why me? I cannot even start thinking about this until I've had my coffee. I wear three hats where SAS-70 is concerned (i.e., compliance manager, project manager, control objective owner), so I must be fully prepared, and caffeinated, to dive into this.

Deep breath, cup one of coffee consumed. After glancing through the controls and owners again, maybe it's not so bad. We have a great team of people, most of whom have been involved since the Type I audit. I have to remind myself that upon completion of the audit the previous year, the auditors stated they had never been through an audit that went as quickly and was so well organized. How did we do it? There are a few main reasons why it went so smoothly:

1. Control objective owner reminders - I send out quarterly reminders to all control objective owners about ensuring affected department(s) are following the procedures documented in the SAS-70 controls. During the final quarter, I send them out monthly, and in the last month I send weekly reminders.

2. Everything is online - Yep, all the documentation (including the proof) about each control is dedicated to its own page, with its own section on our Intranet. The various types of information provided for each control include:

* Controls - description
* Key Control Tests of Design (Type I Audit)
* Documentation Inventory (list of all documents presented to the auditors with a correlation to the affected control numbers)
* Understanding Process - pictorial representation in the form of a flow chart to document each control
* Audit Guidelines - right out of the CobiT handbook
* Key Controls Tests of Operating Effectiveness - auditor's tests performed

This allows the control objective owner to run through the controls, documentation, etc. as part of a presentation to the auditors. The auditors then ask questions and select certain tests to perform, for which you have to show the proof. We even linked the folders and directories where the proof resided (except HR stuff with PHI of course), so the auditors could quickly select items to test. We always have a couple things pop up every year that we have to present via hardcopy (e.g., HR stuff again), but those are few and far between.

I'm pressing pause on this topic for now, but keep an eye out for part 2 on streamlining a SAS-70 Type II audit. I will continue to outline tips to make the audit process go smoothly, and hope that it will help change your response to "YAY" when you see your own audit reminder.


Breaking the Audit Cycle

Posted by Court Little on Fri, Mar 19, 2010 @ 09:25 AM
In today's world, especially among folks dealing with information security, it seems that the security provisions put in place to protect "information" are just not enough. This too often appears true whether the information is Personal Health Information (PHI), or Personal Identification Information (PII), or Credit Card Holder data (CCH) or even just information about where you shop.

In response to these inadequacies, governments and private organizations have created myriad standards and regulations with which businesses must comply. In the last decade alone, we've seen the creation of SOX, PCI, a number of state regulations, and now HITECH for protecting sensitive information. Regardless of whether yours is a public or a private company, local, regional, national, or multinational, you probably have to go through at least a few audits every year.

One common thread when undergoing an audit is the scramble to collect - and on most occasions, generate - documentation and evidence required to prove compliance. The audit team gathers whatever they can and somehow submits it to the auditors/assessors. The most challenging part is that this happens during the next audit and the next audit after that - it really is a never-ending cycle.

Compliance management is a well-known problem; there is no silver bullet. An effective and efficient compliance management solution requires the following three components to work harmoniously: process, people, and technology.

Process: To change an audit from an unpleasant experience to something that's part of "normal" operations, create a business process for compliance management. With senior management support as its key prerequisite, a compliance management program that is aligned with clearly defined objectives can be very effective, especially when the right combination of people and technology is deployed to execute the program.

People: Regardless of whether you have qualified (and available) internal staff, or if you choose to partner with consulting firms, you need resources that have established expertise in the area. In the short term you can get help performing pre-assessment and associated remediation, and in the long term you are able to integrate the requirements into the compliance management and information security programs, or create one if one doesn't exist. Whichever way you decide to proceed, the end result should be to have a competent team of individuals responsible for managing and maintaining compliance.

Technology: It's a shame that there really aren't enough solutions in the market that can help organizations with their overall compliance management programs. Those that are available are limited to some parts of technical compliance, or not as widely known; hence, many companies are still using Excel spreadsheets. Simply stated, organizations need a central point or portal that can be used to collect status responses for all applicable requirements, along with required documents and evidence needed to prove compliance. It would be even better if the tool included a mapping of requirements across all applicable regulations and standards. The idea is to automate as much of this process as possible so that the audit team can obtain all required information from one location during an audit.

Bottom line - if an organization wants to get away from the chaos that an audit creates, they must commit to putting together a compliance management program built on a process with clear objectives, a competent team with expert support, and the right automation tool with comprehensive and flexible coverage.
