Audit & Compliance
MS CyRIGo follows NIST SP 800-171 which focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations and recommends specific security requirements to achieve that objective.
Beyond confidentiality, the security objectives of integrity and availability remain a high priority for organizations that are concerned with establishing and maintaining a comprehensive information security program.
While the primary purpose of SP 800-171 is to define requirements to protect the confidentiality of CUI, there is a close relationship between confidentiality and integrity since many of the underlying security mechanisms at the system level support both security objectives.
NIST recommends that audit records be generated at various levels of abstraction, including at the packet level as information traverses the network. Selecting the appropriate level of abstraction is a critical aspect of an audit logging capability and can facilitate the identification of the root causes of problems. When defining event types, organizations consider the logging necessary to cover related events such as the steps in distributed, transaction-based processes (e.g., processes that are distributed across multiple organizations) and actions that occur in service-oriented or cloud-based architectures.
Audit record content that may be necessary to satisfy this requirement includes time stamps, source and destination addresses, user or process identifiers, event descriptions, success or fail indications, filenames involved, and access control or flow control rules invoked. Event outcomes can include indicators of event success or failure and event-specific results (e.g., the security state of the system after the event occurred). Detailed information that organizations may consider in audit records includes full text recording of privileged commands or the individual identities of group account users. Organizations consider limiting the additional audit log information to only that information explicitly needed for specific audit requirements.
This facilitates the use of audit trails and audit logs by not including information that could potentially be misleading or could make it more difficult to locate information of interest. Audit logs are reviewed and analyzed as often as needed to provide valuable information to organizations to facilitate risk-based decision making.
NIST considers ISACA's IT Audit Plan to be a valuable source for audit managers. Understanding the enterprise context and strategy means determining the enterprise goals, which are structured along the balanced scorecard (BSC) dimensions (for example, business service continuity and availability). A risk profile identifies the sort of IT-related risk to which the enterprise is currently exposed and indicates which areas of risk exceed the risk appetite.
Closely related to IT risk are information and technology (I&T)-related issues, also called pain points, from which the enterprise is suffering. These can be considered risks that have materialized; an example is service delivery problems caused by the IT outsourcer(s).
At the end of this step, it is important to have a clear and consistent view of the enterprise strategy, the enterprise goals, IT-related risk and current I&T issues. The design guide provides concrete examples of these. An appropriate perspective to keep in mind is that technology only exists to support and further the organization’s objectives and is a risk to the organization if its failure results in the inability to achieve the business objective.
Organizations ensure that the contents of the audit record include the information needed to link the audit event to the actions of an individual to the extent feasible. For traceability, organizations consider logging the results from monitoring of account usage, remote access, wireless connectivity, mobile device connection, communications at system boundaries, configuration settings, physical access, nonlocal maintenance, use of maintenance tools, temperature and humidity, equipment delivery and removal, system component inventory, use of mobile code, and use of Voice over Internet Protocol (VoIP).
Correlating audit record review, analysis, and reporting processes helps to ensure that they do not operate independently, but rather collectively. Regarding the assessment of a given organizational system, the requirement is agnostic as to whether this correlation is applied at the system level or at the organization level across all systems.
Audit information includes all information (e.g., audit records, audit log settings, and audit reports) needed to successfully audit system activity. Audit logging tools are those programs and devices used to conduct audit and logging activities. This requirement focuses on the technical protection of audit information and limits the ability to access and execute audit logging tools to authorized individuals. Physical protection of audit information is addressed by media protection and physical and environmental protection requirements.
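As an added example (not MS CyRIGo's or NIST's code), the script below checks constructed sample audit records against the record content listed above (time stamp, source and destination, subject identity, event description, outcome, object and rule invoked), flags records that cannot be linked to an individual because a group account was used without the individual's identity, and correlates failed events per identity across sources. The field names, the group-account list and the sample records are all assumptions made for the illustration.

```python
"""Audit-record completeness and traceability check (added example, not the page's own code)."""
from collections import defaultdict

# Field names for the record content the page lists; the names themselves are assumptions.
REQUIRED_FIELDS = ("timestamp", "src", "dst", "subject", "event", "outcome", "object", "rule")
# Constructed shared/group accounts whose use must carry the individual's identity.
GROUP_ACCOUNTS = {"svc_backup", "admins"}

SAMPLE_RECORDS = [  # constructed sample data, not real log output
    {"timestamp": "2024-03-01T10:00:00Z", "src": "10.0.0.5", "dst": "10.0.1.20", "subject": "alice",
     "event": "file_read", "outcome": "success", "object": "/cui/plan.docx", "rule": "acl:cui-readers"},
    {"timestamp": "2024-03-01T10:01:10Z", "src": "10.0.0.5", "dst": "10.0.1.20", "subject": "admins",
     "event": "privileged_cmd", "outcome": "success", "object": "/etc/audit/auditd.conf",
     "rule": "sudo:all", "actor": "bob"},  # group account, but the individual is recorded
    {"timestamp": "2024-03-01T10:02:00Z", "src": "10.0.0.9", "dst": "10.0.1.20", "subject": "svc_backup",
     "event": "file_write", "outcome": "fail", "object": "/cui/", "rule": "acl:cui-writers"},
    {"timestamp": "2024-03-01T10:03:00Z", "src": "10.0.0.9", "subject": "alice",
     "event": "file_read", "outcome": "fail"},  # truncated record: dst, object, rule absent
]


def check_record(rec):
    """Return the list of deficiencies for one record; an empty list means the record is complete."""
    problems = [f"missing:{f}" for f in REQUIRED_FIELDS if f not in rec]
    # A group account is only traceable when the acting individual is also recorded.
    if rec.get("subject") in GROUP_ACCOUNTS and not rec.get("actor"):
        problems.append("untraceable:group-account-without-individual")
    return problems


def audit_report(records):
    """Summarise deficient records and correlate failed events per individual across source addresses."""
    deficient = {i: check_record(r) for i, r in enumerate(records)}
    deficient = {i: p for i, p in deficient.items() if p}
    failures = defaultdict(set)
    for r in records:
        if r.get("outcome") == "fail":
            # Prefer the individual behind a group account when it is present.
            failures[r.get("actor") or r.get("subject")].add(r.get("src"))
    return {"deficient": deficient,
            "failed_by_identity": {who: sorted(srcs) for who, srcs in failures.items()}}


if __name__ == "__main__":
    for index, problems in audit_report(SAMPLE_RECORDS)["deficient"].items():
        print(f"record {index}: {', '.join(problems)}")
```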
Figure 3 - Sample Internal Audit Action Plan
When developing your IT audit plan, the basic rule of an audit is to follow an audit strategy that evaluates design and risk factors. Compliance audits for different regulations require alternate compliance criteria that provide the comprehensive guide needed to meet the requirements. Common security frameworks such as NIST 800-53, NIST 800-171, ISO 27001/27002, ISO 27018, CIS, CCPA, or GDPR demand an extensive review of distinctive security controls and regulatory legal requirements.