Lately, I’ve been doing a lot of compliance audits (internal and external), mainly against PCI DSS and ISO standards (22301, 27001, 27017, 27018, 27035, 27701).
I love this job, but I’ve noticed that many companies fail to manage their security programs, for various reasons.

The main reason I see is that companies haven’t grasped the extent of the work required, or the degree of involvement they need, to make this project a success.
Of course, I’m talking about compliance with a standard, but that includes the security the organization needs to achieve its business objectives. In that context, when nothing happens to information security, that’s good news; that’s the ultimate goal. Security experts want business operations to be calm, predictable and carried out as planned.
But corporate life isn’t always calm, and managers have business objectives that don’t always include information security.
Some companies are growing fast, which is a good problem to have, but it brings its own stresses: managing that growth through new products or increased system capacity, and sometimes urgently.
Other companies face difficulties at other levels, whether in human or financial resources, or in operationalizing their game plan. It’s easy to see why information security shouldn’t stand in the way of their growth efforts.
For auditors, it’s important to take account of the company’s reality and adapt to it. On the other hand, the conformity assessment work still has to be carried out.
Top non-conformities discovered
So I took a look at my audit reports over the last few months, and here are the main non-conformities observed for various standards.
- The organization doesn’t know its internal and external challenges, or they are not clearly defined;
- As far as governance is concerned, there is no correlation between the objectives of the security program and the security measures taken by the teams. If it’s not written down, it doesn’t exist.
- Network diagrams are often lacking for a complete view of the network;
- System maintenance is not planned, and there is no schedule of periodic activities to anticipate and organize maintenance work;
- Internal audits lack details of what has been assessed and the result of the auditors’ evaluation;
- File management is uncontrolled, and the documents you need to protect can be found anywhere in the organization, unprotected. Do you know where your confidential documents are?
- The scope is poorly understood by stakeholders, and which systems are included or excluded is left to everyone’s discretion. As a result, some systems end up with different security levels for arbitrary reasons. Scope is what gives management visibility of the security posture; “garbage in, garbage out” is the accepted expression here, since management has no real view of the situation.
- An encryption policy is missing; what were encryption and key management again?
Why these non-conformities, what are the causes?
- Companies are not ready, and operations are carried out at the last minute;
- The management system has not been active during the year, and the records are scattered across e-mails and various ticket systems.
- Management is not involved, and documents are reviewed and approved quickly and without any real ownership.
- Misunderstanding of the objectives of the security measures.
So how do you make a success of your audit every time?
For successful audits, simply take the standard you wish to comply with, then break it down by item or security measure.
Answer each security measure with 3 items:
- The documents and procedures that apply to the security measure, so you won’t be looking for them when the time comes for the audit.
- Your company’s situation with regard to this security measure, and your interpretation and understanding of the security measure as it relates to your business.
- Current and future improvement plans.
Remember that an auditor’s objective is to obtain reasonable assurance as to whether or not the security measure has been, and continues to be, in place.
The auditor assesses whether you have the maturity, skills and capacity to maintain a security measure in place.
For example, a security measure such as having a malware protection application in place should be met by the company presenting a dashboard of that protection application. Without such a dashboard, how can it be confirmed that all workstations are adequately protected?
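The dashboard in that example is only evidence if it answers the auditor’s question: is every asset in the inventory actually protected and reporting? The script below is an added example (not from the original post or any vendor) that reconciles a constructed asset inventory against a constructed protection-console export; the field names are assumptions, not a real export format.

```python
# Added example: reconcile an asset inventory against a malware-protection
# console export to produce the coverage evidence an auditor asks for.
# All data is constructed; field names are assumptions, not any vendor's format.
from datetime import date, timedelta

# Constructed inventory: what the organization says it owns.
INVENTORY = [
    {"host": "ws-001", "type": "workstation"},
    {"host": "ws-002", "type": "workstation"},
    {"host": "ws-003", "type": "workstation"},
    {"host": "srv-db1", "type": "server"},
]

# Constructed console export: what the protection tool actually sees.
CONSOLE = [
    {"host": "ws-001", "last_seen": "2024-05-10", "signature_age_days": 1},
    {"host": "ws-002", "last_seen": "2024-03-01", "signature_age_days": 70},
    {"host": "srv-db1", "last_seen": "2024-05-09", "signature_age_days": 2},
    {"host": "ws-999", "last_seen": "2024-05-10", "signature_age_days": 0},
]


def coverage_report(inventory, console, today_iso, max_stale_days=7, max_sig_days=3):
    """Findings the dashboard must be able to answer: hosts with no agent,
    hosts that stopped reporting, hosts with stale signatures, and hosts the
    console knows but the inventory does not (an inventory gap, not a win)."""
    today = date.fromisoformat(today_iso)
    seen = {row["host"]: row for row in console}
    inv_hosts = {a["host"] for a in inventory}
    report = {"unprotected": [], "stale_checkin": [], "stale_signatures": [],
              "not_in_inventory": sorted(set(seen) - inv_hosts)}
    for asset in inventory:
        row = seen.get(asset["host"])
        if row is None:                      # no agent ever reported
            report["unprotected"].append(asset["host"])
            continue
        last = date.fromisoformat(row["last_seen"])
        if today - last > timedelta(days=max_stale_days):
            report["stale_checkin"].append(asset["host"])  # agent present but silent
        if row["signature_age_days"] > max_sig_days:
            report["stale_signatures"].append(asset["host"])
    # A host counts as covered only if it appears in no finding list.
    flagged = set(report["unprotected"]) | set(report["stale_checkin"]) \
        | set(report["stale_signatures"])
    report["coverage_pct"] = round(100 * (len(inv_hosts) - len(flagged)) / len(inv_hosts), 1)
    return report


if __name__ == "__main__":
    print(coverage_report(INVENTORY, CONSOLE, "2024-05-10"))
```

Run against the constructed data it reports ws-003 as unprotected, ws-002 as silent with stale signatures, ws-999 as missing from the inventory, and 50% real coverage, which is the number a “100% deployed” slide would hide.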
In conclusion, do as you say! Create your security policies and guidelines based on your operations. Don’t create policies that are more rigid or binding than your reality, especially when they come from templates obtained from the Internet, since these often aim for perfection, which is rarely your reality.