{"id":1681,"date":"2020-02-11T01:00:00","date_gmt":"2020-02-11T01:00:00","guid":{"rendered":"http:\/\/inswwdev.azurewebsites.net\/au\/insights\/uncategorized\/recovering-from-a-failed-audit-and-preparing-for-re-audit\/"},"modified":"2022-04-29T02:30:26","modified_gmt":"2022-04-29T02:30:26","slug":"recovering-from-a-failed-audit-and-preparing-for-re-audit","status":"publish","type":"post","link":"https:\/\/www.insentragroup.com\/au\/insights\/geek-speak\/secure-workplace\/recovering-from-a-failed-audit-and-preparing-for-re-audit\/","title":{"rendered":"Recovering from a Failed Audit and Preparing for Re-audit"},"content":{"rendered":"\n<p>If we are to accept the now common statement \u201cInformation is your most valuable asset\u201d then it is fair to say this information must be protected and have controlled access. Any risks associated with data loss, IP theft, sharing of information or compliance breaches should be fully understood, together with any potential financial or reputational damage resulting from a data loss or breach event.<\/p>\n\n\n\n<p>Like all high value assets, control over who has access, and more importantly why, is critical. Failure to have controls in place may limit the ability to recover from an event, and\/or be the reason for a failed information governance audit. 
If the information retained in your business is of high value, then naturally it becomes a target. The audit process is part of your protection strategy, and undergoing, or worst case, failing an audit can be a daunting process.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"i-understand-but-tell-me-more-about-why-i-should-care\">I understand, but tell me more about why I should care<\/h3>\n\n\n\n<p>Many businesses are audited every year and preparation for these audits often involves a mad scramble by IT departments to ensure they can prove the right people have access to the right information.&nbsp; Access reports are created, carved up and sent to managers, seeking confirmation the right people have access.&nbsp; This process works OK for traditional file shares; however, with data sharing made so simple with OneDrive, SharePoint and particularly Teams, who really knows who has access to what? Can you remember everyone you have shared a file with?<\/p>\n\n\n\n<p>Information governance audits can be the reputational make or break for a business. Being prepared for an audit or recovering from a failed audit and preparing for &#8220;<strong>Re-Audit<\/strong>&#8221; is critical and should not be underestimated. Costs to a business of a failed audit can spiral as teams within the organisation &#8220;rally&#8221; to resolve failed audit controls, often leading to the implementation of unnecessary tools or products. 
If you have the ability to quickly see who has access to what data and, importantly, the reason why, audits can become a walk in the park.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"i-am-in-the-re-audit-category-due-to-a-recent-uncomfortable-experience-and-need-to-move-to-the-pre-audit-level-of-readiness\">I am in the \u201cRe-Audit\u201d category due to a recent \u201cuncomfortable\u201d experience and need to move to the Pre-Audit level of readiness<\/h3>\n\n\n\n<p>The image below portrays an all too familiar outcome for organisations in the <strong>\u201cRe-Audit\u201d<\/strong> category, where some new audit areas are identified or, worst case, there are repeat control items highlighting potential gaps in the ability to resolve items or incomplete actions.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"1022\" height=\"623\" src=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2020\/02\/insentra_lee_foster_blog_img_1.jpg\" alt=\"\" class=\"wp-image-9685\" title=\"\" srcset=\"https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2020\/02\/insentra_lee_foster_blog_img_1.jpg 1022w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2020\/02\/insentra_lee_foster_blog_img_1-300x183.jpg 300w, https:\/\/www.insentragroup.com\/au\/wp-content\/uploads\/sites\/22\/2020\/02\/insentra_lee_foster_blog_img_1-768x468.jpg 768w\" sizes=\"(max-width: 1022px) 100vw, 1022px\" \/><\/figure>\n\n\n\n<p><strong>Here are the top 8 common audit findings<\/strong> across a group of government<\/p>\n\n\n\n<p>(NSW, 2019)<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>User access administration deficiencies at 58% of clients related to granting, review and removal of user access<\/li><li style=\"text-align: justify;\">An absence of privileged user activity reviews at 35% of clients<\/li><li style=\"text-align: justify;\">Password controls which did not align to 
password policies at 20 per cent of agencies<\/li><li style=\"text-align: justify;\">Out-of-date policies or an absence of policies to guide appropriate access decisions<\/li><li style=\"text-align: justify;\">Poor record keeping and document retention<\/li><li style=\"text-align: justify;\">Incomplete or inaccurate centralised registers or gaps in these registers<\/li><li style=\"text-align: justify;\">Policies, procedures or controls no longer suited to the current organisational structure or business activities<\/li><li style=\"text-align: justify;\">68% of clients maintain an inventory of their sensitive data and where it resides. However, these inventories are not always complete, and risks may be overlooked<\/li><\/ol>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"failing-to-prepare-is-preparing-to-fail-get-set-for-success\">Failing to prepare is preparing to fail \u2013 Get set for success<\/h3>\n\n\n\n<p>One of the most prevalent reasons for audit failure is related to the control of user access. To address this, there needs to be a mechanism to understand not just who has access but, equally or more importantly, <em>why<\/em> they have access.&nbsp; If we can do this in an automated fashion, we can then satisfy the audit control robustly and simply.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"how-can-torsion-help\">How can Torsion help?<\/h3>\n\n\n\n<p>By continually tracking access in the background and monitoring who has access to what, Torsion will intelligently detect anomalies and vulnerabilities, flagging any issues to the right people. 
Using advanced machine learning, Torsion will automatically determine who has access to information and bring any potential vulnerability to the attention of the file\/directory\/SharePoint site owner for review.&nbsp; If they agree there is a problem, Torsion fixes it.<\/p>\n\n\n\n<p>Rather than manually compiled groups to control access, Torsion can use a simple rule such as \u201cAnyone in Marketing or Sales in Boston or Sydney and a Director\u201d can have access.&nbsp; Then, as people change roles and move around, who has access to important files, folders, Teams and sites is updated automatically and accurately.&nbsp; Access doesn\u2019t have to be immediately revoked; it can also be decayed over time to give time for handovers and the like.<\/p>\n\n\n\n<p>By creating simple rules and policies such as these to control who is permitted access to different types of information, Torsion will identify if a user attempts to share information with someone inappropriate and actively prevent the share. Integrating seamlessly into SharePoint, Teams and more, when someone shares a file or site, \u2013 could be their job role or department, the account they are working on or even covering for a colleague on leave.<\/p>\n\n\n\n<p>Example \u2013 Re-audit without Torsion: Steve in Finance shared a file with Erika in Payroll, which at the time of sharing the information was a fair and reasonable thing to do. However, Erika now leaves Payroll and moves into Marketing to do something \u201ca little more exciting\u201d. Erika\u2019s access to Finance remained. At the time of the audit, processes for managing staff moves were not in place and\/or had not been executed. As a result, the business had no idea of the resulting risk and no way of knowing why the access was granted (oxygen for an auditor).<\/p>\n\n\n\n<p>The problems identified in this scenario are, at a minimum: 1. The reason for sharing the file was not captured; and 2. 
Once Erika changed roles, no notification of the role change and\/or management of the resulting stale access was provided, and therefore her access was not revoked.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"let-s-add-torsion-to-the-equation\">Let\u2019s add Torsion to the equation<\/h3>\n\n\n\n<p>With Torsion in place, prior to sharing the file or location, Steve asked Torsion to create a rule which only allowed individuals in the Payroll team to have access and to revoke all other access. Now, when Steve attempts to share the file with Erika, he is asked for a \u201creason for sharing\u201d and provided with an option to set a \u201ctime period\u201d for which access will be available. For as long as Erika remains in Payroll, her access is valid for the time period granted. However, when Erika moves to Marketing, the business rule created by Steve is broken because her role is no longer in Payroll; Steve, as the data or site owner, is immediately notified of the change and can choose how he wants to manage access to the file (decay over time or revoke immediately).<\/p>\n\n\n\n<p>Now that Steve is aware of the issue, he can get even more creative, go beyond just Payroll and ask Torsion: \u201cShow me all users in <strong>my office location<\/strong> with <strong>finance<\/strong> in their job description or title who have access to this file location.\u201d Steve will then be provided with a list of users who meet the criteria, together with those who have access but <strong>do NOT<\/strong> meet the criteria. This is where it gets interesting, as control is now very much in Steve\u2019s hands. 
With this new level of visibility, access control and information governance become very manageable, and with the power in the hands of the business units who own the content, Steve becomes very well equipped to deal with the <strong>Re-audit<\/strong> process and can solve the number 1 problem (granting, review and removal of user access).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"in-summary\">In Summary<\/h3>\n\n\n\n<p>Moving from \u201cRe-Audit\u201d to \u201cPre-Audit\u201d can be achieved in an effective and controlled manner, without the typical \u201cflurry of activity\u201d and poor decisions made post-audit. Adding Torsion to your arsenal can help you get grounded with information governance. Getting into this position of power is rewarding both personally and professionally, as you now have one less thing to worry about and can be confident in your ability to respond to audit requests, both internally and when imposed by external parties. Furthermore, once Torsion is in place, the \u201cOh my g-d we have an audit coming up\u201d disappears from your vocabulary. You can be confident in knowing the right people have access to the right files for the right timeframe. 
No longer does IT need to be held accountable for what really is a business decision.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"want-to-see-this-in-action\">Want to see this in action?<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li><a title=\"Canned Demo\" href=\"\/au\/services\/technology-partners\/torsion\/\" target=\"_blank\" rel=\"noopener\"><strong>Click here<\/strong><\/a> for access to our \u201ccanned\u201d demo<\/li><li><a title=\"Proof of Value\" href=\"\/au\/services\/technology-partners\/torsion\/\" target=\"_blank\" rel=\"noopener\"><strong>Register here<\/strong><\/a> for your Proof of Value<\/li><li><a title=\"Contact us\" href=\"\/au\/contact\/\" target=\"_blank\" rel=\"noopener\"><strong>Contact us<\/strong><\/a> for more information<\/li><\/ul>\n","protected":false},"excerpt":{"rendered":"<p>If we are to accept the now common statement \u201cInformation is your most valuable asset\u201d then it is fair to say this information must be protected and have controlled access. 
Any risks associated with data loss, IP theft, sharing of information or compliance breaches should be fully understood, together with any potential financial or reputational&hellip; <a class=\"more-link\" href=\"https:\/\/www.insentragroup.com\/au\/insights\/geek-speak\/secure-workplace\/recovering-from-a-failed-audit-and-preparing-for-re-audit\/\">Continue reading <span class=\"screen-reader-text\">Recovering from a Failed Audit and Preparing for Re-audit<\/span><\/a><\/p>\n","protected":false},"author":55,"featured_media":6540,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[20],"tags":[],"class_list":["post-1681","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-secure-workplace","entry"],"_links":{"self":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts\/1681","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/users\/55"}],"replies":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/comments?post=1681"}],"version-history":[{"count":3,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts\/1681\/revisions"}],"predecessor-version":[{"id":9686,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/posts\/1681\/revisions\/9686"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/media\/6540"}],"wp:attachment":[{"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/media?parent=1681"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/categories?post=1681"},{"taxonomy":"post_tag","embeddable
":true,"href":"https:\/\/www.insentragroup.com\/au\/wp-json\/wp\/v2\/tags?post=1681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}