As a Network Administrator, you may be tasked with keeping audit trails and providing reports at the request of a compliance auditor or a member of management who is undergoing an audit. Here are some best practices that should help you ALWAYS be prepared for future audits.
DOCUMENT, DOCUMENT, DOCUMENT!!! Documentation is hands down the most tedious part of preparing for an audit. However, if you are diligent in documenting everything, you will reap rewards well beyond passing an audit. If you have been tasked with collecting logs from your network devices and preparing for audits, organizing your policies and procedures and documenting EVERYTHING is critical. Always approach documentation with a mindset of “If I am not here, can anyone follow these procedures?” Finally, always remember that audits are an ongoing process. It’s best to schedule review sessions and regularly revise your documentation throughout the year. Typically, I have seen a minimum of once per quarter; however, I highly recommend a monthly or even weekly review.
Clearly understand your compliance requirements and DON'T SKIP ANYTHING. Every regulated industry is different. Understanding what is required for your specific industry can be a challenge. Some compliance requirements are clearly defined while others provide only vague details. Be proactive when it comes to finding out new compliance requirements. If at all possible, either talk to a QSA (Qualified Security Assessor) or review online guidance from a QSA. They are trained in the compliance requirements for specific industries. Industries like PCI, HIPAA, and DISA have specific guidelines surrounding network devices. For example, PCI provides a security standards document that discusses network segmentation, wireless, auditing, and more (https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf). ISO also provides an audit checklist specifically for routers (https://ocio.osu.edu/sites/default/files/assets/IT-Security/ITsec-router-audit-checklist.pdf). SANS provides a good general audit checklist for firewalls (https://www.sans.org/media/score/checklists/FirewallChecklist.pdf).
Identify network devices. Now that you have documented everything and have a clear understanding of your requirements, identify which devices must be monitored for compliance. Because security touches everything in your network, I recommend working with stakeholders, managers, and IT staff to conduct a review and diagram your network architecture to make sure you don’t miss any network devices. Another important part of compliance is identifying potential threats outside your network. The approach I take when it comes to the network is that if a device falls within the path of the data you are trying to protect, it will almost always fall under the scope of compliance.
Schedule or automate reports. Unless you have a dedicated internal compliance auditor, it can be difficult to manage the data collected from all of your devices. Once you identify what you need to collect, in most cases, you can create and schedule reports that provide the data an auditor needs to review. Store the reports in a secure compliance folder somewhere and make sure they are date/time stamped. Many industries like HIPAA, PCI, and SOX require ongoing reviews of audit trails. Most of the Log Management and SIEM tools have compliance reporting as an embedded feature so it is important to take advantage of it. This will prevent a ton of excess work come audit time.
Review policies and procedures. If you consistently review your procedures and compare them with the most current requirements, you should always be prepared for an audit. I strongly recommend a review every quarter at a minimum—monthly is ideal. The security landscape changes rapidly, so you will see regulated industries like PCI frequently update their requirements. This means you could be surprised with a new request for data that you haven't been collecting and possibly fail an audit.
Meeting compliance regulations can be challenging when it comes to collecting the necessary audit trails. Hopefully, these suggestions give you some ideas or jog your memory and motivate you to start that compliance review!
This post is part of our Best Practices for Compliance Series.