We’ve been talking about simplified security processes a lot at Pivot Point the last six months and I would like to use this space to discuss simplified security auditing. IT security is inherently complex but I think people need simple solutions to help them manage the security risks that complexity causes. I’m going to discuss two different ways to simplify security auditing – scope and rigor.
One way to simplify a security audit is to limit the scope of controls the audit will cover. For example, the CobiT framework includes 34 processes with 210 control objectives. The IT Governance Institute (ITGI) has provided tools to simplify an audit using the CobiT framework by identifying control processes of High, Medium and Low Importance. There are only nine CobiT processes with 66 control objectives labeled High Importance, which reduces the scope of the audit by 69%. Additionally, the ITGI published CobiT Quickstart which provides another method for organizations to reduce the scope and complexity of an IT audit by 72% to 59 control objectives.
“Simplified rigor” sounds like an oxymoron but rigor describes the extent of testing required for an audit. The Open Source Security Testing Methodology Manual (OSSTMM) provides auditors the flexibility to conduct every test imaginable or no test at all in order to complete a Security Testing Audit Report. An OSSTMM audit can be simplified by only conducting the tests necessary to count the visibility, trust and access in the scope. OSSTMM identifies this calculation as “porosity”, which is the number of holes in the scope that allow interaction with people, processes and technology. According to OSSTMM, the porosity calculation establishes the Operational Security of the scope which is different from the Actual Security. The Actual Security includes controls and any limitations they may have. While Actual Security would be preferred in most cases, identifying Operational Security can also provide value because it illustrates what needs to be controlled – a valuable starting point for any security discussion.
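As an added illustration (not code from the original post or from OSSTMM), the Python below tallies porosity for a constructed scope using the OSSTMM 3 counting conventions as I understand them: visibility is the number of reachable targets, access is the number of open service ports on those targets, and trust is the number of unauthenticated interactions between in-scope targets; it also reproduces the CobiT scope reductions quoted above. The Target class, the helper names and the sample hosts are assumptions made for this example.

```python
"""Tally OSSTMM-style porosity for a constructed scope and CobiT scope reductions."""
from dataclasses import dataclass, field


@dataclass
class Target:
    """One in-scope system (hypothetical model, not an OSSTMM data structure)."""
    name: str
    reachable: bool                  # answers the auditor at all -> visibility
    open_ports: list = field(default_factory=list)  # each open port is an access point
    # (peer_name, authenticated) pairs: interactions with other targets
    trusts: list = field(default_factory=list)


def porosity(scope):
    """Return the visibility, access and trust counts and their sum (porosity)."""
    in_scope = {t.name for t in scope}
    visibility = sum(1 for t in scope if t.reachable)
    # Ports on an unreachable host are not an interaction point the auditor can count
    access = sum(len(t.open_ports) for t in scope if t.reachable)
    # Only unauthenticated interactions whose peer is also in scope count as trust
    trust = sum(1 for t in scope for peer, authenticated in t.trusts
                if peer in in_scope and not authenticated)
    return {"visibility": visibility, "access": access, "trust": trust,
            "porosity": visibility + access + trust}


def scope_reduction(total_objectives, kept_objectives):
    """Percent of control objectives dropped when limiting audit scope."""
    return round(100 * (1 - kept_objectives / total_objectives))


# Constructed sample scope: four hosts, one of them unreachable, one trust to an
# out-of-scope domain controller that must not be counted.
SCOPE = [
    Target("web-dmz", True, [80, 443], [("db-int", False)]),
    Target("db-int", True, [3306], []),
    Target("backup", False, [22], [("db-int", True)]),
    Target("vpn-gw", True, [443, 1194], [("ad-dc", True), ("web-dmz", False)]),
]

if __name__ == "__main__":
    print(porosity(SCOPE))                       # visibility 3, access 5, trust 2 -> 10
    print(scope_reduction(210, 66), "% reduction for High Importance processes")
    print(scope_reduction(210, 59), "% reduction for CobiT Quickstart")
```

The porosity figure is the Operational Security starting point the post describes; controls and their limitations (Actual Security) are deliberately left out of the count.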
Hopefully, CobiT and OSSTMM can help you simplify your next IT security assessment and begin to manage your IT risks with more confidence moving forward. If not, then maybe some of the methods that I’ll be discussing next month will help simplify your next security audit.