Technical Briefing: IT auditing on a budget

As if public organisations aren’t under enough pressure to ensure their IT systems are safe, secure and appropriately audited and managed, their problems are further compounded by the introduction of CESG’s Good Practice Guide no.13 (GPG13), which outlines 12 key controls for protective monitoring.

While GPG13 is not mandated yet, IT and security managers of HMG organisations know they have to prepare for its specific monitoring requirements, including the need to monitor in real time. But they are also under equal pressure to curb spending.

Knowing what’s going on in your IT infrastructure underpins many of these challenges. But if you ask most organisations in the public or private sector how they currently audit and monitor their IT infrastructures, a majority will tell you it’s through an array of crude native auditing tools and a time-consuming manual process. It seems the standard for auditing is a reactive process carried out either after an incident or before an auditor’s visit.

A recent study from research and analysis firm Quocirca confirmed this ‘fire fighting’ approach to auditing: 70% of those surveyed admitted that changes were often made immediately prior to compliance audits and then allowed to lapse. The group also found that less than 20% of organisations fully automate the gathering of data for audits.

Why the disconnect?
This research demonstrates clearly that most organisations rarely know what is going on in their IT infrastructures – a simple matter of who did what, where and when. So why is auditing not being taken seriously? Given the implications of a failed compliance audit, security breach, data theft or just a system configuration change made in error, why are they taking such risks?

One reason is the apparent disconnect between IT/security teams and the audit and compliance departments. There is a strong argument for IT audit to be the full responsibility of the IT department and integrated into their policies and day-to-day processes.

When it comes to IT auditing technology, there is no shortage of vendors offering tools to automate IT auditing, so why are organisations still taking such a manual approach? Not surprisingly, cost is the biggest reason. This is particularly acute in the public sector: while there is a clear need, most products are not within reach of stretched public sector budgets. Their price points are at odds with the problems they solve.

Suppliers need to get back to basics and have sensible conversations with their prospects to identify the critical needs and define the point at which a change auditing solution is able to deliver ROI.

Let me give you a real-world example that happens to be one I’m familiar with, as my firm helped out. With 250 sites and 110,000 users, Warwickshire County Council LEA has replaced its time-consuming IT auditing processes with a NetWrix solution to track and control changes, prevent security breaches and meet compliance requirements across all of its IT platforms.

“With thousands of IT people across our schools and no effective means of auditing who changed what and when, NetWrix now provides a simple and automated means of auditing all our users across a broad range of systems,” said Chris Page, Technical Development Manager at Warwickshire.

The LEA now has complete visibility of its whole infrastructure and gets real-time alerts of potentially unauthorised changes. Detailed compliance-ready reports and archived event logs show not only the changes made but what they were changed from, with the ability to roll back changes made in error. It also provides additional security and accountability by being able to track the activities of consultants, temporary staff and contractors.

Pain and complexity – can they be avoided?
IT auditing and compliance vendors need to learn from the public sector pricing strategies of companies such as Microsoft and Sophos if they are to have any chance of gaining widespread adoption. And in many cases, vendors need to offer scaled-down versions of their products to meet specific IT audit needs instead of offering everything but the kitchen sink! What most organisations actually need is something affordable and simple to deploy that can quickly show them ‘who, what, where and when’ changes are made, alert them to critical changes and give them compliance-ready reports.
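To make the ‘who, what, where and when’ requirement above (and the before-value and roll-back capability described for the Warwickshire deployment) concrete, here is a small added example of change auditing in Python. It is not NetWrix code or anything from the council’s deployment: it diffs two constructed snapshots of a directory group, records each changed attribute with its previous value, flags changes to an assumed list of critical attributes, and restores a value from the record. The attacker account, host name, timestamp and critical-attribute list are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Any

# Attributes whose change should raise a real-time alert (constructed policy, not from the article).
CRITICAL_ATTRIBUTES = {"members", "password_never_expires"}


@dataclass(frozen=True)
class ChangeRecord:
    """One 'who, what, where, when' audit record; keeps the old value so it can be rolled back."""
    who: str      # account that made the change (assumed to come from the captured event)
    what: str     # "<object>.<attribute>" that changed
    where: str    # system on which the change was observed
    when: str     # ISO-8601 UTC timestamp of the event
    before: Any
    after: Any


def diff_snapshots(old: dict, new: dict, who: str, where: str, when: str) -> list:
    """Compare two snapshots ({object: {attribute: value}}) and emit one record per changed attribute."""
    records = []
    for obj in sorted(old.keys() | new.keys()):
        old_attrs, new_attrs = old.get(obj, {}), new.get(obj, {})
        for attr in sorted(old_attrs.keys() | new_attrs.keys()):
            if old_attrs.get(attr) != new_attrs.get(attr):
                records.append(ChangeRecord(who, f"{obj}.{attr}", where, when,
                                            old_attrs.get(attr), new_attrs.get(attr)))
    return records


def critical_alerts(records: list) -> list:
    """Select the records an operator should be alerted about in real time."""
    return [r for r in records if r.what.rsplit(".", 1)[-1] in CRITICAL_ATTRIBUTES]


def rollback(snapshot: dict, record: ChangeRecord) -> dict:
    """Return a copy of the snapshot with the recorded 'before' value restored."""
    obj, attr = record.what.rsplit(".", 1)
    restored = {name: dict(attrs) for name, attrs in snapshot.items()}
    restored.setdefault(obj, {})[attr] = record.before
    return restored


# Constructed sample: a directory group before and after an out-of-hours change by a contractor.
BEFORE = {"Domain Admins": {"members": ("alice", "bob"), "description": "Domain administrators"}}
AFTER = {"Domain Admins": {"members": ("alice", "bob", "contractor1"), "description": "Domain admins"}}
RECORDS = diff_snapshots(BEFORE, AFTER, who="contractor1", where="dc01", when="2024-01-01T02:15:00Z")

if __name__ == "__main__":
    for r in RECORDS:
        print(f"{r.when} {r.who}@{r.where} changed {r.what}: {r.before!r} -> {r.after!r}")
    print("alerts:", [r.what for r in critical_alerts(RECORDS)])
```

The description edit is logged but silent, while the membership change is both logged with its old value and raised as an alert; in production the snapshots and the ‘who’ field would come from the platform’s own event source rather than from hand-built dictionaries.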

After all – the whole purpose of buying such a solution is to take the pain and complexity out of auditing and monitoring, not to add another layer or require additional investment in training and professional services. If widespread adoption of automated auditing is going to happen, it needs to be affordable, simple and deliver real savings in time and cost.