This month the theme is technology, and when it comes to information security, there is a whole lot of that around. From firewalls to switches, IDS to SIEM, to a lot of other hardware and software with 3 and 4-letter acronyms, technology is at the heart of information security. But how does an enterprise ensure that the huge amounts they spend are implementing good security. That is where an information security audit comes to play.
It’s not clear if Benjamin Franklin really it said this, but it is a fact nonetheless: if you fail to plan, you are planning to fail.
When it comes to information technology or information security audits, far too many organizations don’t really plan for them. They repeat the mistake Fred Brooks identified in his groundbreaking 1975 book The Mythical Man-Month, that throwing more people at a problem, counterintuitively, will not make the project finish faster. Out of that came Brooks's law: adding manpower to a late software project makes it later.
In IT Security Risk Control Management: An Audit Preparation Plan (Apress 978-1484221396), author Raymond Pompon takes the approach that metaphorically speaking, every day is camera day. Rather than dressing up the IT department for audit week, ensure the department is audit ready the enter year.
Pompon notes that an audit is meant to show the effectiveness of a good information security program. Rather than focus on the audit, focus on what needs to be done to put good security controls and business processes in place, and a successful audit will follow.
For those looking to build a good security program, the book is quite helpful in that it shows how to implement real security, not audit check-box security.
The book provides a good mix of technical and business known how, and he also details a number of tools that can be used to a new or existing security program.
The mistake that using a check-box approach engenders, is that it is narrowly focuses to the specific audit at hand. Be it HIPAA, Sarbanes-Oxley, PCI and the like. Pompon encourages the reader to take a much broader approach. By doing that, they will implement good security controls, to with a passing audit is much more likely.
As under 300 pages, the book is deep enough to cover all of the core areas of information security. It provides the reader with a very good start in creating their infosec program. The goal of an audit is to pass it. And to pass it take good security. The best way is to build that in from the start. And if you want to do that; IT Security Risk Control Management: An Audit Preparation Plan is an excellent resource to get you there.