
Welcome, everyone. I know a few of you have been waiting outside on this crisp winter morning, so thank you for your patience. My name is Sadikmia. I'm head of security and compliance for a company called Blue Prism. Blue Prism provides intelligent automation solutions to companies all over the world; we actually have a lot of NHS customers automating their processes. My responsibility is security incident management and vulnerability management, as well as compliance, and it's the compliance area I'll be focusing on here today. I've got quite a few years of experience, five years now: I think I started this role in July 2020, and over that time I've led multiple audits, both ISO 27001 as well as SOC audits, and on the roadmap we have FedRAMP next year, which I'm not particularly looking forward to, but we'll see how that goes. So yes, I've got some experience. Just a caveat: I know it says "Mastering Infosec Audits", which is a catchy title to get you all in. I'm not going to claim to be a master of audits, but I feel I have some good experience which I'd like to share, and I want to share that knowledge and experience and also get rid of some nerves. So that's the objective for today.

Now, first of all, we need to know our why. What is the goal of information security audits? A question an auditor will ask is: what are you trying to achieve with this certification? Whether it's an ISO 27001 or a SOC audit, the auditor will want to know why you want this certification, and this is where the leadership and those involved in the audit need to be clear. There are various reasons: it could be to gain new business, it could be to prove the controls, etc. I'm going to touch on a few of these. For me personally, first and foremost is to improve the organization's security. As a security professional, that's a clear objective that we need to have.

Now there are a few domains, if you're not familiar, that are usually covered. They're known as the CIA triad, nothing to do with the US intelligence agency: that's confidentiality, integrity and availability. And there are other categories, depending on the audit you're going through, which include privacy and authenticity, etc. But confidentiality, integrity and availability usually cover most of it. There are multiple controls, depending on the certification, that these fall under, and as part of your preparation you'll be assessed on these controls.

So the audit is an opportunity to validate the controls that you have, the controls that you say you've implemented, and it's an opportunity for you to confirm via an external body that these controls are strong controls. So when you go into an audit, have this mindset: it's an opportunity to externally validate the controls that have been implemented, not necessarily just by yourself but by other teams that you're relying on. Sometimes they say, "Oh, we've implemented this, we're all good, you don't need to bother us," but then a third party comes in, they interview other teams or request evidence, and that really tests those controls.

The audit also identifies gaps. Sometimes, depending on the culture of the organization you're working in, you may find you don't get the support you need in this particular area, because they don't want an auditor or anyone to know about the gaps you have within your organization or the security controls. But depending on the mindset you have, this is an opportunity to identify those gaps and address them, and during the audit period you're given the opportunity to remediate things. The audit can also identify vulnerabilities you may have. For example, you'll be assessed on your patch management and your vulnerability management processes. By reviewing these processes, the audit can see if you have any gaps, so again it's an opportunity to improve those particular areas. And finally, risk management is a key part of information security audits. They'll see the process that you have, your documentation, etc. Risk management is key, and if there are gaps in your risk management process, the auditor will be able to give you some guidelines on those to improve.

Next is general compliance. Depending on the type of business or organization you're involved in, there are different regulations that you need to adhere to, and there are also industry standards. There are standards such as NIST or CIS that companies often adhere to. So by conducting an audit you're able to see how you're performing against these standards you profess to align to. Again, it's an opportunity to see where you can improve from a compliance perspective.

By going through this whole process, it's an opportunity to provide assurances to third parties. You may work with partners. You may have customers or suppliers who want assurances that you do have good security controls in place. By going through the audit process and having a certification at the end of it, you're able to provide the assurances people are often looking for, and this assurance can also assist you in gaining new business. So, for example, with the company I work for, I often face customers, whether it's security teams or even CISOs, and they'll be asking, "Okay, what security controls do you have?" Having gone through a certification does make that conversation easier: you can talk to the controls that you have implemented and you can say, yes, we have had a third party, an independent body, assess the controls that we have. And there are some questionnaires that you may get faced with, depending on the role you have, and I'm talking about hundreds of questions that you have to answer. It's not a fun part of my job, but it needs to be done, and having gone through these certifications allows you to answer many of those questionnaires. One particular one that comes to mind is the NHS toolkit, and in that, many of the items are automatically ticked off by saying that you have ISO 27001. So, just to give you an example, it does make that due diligence process you have to go through with third parties such as customers that much easier, and it's a business case to gain new business and retain existing business, because during renewals you need to provide proof that you still have the certification in place.

I just want to talk about the whole audit process. The three key stages I'd like to cover are planning, preparing and presenting. As you probably know, in the professional world, what's that phrase? I remember it now: if you fail to plan, you plan to fail. That's it. Thank you. So planning is extremely key, and planning well in advance will make your life easier and, as the talk is about reducing stress, will hopefully make the audit process less stressful.

What do I mean by planning? So during an audit the auditor will want to see your policies, your procedures, and ultimately the controls that have been implemented should align to those policies and procedures. Doing that planning is an opportunity for you to do an internal assessment to see, okay, are we actually aligning to those policies? Do we do what we say we do? And you want to be assessing that before you come to the audit. Part of the planning, I would say, is to get that leadership buy-in. If you don't have that sponsorship, that support, it will really make things difficult, and I'll give you an example. By having that leadership support, you're able to engage the teams that you need, because when it comes to audit, you need to provide evidence, and if you don't have the relevant experts or teams on board, it really makes providing that evidence difficult. Whereas if you have that leadership buy-in, hopefully they will be able to instruct the teams and say, okay, this is important to the business, everyone needs to support this. In my experience that has paid dividends, because all the teams have supported the audit process, so when we've needed someone we haven't had excuses like "Oh, I've got something more important to do." The individuals have come forward. Part of the planning is to review your policies and procedures and make sure they're up to date. The auditors will go through them. Depending on the auditor, they may scrutinize particular policies, and they'll want to see that they have been reviewed regularly and kept up to date. You have to ensure that you are reviewing them and you're implementing what you say you are, because, especially for technical controls, they want to see the evidence. Part of the planning is that you need to send out clear communication about what the audit is about and what's expected, especially to those teams that will be directly involved. If they don't know what they'll be asked about and what's expected, it's unfair on them, so communicating clearly what's expected from them will make it easier for them, and eventually for yourself, when you're involved in the audit process. And announcing the audits as well: I've actually had auditors ask, "Have you communicated this?" and I can show an email: yes, we've communicated this to the business.

Next is preparing. Oops, that wasn't meant to happen. The preparation stage: understanding and mapping controls. Depending on the certification that you're working towards, you need to see which controls are relevant. Sometimes some controls are relevant for your business and others aren't, so by going through that process you identify what's relevant and then implement those controls. Again, starting well in advance, you're able to implement as much of that as possible, and going through that process you'll also see where there are gaps. When you identify these gaps, you can say, "Oh, what are we going to do about it?" So you engage those teams, and the auditor wants to see that you've thought about any gaps and what you're trying to do, because the auditor knows you're not going to have everything perfect. If you can demonstrate, yes, we know about this and this is what we're trying to do, we have a plan, then it'll make your life easier and get you bonus points from the auditor. Also part of the preparation is gathering the evidence and organizing the evidence so it's in one central place, so you're not running around like a headless chicken looking for things. And if you're inviting people (I was speaking to someone earlier on about this), sometimes you invite a technical person on a call and they're talking about all sorts of things and you're just thinking, "Oh my god, why did I bring this person?" So, if you're going to invite teams or individuals, I would suggest you have a coaching session, brief them, and be specific: this is what you're going to be asked about, talk about these things, you don't need to talk about all these other things. Again, that's not necessarily to cover things up; it's just so it's controlled. Sometimes people bring up, and I've seen this, irrelevant matters that the auditor is not interested in, and it just causes confusion.

The last part is the presenting. As I said, you need to engage the relevant people, so if you have the correct teams it just makes it smoother; otherwise, going back and forth trying to find the right people doesn't give the best of impressions. Having the leadership allocate the right resources will mean you have the right people to support you in that audit process. There are times where you need to share evidence, and there are walkthroughs in SOC audits. I've just completed a SOC audit that went on over 5 months, 5 months of audits. The amount of walkthroughs we had is unbelievable. It was a relentless period; I took some time off after that. But just to give you an idea, by preparing and having people lined up, the auditors were very impressed with what we did, but that came down to that preparation. So the audit is also an opportunity to showcase what you do as a business and the good controls that you have, and an opportunity to learn on areas of improvement. The auditor has seen many businesses and organizations, so it's an opportunity to find areas of improvement. And if the auditor asks something that you don't understand, you can defer to someone else or let them know that you'll come back to it.

So to recap, to reduce stress when leading audits, ensure you plan and prepare well in advance, updating policies and procedures and ensuring controls are aligned to those policies and procedures. Obtain leadership support so they provide the resources that you need. I'll quickly share an audit hack: if you have an analyst or a project manager to organize documentation, schedule calls and bring people in, that will make your life that much easier. And go in with the mindset that it's an opportunity to learn and improve your security, because when the auditor sees that you're not there to cover things up, then you build that rapport, gain that trust, and from my experience that makes the process that much easier. Thank you very much for listening, and hopefully this has been useful.