I want to cover an interesting question I saw on a recent cybersecurity audit. The audit came from one of the largest commercial insurance firms in the world, and the law firm who represents this firm is Onward’s client.
- Does your organization conduct continuous monitoring, and/or use systems on an ongoing basis to detect changes in information systems that may create or indicate vulnerabilities?
Answers (check all that apply):
- Our organization schedules manual vulnerability assessment engagements on at least an annual basis, or upon significant system change
- Vulnerability scanning tools are implemented, and the results are analyzed and reviewed
- Risk assessments are conducted, reviewed and approved, and new and emerging risks are considered
- Our organization scans for vulnerabilities in our information systems and applications
Depending on the definitions of these terms, some firms may find their answers changing. These audits can also incur a lot of cost for a firm, depending on the definition.
The question asks about “continuous monitoring” and uses the word “ongoing.” At Onward, clients who need continuous monitoring use OnwardSIEM with Autowatch, which provides 24/7 Security Incident & Event Monitoring services. However, the available responses don’t even discuss real-time or continuous monitoring in a technical sense.
Instead, the listed responses ask about scheduled, manual vulnerability assessments (many organizations conduct them quarterly or annually) (Onward offers this service, too) which are vulnerability snapshots – a list of vulnerabilities found at a point in time from a vulnerability scanner or network of scanners. Quite different from continuous monitoring.
Firms can also respond that they conduct risk assessments – anyone who has ever conducted a risk assessment knows this is a lengthy process with weigh-in from various departments (legal, finance, HR, operations) to determine how risky something is and what weight it should have relative to other risks from other departments.
Finally, firms can respond that they do conduct a scan for vulnerabilities without providing any evidence or validation. According to this language, a technician could take a walk around the office and report that nothing looks unlocked or vulnerable and pass this audit.
WHAT’S THE RISK?
Firms are at risk of both overreacting and underreacting to this audit question, depending on how the terms are defined at the next audit cycle. If a firm reads this audit question as requiring only a quarterly vulnerability scan and annual risk assessment, their budget will be out of alignment next year if the term is changed to require SIEM services.
I always recommend to my clients to start by assessing the risks, and address the risks up to their comfort level. Passing the audit is important, but many firms find they need the increased security and responsiveness of a SIEM even if it’s not mandatory in a cybersecurity audit.
I also tell firms not to twist their existing security policy or product definitions to meet the audit requirement. If a firm is responding to this audit and hasn’t had a proper penetration test/vulnerability scan in the last quarter, I always tell them to have that done before responding to the audit, rather than trying to use some free scan results as a workaround.
Above all – I tell clients to read the language as cautiously as possible. If the data our client is supposed to protect is highly sensitive (patient data or financial data, for example), firms must be prepared to over-protect that data rather than under-protect. If the worst happens and we have to defend our responses in the audit, we need to be sure we did our best to protect the data and the customers, rather than simply passing an audit.
WHAT IS A CYBERSECURITY AUDIT?
Many of Onward’s customers have large companies as their customers or clients. For example, our client may be a law firm who represents a large insurance company or hospital network. Those large insurance companies have cybersecurity policies they follow and frameworks they require their vendors (law firms, IT providers, custodial services vendors, logistics companies, etc.) to follow, and a department who puts the vendors through audits to make sure.
Audits can be a simple Excel spreadsheet with questions and answers, an onsite vulnerability scan, in-person or virtual interviews, or anything in between.
Many of our clients have limited time to respond to these audits, much less time to draft cybersecurity policy and maintain detailed technical documentation required for these audits. Fortunately, Onward’s Managed Services Gold Plan includes these services.