The only way to survive the audit process is with automation

There's nothing more unpleasant than a root canal, except maybe an audit of your IT operations. Yet with regular audits being a component of regulations such as PCI and SOX, there's no escaping them. They won't be so painful, though, with the right automation in place. What's more, automation can provide serious benefits in reducing business risks and improving governance of your IT operations.

When I was an IT auditor some 15 to 20 years ago, I would initiate an engagement with a client by sending a letter that outlined what systems were to be audited and what supporting data or documentation I would need. That client would have a month or two to pull together the information before I really dug in to begin the actual audit engagement. As the audit progressed, invariably I'd need more detailed information, and it would come to me in every format possible: on paper, in email strings, in log files or spreadsheets. The information was disparate, and it was difficult and time-consuming for both the client and for me as the auditor to bring it together and find meaning in it.

This process could never fly today. IT organizations have the pressure of running daily operations, and there's little time to search for and assemble data for audits. Worse, the audits are becoming more frequent as well as more urgent as companies are forced to produce reports validating compliance with mandates like PCI, SOX, GLBA and others. The only way an IT department can efficiently support the numerous and detailed audits is with automation.


But automation can support more than just audits. Companies need to have a comprehensive real-time view of their entire operations in order to assess risks and demonstrate good governance of the business and its assets. The data that hints at or outright proves that a company's IT systems are at risk is there, hidden away in some log file or obscure security policy. The key is to bring that data forward and to correlate it with other data points such as assets and policies to get a clear view of what's going on, and to assess what it all means.

One vendor that brings automation to the entire process is Agiliance Inc. with its RiskVision product suite. The RiskVision governance, risk and compliance (GRC) suite enables organizations to have a 360-degree view into their internal control/risk landscape. As a result, they can more effectively view and manage their risks and compliance requirements in a proactive instead of a reactive manner.

Agiliance RiskVision is a series of integrated modules, including Enterprise Risk Manager, Policy Manager, Compliance Manager, Vendor Risk Manager, Threat and Vulnerability Manager and Incident Manager. RiskVision gathers siloed data from multiple security solutions, scanners and SIEM products and aggregates this data for use in risk and compliance modeling. This provides the organization with a continuous link between compliance and risk objectives and the security threats in today's dynamic cloud, mobile and on-premises environments.

RiskVision is built upon an open approach that allows the source data to come transparently from numerous third-party products and tools. This is key to the Agiliance strategy of OpenGRC, in which Agiliance partners with a consortium of service, technology and content providers to provide APIs and data maps to proprietary solutions. This ultimately gives RiskVision customers a centralized window into their various point security solutions. With OpenGRC, organizations have top-down and bottom-up GRC manageability across three levels of the RiskVision integrated risk framework -- the "risk universe."

At the top level is process automation for policy and governance, where an organization uses its knowledge of risk to optimize performance and make better investment decisions, making risk actionable. In the middle is controls automation, which maps policies and requirements to people, processes, assets and security-related data for continuous compliance monitoring and reporting. At the bottom level is security automation, which monitors assets and security-related data in real time and gives business users a view into risk-based security. This approach allows a user to start at any tier and pivot in any direction, using risk as the common framework.

RiskVision utilizes a Common Control Framework (CCF) that allows organizations to manage risk based on recognized standard risk frameworks -- including ISO, NIST and COBIT -- to manage multi-regulatory programs with a "test once, comply many times" approach. Assets and other entities can be classified, profiled, grouped and dynamically assigned business criticality risk levels, thus automating the processes of scoping and monitoring, which is required for most regulatory guidelines.
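The "test once, comply many times" idea is easiest to see in code. The following is an added example written for this article, not Agiliance's code and not RiskVision's data model: a handful of hypothetical common controls are each mapped to requirement references in several frameworks, a single test result per control is recorded, and the per-framework status is derived from that one set of results. The control IDs, the requirement references (REQ-8.x, ITGC-ACCESS-1 and so on) and the test results are constructed placeholders, not actual clause numbers from PCI DSS, SOX or ISO 27001.

```python
"""Common Control Framework rollup: test each control once, report per framework.

Added illustration, not vendor code. All control IDs, requirement references
and test results below are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Control:
    control_id: str
    description: str
    # framework name -> requirement references this control provides evidence for
    maps_to: dict = field(default_factory=dict)


# Hypothetical common controls; references are placeholders, not real clause numbers.
COMMON_CONTROLS = [
    Control("CC-01", "Unique user IDs; no shared accounts",
            {"PCI DSS": ["REQ-8.x"], "SOX": ["ITGC-ACCESS-1"], "ISO 27001": ["A.9.x"]}),
    Control("CC-02", "Quarterly access review for privileged accounts",
            {"PCI DSS": ["REQ-7.x"], "SOX": ["ITGC-ACCESS-2"]}),
    Control("CC-03", "Central log collection with one-year retention",
            {"PCI DSS": ["REQ-10.x"], "SOX": ["ITGC-MONITOR-1"], "ISO 27001": ["A.12.x"]}),
]

# Worst status wins when several controls back the same requirement.
_RANK = {"pass": 0, "untested": 1, "fail": 2}


def framework_status(controls, test_results):
    """Roll one result per control up into framework -> {requirement -> status}.

    test_results maps control_id -> "pass" | "fail" | "untested". A control
    with no recorded result is treated as "untested", never as a pass.
    """
    status = {}
    for c in controls:
        result = test_results.get(c.control_id, "untested")
        for framework, refs in c.maps_to.items():
            per_fw = status.setdefault(framework, {})
            for ref in refs:
                current = per_fw.get(ref, "pass")
                # keep the worse of the existing status and this control's result
                per_fw[ref] = max(current, result, key=_RANK.__getitem__)
    return status


def open_findings(status):
    """Return (framework, requirement) pairs that are not yet in a passing state."""
    return [(fw, ref) for fw, reqs in status.items()
            for ref, st in reqs.items() if st != "pass"]


def coverage(controls):
    """(number of tests to perform, number of requirement references evidenced)."""
    refs = sum(len(r) for c in controls for r in c.maps_to.values())
    return len(controls), refs


if __name__ == "__main__":
    # Constructed results from one test cycle.
    results = {"CC-01": "pass", "CC-02": "fail", "CC-03": "pass"}
    status = framework_status(COMMON_CONTROLS, results)
    print("tests run / requirements evidenced:", coverage(COMMON_CONTROLS))
    for fw, reqs in status.items():
        print(fw, reqs)
    print("open:", open_findings(status))
```

The rollup is deliberately pessimistic: a requirement backed by two controls is only "pass" if both passed, and a control nobody tested is reported as "untested" rather than silently assumed good, which is the distinction an auditor will ask about first.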

RiskVision enables a risk-based approach to security that has four dimensions:

• the identification of vulnerable assets based on a live connection to threat intelligence sources;

• the normalization and active correlation of data from common security solutions such as scanners, configuration checkers and patch managers;

• the assessment and prioritization of threats and incidents using standard and proprietary risk scoring engines; 

• the intelligent prioritization and mitigation of threats and incidents based on their risk level and the business impact they are likely to have.
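The four dimensions above describe a pipeline: normalize findings from tools that disagree on field names and severity scales, correlate them against the asset inventory and threat intelligence, and rank by risk rather than by raw severity. The block below is an added example written for this article, not Agiliance's code or RiskVision's scoring engine. The asset inventory, the two tool outputs, the threat-intelligence entries and the vulnerability identifiers (VULN-0001 and so on) are all constructed for illustration, and the scoring formula (severity times business criticality, doubled for actively exploited issues) is a simple one chosen for clarity rather than any published standard.

```python
"""Normalize, correlate and prioritize findings from heterogeneous sources.

Added illustration, not vendor code. Assets, tool records, threat intel and
vulnerability IDs are constructed; the risk formula is a simple example.
"""

# Constructed asset inventory: business criticality 1 (low) .. 5 (critical).
ASSETS = {
    "pos-store-0412": {"criticality": 5, "scope": ["PCI"]},
    "erp-db-01":      {"criticality": 5, "scope": ["SOX"]},
    "kiosk-lobby":    {"criticality": 1, "scope": []},
}

# Constructed threat intelligence feed: placeholder IDs, not real CVEs.
THREAT_INTEL = {"VULN-0001": {"exploited_in_wild": True}}

# Constructed output of two tools that use different keys and severity scales.
SCANNER_A = [  # severity as words; note one host missing from the inventory
    {"host": "pos-store-0412", "vuln": "VULN-0001", "sev": "critical"},
    {"host": "kiosk-lobby",    "vuln": "VULN-0001", "sev": "critical"},
    {"host": "erp-db-01",      "vuln": "VULN-0002", "sev": "medium"},
    {"host": "unknown-host-77", "vuln": "VULN-0002", "sev": "medium"},
]
PATCH_MANAGER_B = [  # severity as a 0-10 score
    {"asset": "pos-store-0412", "id": "VULN-0001", "score": 9.8},
    {"asset": "erp-db-01",      "id": "VULN-0003", "score": 4.0},
]

WORD_TO_SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize(records, source):
    """Map one tool's records onto a common shape: asset, vuln_id, severity 1-4."""
    out = []
    for r in records:
        if source == "scanner_a":
            out.append({"asset": r["host"], "vuln_id": r["vuln"],
                        "severity": WORD_TO_SEVERITY[r["sev"].lower()]})
        elif source == "patch_b":
            s = r["score"]  # bucket the 0-10 score into the 1-4 scale
            sev = 4 if s >= 9.0 else 3 if s >= 7.0 else 2 if s >= 4.0 else 1
            out.append({"asset": r["asset"], "vuln_id": r["id"], "severity": sev})
        else:
            raise ValueError(f"unknown source {source}")
        out[-1]["sources"] = {source}
    return out


def correlate(findings):
    """Merge findings for the same (asset, vuln) seen by more than one tool."""
    merged = {}
    for f in findings:
        key = (f["asset"], f["vuln_id"])
        if key in merged:
            merged[key]["severity"] = max(merged[key]["severity"], f["severity"])
            merged[key]["sources"] |= f["sources"]
        else:
            merged[key] = dict(f, sources=set(f["sources"]))
    return list(merged.values())


def score(finding, assets, intel):
    """Risk = severity x business criticality, doubled if actively exploited.

    An asset missing from the inventory is a scoping gap: it gets a middle
    criticality of 3 rather than being dropped or treated as harmless.
    """
    asset = assets.get(finding["asset"])
    crit = asset["criticality"] if asset else 3
    exploited = intel.get(finding["vuln_id"], {}).get("exploited_in_wild", False)
    return finding["severity"] * crit * (2 if exploited else 1)


def prioritize(assets=ASSETS, intel=THREAT_INTEL):
    """Run the pipeline and return findings ordered highest risk first."""
    findings = normalize(SCANNER_A, "scanner_a") + normalize(PATCH_MANAGER_B, "patch_b")
    merged = correlate(findings)
    for f in merged:
        f["risk"] = score(f, assets, intel)
        f["scope"] = assets[f["asset"]]["scope"] if f["asset"] in assets else ["UNINVENTORIED"]
    return sorted(merged, key=lambda f: (-f["risk"], f["asset"], f["vuln_id"]))


if __name__ == "__main__":
    for f in prioritize():
        print(f"{f['risk']:>3}  {f['asset']:<16} {f['vuln_id']}  "
              f"sev={f['severity']} scope={f['scope']} via={sorted(f['sources'])}")
```

Two things the ranking shows that a severity-sorted scanner report does not: the same "critical" finding on an in-scope point-of-sale host outranks it on a low-value kiosk by a wide margin, and a medium finding on the ERP database outranks the kiosk's critical one. The uninventoried host surfaces with a visible scope flag rather than disappearing, since an asset nobody has classified is a scoping failure, not a low risk.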

I talked to Anthony Johnson, director of IT security and compliance at Advance Auto Parts, who is responsible for IT security and compliance processes for corporate systems and more than 3,500 retail locations. Advance Auto Parts is using Agiliance RiskVision to support its PCI and SOX compliance requirements. Johnson recalled the days before his company implemented RiskVision. 

"With so many locations with essentially small pockets of IT, we really had no clear view into our company's overall risk posture," says Johnson. "We were chasing a cumbersome and inefficient series of manual and semi-automated processes of emails and spreadsheets to support our audit and compliance assessments. We got to the point where the manual processes wouldn't cut it anymore." 

Advance chose RiskVision to automate its processes because of its ease of use, streamlined deployment and integration with security tools the company already had in place.

RiskVision allows an organization to streamline the audit support process by keeping all audit-related questions and supporting documentation in a central location instead of in email or a file store. Audit requests and questions, along with the related document management, are handled within RiskVision: users answer the questions in RiskVision and upload whatever supporting material they have. Then, when someone wants to validate the status of supporting documentation, that query goes to one place: RiskVision.

"We have improved the efficiency of both our internal and external audits since we now centralize our data," says Johnson. "The auditors have saved time by not having to track down supporting documentation, and the audit respondents are now able to focus on just supplying the correct deliverables."

Aside from the effectiveness gained in audit support, Johnson says that RiskVision has given his company "a single pane of glass to view our assets, controls, risks and compliance posture within the organization at a glance in relation to IT for SOX, PCI and our internal best practices." This insight allows Advance Auto Parts to take the notion of criticality and apply that to an actionable set of reports and dashboards to show all levels of management. "We tell them, 'Here is how you are doing and here is a set of actions that you can take with a prioritization of your risks,'" says Johnson.

RiskVision provides Advance Auto Parts with other benefits as well. According to Johnson, "We are able to assess the organization much more frequently, so instead of doing one IT assessment a year, we can now generate the requisite surveys and interact with the supporting teams on a much more frequent basis. This will allow us to better predict audit results and not get sidelined by audit support activities. Now we have better control of our environment by having a risk based approach with insight into our assets, controls and policies and how they are operating on a daily basis."

Too bad such applications didn't exist in the time of my many years in IT audit. This level of insight and automation would have made my job a breeze.

Brian Musthaler is a principal consultant with Essential Solutions Corporation. You can write to him at


About Essential Solutions Corp:

Essential Solutions researches the practical value of information technology, and how it can make individual workers and entire organizations more productive. Essential Solutions offers consulting services to computer industry and corporate clients to help define and fulfill the potential of IT.


Copyright © 2011 IDG Communications, Inc.
