"I just got a minor NC for not showing compliance with review of user access rights control. At present, a report containing leavers [is] reviewed by servicedesk to ensure removal of access. This process supplements the leaver process owned by department managers. But [an] auditor has insisted that we should retrieve all access reports and review them. So question is how do [you] demonstrate compliance with this control in your organisation? Appreciate your guidance"
Some respondents duly mentioned typical controls in this area, while some of us spotted an issue with the issue as described. Why did the auditor raise a minor non-compliance? On what basis did the auditor insist that they should ‘retrieve and review all access reports’ - if in fact he/she did?
With a little creative/lateral thinking, it turns out there are several intriguing possibilities in the situation described by PS aside from the obvious:
- The organization had instituted and mandated a formal policy stating that ‘All access reports will be reviewed’ – a bad move unless they truly expected precisely that to happen. They are committed to doing whatever their policy says. If they don’t do so, it is a valid noncompliance finding;
- The organization had [perhaps unwisely or inadvertently] instituted a formal policy stating something vaguely similar to ‘all access reports will be reviewed’, which the auditor interpreted to mean just that, whether correctly or incorrectly. This is always a possibility if policies are poorly/vaguely worded, or if the supporting procedures, guidelines, help text, advisories, course notes, management instructions etc. are similarly worded or simply missing (leaving it to workers to interpret things as they see fit … which may not be the same as the auditors, or management, or lawyers and judges if incidents escalate);
- The organization had a procedure or guideline stating [something similar to] ‘all access reports will be reviewed’, in support of a formal policy on information access or whatever, and again the auditor was right to raise an issue;
- The organization had a policy or whatever outside the information security arena (e.g. tucked away in an IT or HR policy, procedure, work instruction etc.) stating that ‘All access reports will be reviewed’ ... which in turn raises a bunch of questions about the scope of the Information Security Management System and the audit, plus the organization's policy management practices;
- An old, deprecated, withdrawn, draft or proposed policy had the words ‘all access reports will be reviewed’, and somehow the auditor got hold of it and (due to flaws in the organization’s policy controls) believed it might be, or could not exclude the possibility that it was, current, valid and applicable in this situation - another valid finding;
- A stakeholder such as a manager verbally informed the auditor that it was his/her belief or wish that ‘All access reports must be reviewed’, inventing policy on the spot. This kind of thing is more likely to happen if the actual policy is unclear or unwritten, or if individual workers don't know about and understand it. It could also have been a simple error by the manager, or a misunderstanding by the auditor ... which possibility emphasizes the value of audit evidence and the process of systematically reviewing and confirming anything that ends up in the audit report (plus potentially reportable issues that are not, in fact, reported for various reasons);
- The organization had formally stated that some or all of the controls summarized in section A.9 of ISO/IEC 27001:2013 were applicable without clarifying the details, which the auditor further [mis?]interpreted to mean that they were committed to ‘retrieve and review all access reports’;
- For some reason, the auditor asserted that the organization ought to be ‘retrieving and reviewing all access reports’ without any formal basis in fact: he/she [perhaps unintentionally] imagined or misinterpreted a compliance obligation and hence inaccurately identified non-compliance when none exists;
- The auditor may have sniffed out a genuine information risk, using the minor non-compliance as a mechanism to raise it with management in the hope of getting it addressed, whether by achieving compliance or by amending the control;
- The auditor may have made the whole thing up, perhaps confusing matters that he/she didn't understand, or under pressure to generate findings in order to justify his/her existence and charges;
- The auditor simply had a bad day and made a mistake (yes, even auditors are human beings!);
- PS had a bad day, e.g. the minor non-compliance was not actually reported as stated in his question to the forum, but was [mis]interpreted as such. Perhaps someone spuriously injected the word “all” into the finding (Chinese whispers?);
- PS wasn't actually posing a genuine question, but invented the scenario to fish for more information on the way forum members tackle this issue, or was hoping for answers to a homework assignment;
- The auditor was trying it on: was this a competent, experienced, qualified, independent, accredited compliance auditor, in fact? Was it someone pretending/claiming to be such - someone in a suit with an assertive manner maybe? Was it just someone with “auditor” scribbled on their business card? Was it a social engineer or fraudster at play?!;
- It wasn’t a minor non-compliance, after all. Maybe I have misinterpreted “NC” in the original forum question;
- etc. ...

... Compiling and discussing lists like this makes an excellent exercise in awareness sessions or courses – including auditor training, by the way. In this particular case, the sheer variety of possibilities is a warning for information security and other professionals re policies, compliance, auditing etc. In practice, “policy” is a more nebulous, tricky, important and far-reaching concept than implied by the typical dictionary definition of the word. Just consider the myriad implications of "government policy" or speak to a tame lawyer for a glimpse into the complexities.