By: Mike Detrow, CISSP, and Brian Kienzle, CISSP, OSCP
Written records are generally more trustworthy than human memory. Examiners and auditors typically take the following stance: if it isn’t formally documented, it didn’t happen. It is usually not possible to accurately recall all the details of an activity that we performed six months to a year ago. That is why it is important to formally document your monitoring activities, so that the specific details about any work performed are available for your own reference and for examiners and auditors to review.
Common Documentation Gaps
Proper documentation has generally improved in recent years; however, there are still some areas where we commonly see documentation gaps. Some of these areas where we continue to note weaknesses in documentation during our IT Audit engagements include:
User Access Reviews
We commonly see a checklist or spreadsheet that identifies various systems/applications and the date(s) that the user access was reviewed. While this format can help to provide a summary of the dates when system/application user access was reviewed, it does not allow an examiner/auditor to understand what was reviewed, any exceptions that were found, nor any changes that were made because of the review. A better approach is to document the review on the actual system reports or screenshots, or to document the review process in a write-up that identifies the review process and any noted exceptions or changes made as a result of the review.
Vendor Reviews
We still see some instances where ongoing vendor reviews are not formally documented using a checklist or a formal write-up of the details associated with the review and any exceptions that were noted. In these cases, the institution may only have a spreadsheet indicating that various vendor documents were reviewed on a specific date. However, this does not allow an examiner/auditor to understand the details of the review, nor does it identify any exceptions that were noted. This same issue occurs with the review of the complementary user entity controls that are identified in vendor SOC reports. Institutions should ensure that they formally document their implementation of each complementary user entity control.
Firewall Audits
Often we see a simple statement in minutes or in an email chain indicating that a firewall audit was performed. However, this is not enough information to determine whether the audit was comprehensive enough to establish that the firewall is properly configured. At a bare minimum, a firewall audit should include a review of all firewall access rules for appropriateness and a review of security services such as intrusion prevention and web content filtering. Documentation of this review, showing all areas of the firewall configuration that were examined, is an essential piece of evidence.
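One way to produce the kind of evidence this paragraph calls for, shown here as an added example that is not from the article or from Young & Associates: a Python script that walks a constructed sample rule set, flags the conditions an auditor would commonly treat as exceptions, and emits a review record listing every rule reviewed, the security services checked, and the exceptions found. The rule fields, the sample rules, and the exception criteria (any/any/any allows, administrative services open to any source, missing justification, lingering disabled rules) are my assumptions, not criteria stated in the article.

```python
"""Added example: review a constructed firewall rule set and produce a
documented review record with exceptions. Not code from the article."""
from dataclasses import dataclass, asdict
import json

# Assumption: services that should never be reachable from "any" source.
ADMIN_SERVICES = {"tcp/22", "tcp/3389"}


@dataclass
class Rule:
    """Simplified firewall access rule (assumed field set)."""
    name: str
    src: str
    dst: str
    service: str
    action: str          # "allow" or "deny"
    enabled: bool = True
    justification: str = ""  # assumed: business reason recorded by the rule owner


# Constructed sample rule set; these are not rules from any real firewall.
SAMPLE_RULES = [
    Rule("allow-web-out", "LAN", "any", "tcp/443", "allow", True, "General web browsing"),
    Rule("temp-vendor", "any", "any", "any", "allow", True, ""),
    Rule("old-ftp", "any", "10.0.1.20", "tcp/21", "allow", False, "Legacy transfer, decommissioned"),
    Rule("rdp-in", "any", "10.0.2.5", "tcp/3389", "allow", True, "Remote admin"),
    Rule("deny-all", "any", "any", "any", "deny", True, "Cleanup rule"),
]


def review_rule(rule):
    """Return the list of findings for one rule; an empty list means no exception."""
    findings = []
    if not rule.enabled:
        # A disabled rule is still configuration that must be justified or removed.
        findings.append("disabled rule still present; remove if no longer needed")
        return findings
    if rule.action != "allow":
        return findings
    if rule.src == "any" and rule.dst == "any" and rule.service == "any":
        findings.append("permits any source to any destination on any service")
    if rule.src == "any" and rule.service in ADMIN_SERVICES:
        findings.append(f"exposes administrative service {rule.service} to any source")
    if not rule.justification.strip():
        findings.append("no documented business justification")
    return findings


def build_review_record(rules, reviewer, review_date, security_services):
    """Build the evidence record: what was reviewed, by whom, when, and every exception."""
    exceptions = []
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            exceptions.append({"rule": rule.name, "findings": findings, "disposition": "open"})
    return {
        "review_date": review_date,
        "reviewer": reviewer,
        "rules_reviewed": [asdict(r) for r in rules],
        "rules_reviewed_count": len(rules),
        "security_services_reviewed": list(security_services),
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    record = build_review_record(
        SAMPLE_RULES,
        reviewer="J. Reviewer (constructed)",
        review_date="2024-01-15",
        security_services=["intrusion prevention", "web content filtering"],
    )
    # The JSON document is what gets retained as the audit artifact.
    print(json.dumps(record, indent=2))
```

The point of the record is that it names each rule examined and each exception with its disposition, so a later reader can see what was reviewed and what changed rather than only the date on which a review occurred.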
E911 Testing
Voice over IP (VoIP) telephone systems communicate with emergency services differently than traditional phone lines. If an IP phone is moved to a different physical location but the corresponding address information is not updated, then incorrect address information could be seen by emergency responders when that phone is used to dial 911. E911 testing ensures that the proper address information is seen by emergency responders. We check that this testing is occurring during our IT audits, and documentation of this testing is the primary method we use to verify it.
While it can sometimes seem like the time spent to formally document your activities is unproductive, especially when some institutions are working with limited staffing, it is critical to maintain this documentation to allow examiners/auditors and the board to have confidence that the institution’s information systems are being managed and monitored appropriately.
Young & Associates offers a variety of IT consulting services to help your financial institution comply with regulations, protect against vulnerabilities, and provide seamless IT service to your customers. For more information on this article, or to learn more about how Young & Associates can assist you with your IT needs, visit our website at www.younginc.com or contact us at firstname.lastname@example.org.