Many executives expect IT staff to find new operational efficiencies while simultaneously reducing downtime, improving service, and providing adequate security. Meanwhile, industry and government regulators require IT to comply with new or expanded sets of controls. Despite the increased demand for solid IT controls and policy enforcement, many companies still use manual processes, such as spreadsheets and paper-based systems, to monitor and enforce IT controls. Consequently, many of these companies have not achieved the degree of effectiveness they need to be successful.
Using an automated continuous monitoring approach can help organizations enforce IT controls more efficiently and make meaningful IT control improvements while bringing costs down. Automated continuous monitoring solutions also help internal auditors monitor IT controls more effectively and efficiently. To maximize their use, internal auditors can help companies understand what features and functionality are required for an effective automated continuous monitoring environment.
Manual Processes and the Requirements of Continuous Monitoring
Even when properly executed, manual processes may not detect user actions taking place in the IT infrastructure effectively and or in a timely manner. It also may be unpractical or expensive to collect and review all the data required to test an IT control — there are simply too many operating systems, applications, directories, processes, configuration files, and database events to monitor. As a result, organizations may conduct sporadic reviews that rely on random data samples in system and database logs. Although these reviews can provide historical insight, they may not give organizations timely and accurate IT control information on actions such as unauthorized changes to production systems or access attempts to restricted data.
The shortcomings of manual processes become evident in the area of change management, where discovery of unauthorized activities helps organizations monitor adherence to standardized change management policies. Validating changes to the IT infrastructure against planned change requests to identify unapproved actions can be a difficult process without automation. Just like IT controls testing, the volume of changes to review can overwhelm IT staff quickly. Furthermore, the change ticket validation process is more detailed than the process used for testing IT controls and requires labor intensive comparisons to verify the following questions:
- Does an approved change request exist for the change?
- Did the change occur on the appropriate device(s)?
- Was the change made during the approved timeframe?
- Did the appropriate individual make the change?
If the answer to any of these questions is no, the change may not be compliant with the organization's control policies. Because unauthorized, unplanned, and untested changes are the leading causes of downtime, discovering change management control deficiencies and resolving them are important for IT controls to be effective and compliant.
Furthermore, when manual processes are implemented, they may not instill the discipline or communication needed to enforce IT policies. For instance, in large organizations, IT governance and compliance is distributed among application administrators, security managers, and compliance specialists. Therefore, it might be hard to identify who is responsible for investigating a specific IT control violation and whether this person has been notified when a violation occurs. And, even when the right person has been contacted and is taking the necessary steps to resolve the issue, the status of these efforts might be unclear to other interested parties.
Finally, manual processes generally store policy-related data in spreadsheets, documents, e-mail messages, and post-it notes — anywhere other than in a central, consolidated data repository. Because there is no single, authoritative record source for audit and forensic analysis, users responsible for IT governance and compliance may not know where to get the answers they need, in addition to being unsure on the data's accuracy. Further, without a centralized database, it is difficult to consolidate and aggregate data for enterprise reporting needs and to track historical events. Lacking an enterprise and historical perspective puts organizations in a poor position to improve operational activities. One of the best ways for organizations to resolve these issues is by automating manual monitoring processes.
Automation and Continuous Monitoring
Manual processes may not deliver the level of in-depth visibility and control IT departments need to support effective operations. On the other hand, automated continuous monitoring is a better approach that allows companies to more efficiently and effectively:
- Detect user actions in the IT infrastructure.
- Validate actual changes to the IT infrastructure against planned change requests.
- Identify changes that occur without an approval.
- Enforce policies that limit unauthorized activity in the IT infrastructure.
- Provide reports on IT infrastructure policies to highlight best practices and control violations.
Automation through technology is essential to achieve continuous monitoring. (Refer to "Automated Continuous Monitoring," at right, for a description of the four elements needed for an effective automated monitoring process.) However, internal auditors need to pay close attention to the degree of functionality that a solution offers to determine if it can meet the organization's continuous monitoring requirements. Below is a description of each of the automated processes auditors should pay close attention to and why.
Detect User Actions
An automated continuous monitoring solution should detect user actions within the IT infrastructure through real-time, event-driven data collections performed on all desired user activity and IT components 24 hours a day, seven days a week. For instance, the system should collect data on events such as who conducted the change, as well as what, where, and when changes were conducted that did not conform to IT policies.
Even though some continuous monitoring systems are automated, their scope is often too narrow or their data collection features are not performed in real time. This prevents the monitoring system from providing the necessary level of IT control. Because some automated systems only cover a narrow set of controls or components, organizations may be deficient in some controls, forcing them to maintain and administer multiple systems. However, auditors should note that under the right circumstances, this kind of monitoring system can provide a reasonable level of control, especially if the cost for a more encompassing automated solution is too prohibitive or the business need doesn't require this kind of surveillance.
Also, instead of true continuous monitoring, some automated solutions use older snapshot models that make comparisons between two different points in time. As a result, they might miss important events, because they can only report one change during the snapshot interval. Although taking snapshots more frequently reduces the likelihood of missed events, they have negative performance implications for production systems. For instance, regardless of the snapshot frequency, all the user has to do is make more than one change for the last change to mask previous activity. Therefore, a continuous monitoring system should offer real-time policy review and validation of all events across IT components (i.e., files, processes, applications, databases, directories, and operating systems).
Although some automated monitoring systems are integrated with change management systems, they may take different approaches to change validation. For example, some use exact matching to validate a change, which requires every activity associated with a change to be documented from the beginning. Using exact matching, any detected action not appearing on the pre-configured list triggers an unauthorized change alert. This makes exact matching impractical for most organizations because of the large number of false positives that occur with this method.
An effective and efficient way to validate changes is to use attribute matching, which provides a sufficient level of control for audit purposes without over burdening review staff. Attribute matching helps to make sure there is an approved change request and identifies whether the change was made on the appropriate device. In addition, attribute matching enables companies to identify whether the change was made during the appropriate time window and the appropriate user made the change. If a change is made that does not meet any of these four conditions, attribute matching enables the automated monitoring system to flag the change as not being in compliance with the organization's change control policies.
Continuous monitoring requires more than identifying problems — delegation, notification, and remediation also are needed to enforce policies adequately. Complete continuous monitoring systems assign who is responsible for a control policy automatically, while immediately sending policy violation notifications to the right people so that issues are addressed in a timely manner.
To enforce accountability, continuous monitoring systems must require acknowledgment of notifications and use rules to reroute the notification to another individual if an acknowledgment does not take place within a specified time frame. For example, if a change does not have an approved change request, the continuous monitoring system immediately sends an alert to the change manager. If the change manager does not provide an acknowledgment within the specified time frame, the system sends the request to a secondary contact responsible for policy enforcement.
Report on Policies
An integrated data repository for centralized policy reporting and analysis is a necessary backbone for continuous monitoring, because it provides a single authoritative source or record for an audit or forensic analysis. A centralized system also provides an integrated perspective across the entire IT infrastructure that details policy violations for all IT components (e.g., files, processes, applications, databases, directories, and operating systems) rather than just a single policy violation for a single IT component. Furthermore, the data repository provides historical context rather than small-time windows of user activity within the IT infrastructure.
Reports on policies highlight best practices and control violations so that organizations can focus on the areas that should receive the highest priority. To verify if control improvements are working properly, a trend analysis should be conducted. Because trend analysis is an ongoing endeavor, it is essential for determining if policy control violations are improving or getting worse over time and is a key feature of process improvement.
Change history reports provide insights on what was changed, who made the change, and when the change took place. Often, a series of actions rather than a single action is the culprit. Therefore, capturing and providing a change's historical context is useful when a root-cause analysis requires a consideration of events that have occurred over time. This information also is helpful to determine the last "good" configuration rather than restoring to the previous configuration before the incident, which may or may not be the appropriate restoration point. When an incident occurs, the continuous monitoring system should pinpoint the exact change, the individual responsible for the change, and the nature of the change for immediate rollback.
Any organization that is spending too much time and effort on monitoring the effectiveness of their IT controls should consider automating its manual processes to detect policy violations, validate change activity, enforce policies, and report any out-of-compliance actions that took place within the IT infrastructure. Technical requirements for automating continuous monitoring include detecting user actions, validating actual changes, enforcing policies, and reporting on policies.
Although having an automated IT control environment will help organizations maximize the benefit of effective IT operations, companies need to keep in mind that an automated system for monitoring IT controls is only as good as the people who implement, maintain, and update the system. Internal auditors need to remind organizations that implementing an automated, continuous monitoring solution requires the organization's commitment and that these systems are a tool, not the ultimate compliance solution.