For most students, one of the most stressful experiences of their educational career are exam days. Exams are a semi-public declaration of your ability to learn, absorb, and regurgitate the curriculum, and while the rewards for passing are rather mundane, the ramifications of failure are tremendous. My anecdotal educational experience indicates that exam success is primarily due to preparation, with a fair bit of luck thrown in. If you were like me in school, my exam preparation plan consisted mostly of cramming, with a heavy reliance on luck that the hours spent jamming material into my brain would cover at least 70% of the exam contents.
After I left my education career behind me and started down a new path in business technology, I was rather dismayed to find out that the anxiety of testing and exams continued, but in the form of audits! So much for the “we will never use this stuff in real life” refrain that we students expressed Calculus 3 class – exams and tests continue even when you’re all grown up. Oddly enough, the recipe for audit success was remarkably similar: a heavy dose of preparation with a fair bit of luck thrown in. Additionally, it seemed that many businesses also adhered to my cram-for-the-exam pattern. Despite full knowledge and disclosure of the due dates and subject material, audit preparation largely consisted of ignoring it until the last minute, followed by a flurry of activity, stress, anxiety, and panic, with a fair bit of hoping and wishing-upon-a-star that the auditors won’t dig too deeply. There must be a better way to be prepared and execute (hint: there is)!
There are some key differences between school exams and business audits:
- Audits are open-book: the subject matter details and success criteria are well-defined and well-known to everyone
- Audits have subject matter and success criteria that remains largely unchanged from one audit to the next
Given these differences, it would seem logical that preparation for audits should be easy. We know exactly what the audit will cover, we know when it will happen, and we know what is required to pass. If only it was that easy. Why, then, do we still cram-for-the-exam and wait to the last minute? I think it comes down to these things:
- Audits are important, just like everything else
- The scope of the material seems too large
- Our business memory is short
Let’s look at that last one first. Audits tend to be infrequent, often with months or years going by before they come around again. Like exam cramming, it seems that our main goal is to get over the finish line. Once we are over that finish line, we tend to forget all about what we learned and did, and our focus turns to other things. Additionally, the last-minute cram seems to be the only way to deal with the task at hand, given the first two points above. Just get it done, and hope.
What if our annual audits were more frequent, like once a week? The method of cramming is not sustainable or realistic. How could we possibly achieve this?
Iteration is, by definition, a repetitive process that intends to produce a series of outcomes. Both simple and complex problems can often be attacked and solved by iteration:
- Painting a dark-colored room in a lighter color
- Digging a hole with a shovel
- Building a suspension bridge
- Attempting to crack an encrypted string
- Achieving a defined compliance level in complex IT systems
Note that last one: achieving audit compliance within your IT ecosystem can be an iterative process, and it doesn’t have to be compressed into the 5 days before the audit is due.
The iteration (repetitive process) is simple:
The scope and execution of the iteration is where things tend to break down. The key to successful iterations starts with defining and setting realistic goals. When in doubt, keep the goals small! The idea here is being able to achieve the goal repeatedly and quickly, with the ability to refine the process to improve the results.
We need to clearly define what we are trying to achieve. Start big-picture and then drill down into something much smaller and achievable. This will accomplish two things: 1) build some confidence that we can do this, and 2) using what we will do here, we can “drill up” and tackle a similar problem using the same pattern. Here is a basic example of starting big-picture and drilling down to an achievable goal:
Identify and Recognize
Given that we are going to monitor failed user logons, we need a way to do this. There are manual ways to achieve this, but, given that we will be doing this over and over, it’s obvious that this needs to be automated. Here is where tooling comes into play. Spend some time identifying tools that can help with log aggregation and management, and then find a way to automate the monitoring of failed network user authentication logs.
Notify and Remediate
Now that we have an automated way to aggregate and manage failed network user authentication logs, we need to look at our (small and manageable) defined goal and perform the necessary notifications and remediations to meet the requirement. Again, this will need to be repeated over and over, so spend some time identifying automated tools that can help with this process.
Analyze and Report
Now that we are meeting the notification and remediation requirements in a repeatable and automated fashion, we need to analyze and report on the effectiveness of our remedy and, based on the analysis, make necessary improvements to the process, and then repeat!
Now that we have one iterative and automated process in place that meets and remedies an audit requirement, there is one less thing that needs to be addressed and handled when the audit comes around. We know that this one requirement is satisfied, and we have the process, analysis, and reports to prove it. No more cramming for this particular compliance requirement, we are now handling it continuously.
Now, what about the other 1,000 audit requirements? As the saying goes, “How do you eat an elephant (or a Buick)? One bite at a time.” You need the courage to start, and from there every bite gets you one step closer to the goal.
Keys to achieving Continuous Compliance include:
- You must start somewhere. Pick something!
- Start big-picture, then drill down to something small and achievable.
- Automation is a must!
For help getting started on the road to continuous compliance, contact us.
-Jonathan Eropkin, Cloud Consultant