Gathering Evidence Across the Enterprise
‘Pics, or it didn’t happen.’ You’ve likely heard some form of this statement from friends joking about a road trip, vacation, or extreme sport, but it’s nothing to laugh about in the compliance world. As you are well aware, the goal of an audit is to collect and convey information that proves past and current activity related to internal and external control objectives. Some examples might include log files of backup operations, or meeting minutes proving that risk factors or vendor service level agreements were reviewed periodically.
Evidence proves that the organization is following procedures as written. Procedures provide a narrative explaining how policy is carried out and policy is tied to controls. We can follow this logical path: Evidence -> Procedures -> Policy -> Controls to ensure that the evidence gathered is related to the correct controls.
Evidence is generally expensive to gather. By expensive, I’m referring to the level of expertise and security clearance required to know how to access the organization's appropriate (oftentimes sensitive) systems. This can include AWS dashboards, IAM permissions, AD user lists, backup logs, and in general all the areas where skilled professionals live. This means that your most highly paid technical staff are usually the ones doing the work. Some tasks may require screenshots or PDF downloads, while others may be text files generated from simple scripts reaching out to well-defined APIs like those of AWS, Azure, and GCP.
Once evidence is captured, there is oftentimes no accepted place to store this information, so it’s typically placed on a file share, in email as an attachment, or in a ticketing system like Jira, etc. This presents several problems:
Different kinds of evidence are stored in different places based on a user’s own personal preference/workflow. For example, Sue may keep evidence in an email folder while John may use Jira to track evidence as “Issues.” Mark may put evidence into a SharePoint directory. This lack of structure leads to confusion, especially in larger enterprises.
When this evidence is stored, it fails to maintain a relationship with procedures, articles, and controls. It requires experts to know where each piece of evidence is stored and how that evidence relates to, ultimately, the control objectives within the organization.
This haphazard approach to gathering evidence often means that evidence is gathered but not reviewed. This creates the potential for gathering evidence that does not satisfy the procedure or control objective. Oftentimes, this is only discovered during the audit process, requiring last-minute remediation efforts.
Having a system in place for gathering evidence is a critical first step. There are several roles responsible for ensuring coverage and accountability:
Author — The author is responsible for defining the nature of the evidence to be gathered. This person in the organization works closely with your information security team to define each piece of evidence gathered and at what interval. The author is also responsible for reevaluating the requirements over time as the organization grows or the auditor's needs change.
Assignee — The assignee gathers the evidence. It would be best to choose the assignee based on their skill level and role in the organization. The assignee is held accountable for each piece of information gathered throughout the year.
Reviewer — The reviewer can double as the author in smaller organizations or be independent of the author, but the reviewer should never be the assignee. It would clearly be a conflict of interest for the assignee to verify their own work as a reviewer.
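The following is an added example, written for this post rather than code from PolicyCo, showing how the Evidence -> Procedures -> Policy -> Controls chain and the author/assignee/reviewer roles can be modelled so that the checks above become mechanical: every evidence requirement must trace to a known control, the reviewer must never be the assignee, and evidence that was gathered but never reviewed (or reviewed by its own collector, or not refreshed within its interval) is flagged before an auditor finds it. All identifiers, names and sample records are constructed for illustration.

```python
"""Minimal evidence register: Evidence -> Procedure -> Policy -> Control, with
separation-of-duties and review-gap checks. Sample data is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Control:
    id: str
    objective: str


@dataclass(frozen=True)
class Policy:
    id: str
    title: str
    control_ids: tuple  # controls this policy implements


@dataclass(frozen=True)
class Procedure:
    id: str
    title: str
    policy_id: str  # the policy this procedure carries out


@dataclass(frozen=True)
class EvidenceRequirement:
    """Defined by the Author: what to gather, how often, by whom, reviewed by whom."""
    id: str
    procedure_id: str
    description: str
    interval_days: int
    author: str
    assignee: str
    reviewer: str


@dataclass
class EvidenceItem:
    """One gathered artifact (screenshot, log export, API dump) and its review state."""
    requirement_id: str
    collected_on: date
    collected_by: str
    location: str
    reviewed_by: Optional[str] = None
    reviewed_on: Optional[date] = None


def validate_roles(req: EvidenceRequirement) -> list[str]:
    """Separation of duties: the reviewer may double as author but never as assignee."""
    if req.reviewer == req.assignee:
        return [f"{req.id}: reviewer '{req.reviewer}' is also the assignee"]
    return []


def trace_to_controls(req, procedures, policies, controls) -> list[str]:
    """Follow the chain to its control objectives; a broken link is an error, so no
    evidence can be registered without a relationship to a control."""
    procedure = procedures.get(req.procedure_id)
    if procedure is None:
        raise LookupError(f"{req.id}: procedure {req.procedure_id} not found")
    policy = policies.get(procedure.policy_id)
    if policy is None:
        raise LookupError(f"{req.id}: policy {procedure.policy_id} not found")
    missing = [c for c in policy.control_ids if c not in controls]
    if missing:
        raise LookupError(f"{req.id}: unknown controls {missing}")
    return list(policy.control_ids)


def find_gaps(requirements, items, as_of: date) -> dict:
    """Flag evidence gathered but never reviewed, evidence reviewed by its own
    collector, and requirements whose latest evidence is older than the interval."""
    gaps = {"unreviewed": [], "self_reviewed": [], "overdue": []}
    by_req: dict = {}
    for item in items:
        by_req.setdefault(item.requirement_id, []).append(item)
    for req in requirements:
        latest = max(by_req.get(req.id, []), key=lambda i: i.collected_on, default=None)
        if latest is None or (as_of - latest.collected_on).days > req.interval_days:
            gaps["overdue"].append(req.id)
        for item in by_req.get(req.id, []):
            if item.reviewed_by is None:
                gaps["unreviewed"].append((req.id, item.location))
            elif item.reviewed_by == item.collected_by:
                gaps["self_reviewed"].append((req.id, item.location))
    return gaps


# Constructed sample register (hypothetical identifiers and people).
CONTROLS = {"CTRL-BKP-1": Control("CTRL-BKP-1", "Backups are performed and verified")}
POLICIES = {"POL-BKP": Policy("POL-BKP", "Backup policy", ("CTRL-BKP-1",))}
PROCEDURES = {"PROC-BKP-REVIEW": Procedure("PROC-BKP-REVIEW", "Review backup job logs", "POL-BKP")}
REQUIREMENTS = [
    EvidenceRequirement("EV-BKP-LOGS", "PROC-BKP-REVIEW", "Export of nightly backup job log",
                        30, "author@example", "sue@example", "mark@example"),
    # Misconfigured on purpose: John is both assignee and reviewer.
    EvidenceRequirement("EV-BKP-SELF", "PROC-BKP-REVIEW", "Backup restore test record",
                        90, "author@example", "john@example", "john@example"),
]
ITEMS = [
    EvidenceItem("EV-BKP-LOGS", date(2021, 10, 1), "sue@example",
                 "share://evidence/backup-2021-10.txt", "mark@example", date(2021, 10, 2)),
    EvidenceItem("EV-BKP-LOGS", date(2021, 10, 28), "sue@example",
                 "share://evidence/backup-2021-10b.txt"),  # gathered, never reviewed
    EvidenceItem("EV-BKP-SELF", date(2021, 8, 1), "john@example",
                 "jira://COMP-42", "john@example", date(2021, 8, 1)),  # self-reviewed
]


def run_checks(as_of: date = date(2021, 11, 2)) -> dict:
    """Run every check over the sample register and return the findings."""
    role_problems = [p for r in REQUIREMENTS for p in validate_roles(r)]
    traces = {r.id: trace_to_controls(r, PROCEDURES, POLICIES, CONTROLS) for r in REQUIREMENTS}
    return {"role_problems": role_problems, "traces": traces,
            "gaps": find_gaps(REQUIREMENTS, ITEMS, as_of)}


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key, value)
```

Running it against the constructed register reports one role violation (EV-BKP-SELF), traces both requirements to CTRL-BKP-1, and lists the unreviewed October log export, the self-reviewed restore record, and EV-BKP-SELF as overdue (its last evidence is 93 days old against a 90-day interval). The same checks apply to a real register regardless of whether the artifacts live on a file share, in Jira, or in SharePoint; what matters is that each item carries its requirement id and review state.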
In many organizations, this evidence has no direct relationship to the procedures, policies, or controls it is designed to prove. This adds overhead to all organizations, with one person placing the information into accepted temporary locations and a second person gathering it up and handing it to the auditor. Furthermore, the auditor is left trying to interpret how things are related. This is known as double-handling in the logistics business, and going straight from the rack to the truck is a much more efficient process.
The good news is that PolicyCo treats evidence in precisely this way. We allow you to capture evidence and maintain relationships to your enterprise's policies, procedures, and control objectives.
Originally published at https://policyco.io on November 2, 2021.