One of the earliest contacts many people have with the looming frustrations of adult life is the mention of a dreaded audit, be it a tax audit, a performance audit, or (most pertinently) the IAM audit. Every IAM solution needs regular audits, yet no one wants to perform this vital and painful process. And so excuses are made, half-hearted measures attempted, and the problems an audit would catch continue to fester.
By settling on the right interval for your IAM audit, the best practices for conducting it, and how to handle its difficulties, you can make your audits work for you. So don’t subject yourself to needless stress through ignorance, willful or unintended. Instead, demystify the audit and understand it as a thorough review, and you stand to make much better decisions.
Symptoms of Needing an IAM Audit
IAM audits, together with a refresh of your identity strategy, should be carried out at least once every three years. Skipping them invites regulatory fines and fees, erosion of investor and market confidence, and avoidable security breaches. The symptoms of being overdue for an audit are just as varied and just as easily ignored, ranging from poor user experience to financial waste to security risks.
Your users, customers and employees alike, might start reporting long lead times to get the access they need. Analytics likewise indicate whether your identity fabric needs review: rampant generic account usage and improperly managed privileged accounts point to the need for one. Financial symptoms raise red flags of their own when operational costs run higher than they should or identity spending shows no ROI. Lastly, enterprises live on users and metrics, but they die from matters of security. Repeated policy violations or exceptions, entitlement sprawl, and no real segregation of duties therefore portend coming disaster.
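The security symptoms listed above can be checked mechanically against an entitlement export long before a formal audit. The following script is an added example, not code from the original post or from Simeio: it runs four checks (generic accounts, unmanaged privileged accounts, segregation-of-duties conflicts, and entitlement sprawl) over a constructed CSV export. The column names, the privileged-entitlement list, the toxic-combination rules, the 365-day review window and the 2x-median sprawl threshold are all assumptions chosen for illustration.

```python
import csv
import io
import statistics
from datetime import date

# Constructed sample export (not real data): one row per account/entitlement pair.
SAMPLE_EXPORT = """account,type,owner,last_review,mfa,entitlement
alice,user,alice,2024-01-15,yes,create_vendor
alice,user,alice,2024-01-15,yes,read_reports
bob,user,bob,2023-11-02,yes,create_vendor
bob,user,bob,2023-11-02,yes,approve_payment
carol,user,carol,2024-02-20,yes,read_reports
dave,user,dave,2024-02-20,yes,read_reports
dave,user,dave,2024-02-20,yes,create_vendor
dave,user,dave,2024-02-20,yes,approve_payment
dave,user,dave,2024-02-20,yes,domain_admin
dave,user,dave,2024-02-20,yes,db_admin
dave,user,dave,2024-02-20,yes,change_code
erin,user,erin,2024-01-30,yes,change_code
erin,user,erin,2024-01-30,yes,deploy_prod
svc_backup,service,,2022-05-01,no,db_admin
admin,generic,,,no,domain_admin
shared_helpdesk,generic,it-team,2024-01-10,yes,reset_password
"""

# Assumed policy parameters (illustrative, not from the page).
SOD_RULES = {
    ("create_vendor", "approve_payment"): "can create a vendor and pay it",
    ("change_code", "deploy_prod"): "can change code and ship it to production",
}
PRIVILEGED = {"domain_admin", "db_admin", "approve_payment"}
MAX_REVIEW_AGE_DAYS = 365
SPRAWL_FACTOR = 2.0  # flag accounts holding more than 2x the median entitlement count


def parse_export(text):
    """Group the flat (account, entitlement) rows into one record per account."""
    accounts = {}
    for row in csv.DictReader(io.StringIO(text)):
        rec = accounts.setdefault(row["account"], {
            "type": row["type"],
            "owner": row["owner"],
            "last_review": date.fromisoformat(row["last_review"]) if row["last_review"] else None,
            "mfa": row["mfa"] == "yes",
            "entitlements": set(),
        })
        rec["entitlements"].add(row["entitlement"])
    return accounts


def generic_account_findings(accounts):
    """Every generic/shared account is a finding; unowned or privileged ones are worse."""
    findings = {}
    for name, rec in accounts.items():
        if rec["type"] != "generic":
            continue
        issues = ["generic account in use"]
        if not rec["owner"]:
            issues.append("no named owner")
        issues += ["holds privileged entitlement " + e for e in sorted(rec["entitlements"] & PRIVILEGED)]
        findings[name] = issues
    return findings


def unmanaged_privileged_findings(accounts, as_of):
    """Privileged accounts lacking an owner, MFA, or a recent access review."""
    findings = {}
    for name, rec in accounts.items():
        if not rec["entitlements"] & PRIVILEGED:
            continue
        issues = []
        if not rec["owner"]:
            issues.append("no named owner")
        if not rec["mfa"]:
            issues.append("no MFA")
        if rec["last_review"] is None:
            issues.append("never reviewed")
        elif (as_of - rec["last_review"]).days > MAX_REVIEW_AGE_DAYS:
            issues.append("access review older than %d days" % MAX_REVIEW_AGE_DAYS)
        if issues:
            findings[name] = issues
    return findings


def sod_findings(accounts):
    """Accounts holding both halves of a toxic combination (no segregation of duties)."""
    findings = {}
    for name, rec in accounts.items():
        hits = [why for pair, why in SOD_RULES.items() if set(pair) <= rec["entitlements"]]
        if hits:
            findings[name] = hits
    return findings


def sprawl_findings(accounts):
    """Accounts whose entitlement count sits far above the population median."""
    counts = {n: len(r["entitlements"]) for n, r in accounts.items()}
    threshold = SPRAWL_FACTOR * statistics.median(counts.values())
    return {n: c for n, c in counts.items() if c > threshold}


def run_audit(text, as_of):
    """Run all four checks; as_of is an ISO date string such as '2024-03-01'."""
    accounts = parse_export(text)
    today = date.fromisoformat(as_of)
    return {
        "generic": generic_account_findings(accounts),
        "unmanaged_privileged": unmanaged_privileged_findings(accounts, today),
        "sod": sod_findings(accounts),
        "sprawl": sprawl_findings(accounts),
    }
```

Run against the constructed export with an as-of date of 2024-03-01, the script flags bob and dave for the create/pay conflict, erin for the code/deploy conflict, dave for sprawl (six entitlements against a median of 1.5), and svc_backup and admin as privileged accounts without an owner, MFA, or a current review. Swapping the constants for your own privileged roles and toxic pairs turns this into a repeatable pre-audit check.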
Unfortunately, though cybersecurity recognizes the importance of IAM, no universal standard for IAM audits exists outside of private identity organizations. Even within the wider fabric of cybersecurity, in which IAM plays a monumental role, IAM standards occupy an exceptionally narrow slice of the certification landscape. Randall Fields, Vice President, Simeio, says that “there is no pure identity audit. There should be, and in the future there no doubt will be. It took 10 years to come up with standards like NIST.” Thus the onus falls on the provider to initiate the audit on its own judgment.
Executing your IAM Audit
Once you’ve determined that you need an audit, make certain to do the job right the first time. A well-conducted IAM audit builds confidence in your controls, trust from investors and the market, and provable ROI. Conversely, late audit filings signal clearly to investors and the market that your enterprise has major weaknesses in its internal controls. Any delay raises a red flag and prompts questions about why it was late. How much normalcy and consistency shows through your audit? How many anomalies? Did you act on the audit results? Don’t delay in revealing unflattering findings.
One of the best ways to make sure an audit goes smoothly is to follow your IAM program plan and enforce your policies. Violations always happen and all auditors know it. However, your identity maturity depends on how many violations you admit to and resolve. If you’ve had to reprimand or even fire an employee for violating policy in the past few years, that’s a good sign to auditors as it shows you take enforcement seriously. Make the IAM audit easier on yourself by sticking to the policy you took the time to implement.
Auditors must view the enterprise with a critical eye, which is a stumbling block for any internal-only audit. With no governing body around identity, most internal auditors do not know what ‘good’ looks like: they grow accustomed to their own enterprise and have no clear view of comparative practice. Internal audits must therefore report to someone other than the CISO to remove the chance of internal collusion, hence the value of third-party auditors. Investigations breed further investigations, a grim prospect if you knew about a problem and nothing was done about it. Stop that before it starts by keeping the auditors separate from the audited.
Reach out to an Audit Service
Your efforts on an internal audit often prove a waste. The lack of dedicated auditors, expertise, and proper separation between auditor and audited turns the endeavor into a sink of time and money. For example, internal auditors are usually entry-level employees looking to move on as soon as they can. Handing a checklist to a glorified intern who wants a “real” role won’t produce meaningful results. Even a long-standing employee, tested and proven, brings a siloed and isolated experience to an audit.
Outside auditors take pressure off internal staff, prove more cost-effective, and provide expert advice on corrections. Such experts bring real experience and long-sought standardization to your IAM audit. They know firsthand what good and bad metrics look like for your enterprise. Randall Fields claims an auditing firm “can typically reduce spending by 20% overall and improve time to value on projects.” A proper audit costs you less in the long run, especially with an identity expert advising on identity maturity and flagging inefficiencies, redundancies, and integration opportunities. If corrections are implemented on the basis of this data, the ROI can be immediate and sweeping.
The best option is to go in for a full IAM Assessment through an end-to-end service provider. This leaves no gaps in service, coverage, management, or monitoring. By opting for a full suite of advisory and assessment, you ensure your Identity fabric is tight and on the road to standardization, galvanizing better practices across the board.
IAM Maturity assessments are offered by Simeio through NIST, Revivify 5, ISO 27000, the Gartner IAM maturity model, and our own experience. Talk to an identity advisor and learn how to start your IAM assessment today.