We've reached the final frontier in our blog series on simplifying firewall audits and ensuring continuous compliance. A quick recap of the previous steps examined:
- Step 1: Gathering Pertinent Information Before You Undergo an Audit
- Step 2: Review Your Firewall Change Management Process
- Step 3: Audit Your Firewalls' Physical and OS Security
- Step 4: Cleanup and Optimize Your Rule Base
- Step 5: Conduct a Risk Assessment and Remediate Issues
What's left to do from here? Make sure that all of the above is part of a continuous process. While a specific audit may be a once- or twice-a-year event, you most likely must undergo multiple audits driven by different regulations, industry standards or internal requirements. As a best practice, you should always have a current view of your risk and compliance posture rather than a point-in-time view.
Step 6: Ensure Ongoing Audit-Readiness
This final blog focuses on putting the proper steps in place to maintain continuous compliance for your firewall configurations. This means building audit-readiness into a business process that is maintained over time; it can't be just a checklist that is reviewed once or twice a year. Here are several things you should consider in order to attain "continuous compliance":
- Replace error-prone manual tasks with automated analysis and reporting. "Manual" and "audits" are a nightmare combination. Anyone who has had to manually gather all of the information and help prepare for an audit can speak to the pain the IT team feels trying to pull everything together, the impact on the business (the audit takes time away from more strategic initiatives), and the human error that creeps in. I've personally spoken to folks who, before automation solutions, spent 2-3 weeks to perform an audit of just ONE firewall, whereas with automation that painstaking audit process took under a minute, or, as one customer told me, "a push of a button".
- Ensure all audit procedures are properly documented, providing a complete audit trail of all firewall management activities. Documentation usually falls by the wayside when the IT organization is in react mode rather than strategically managing its audit process, because it takes time and patience to properly document who put a rule in place, what it does, when it was added and why, and the same for every rule that was removed or changed.
- Make sure that a solid firewall change workflow is in place to sustain compliance over time. Without change management you won't be able to ensure continuous compliance: you will go through the cleanup and optimization or the risk checks at a point in time, but a month later you may no longer be compliant. As part of this process, ensure there is an alerting system in place for significant events or activities, such as changes to certain rules or the discovery of a new, high-severity risk in the policy.
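The automated check, audit trail and alerting described in the three points above, as an added example that is not from the original post or from any vendor's product: it compares the last approved rule-base snapshot with the current one, records every change as an audit-trail entry, and raises an alert when a change widens a rule's scope or introduces a high-severity finding (an allow rule from any source to any destination on any service). Both snapshots and the rule format are constructed sample data.

```python
"""Continuous-compliance check for a firewall rule base.

Diffs an approved snapshot against the current one, writes an audit-trail
entry per change, and alerts on risky changes. The rule format and both
snapshots are constructed for this example, not exported from a real firewall.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str


# Constructed sample snapshots, keyed by rule name.
APPROVED = {
    "web-in": Rule("web-in", "any", "10.0.1.10", "tcp/443", "allow"),
    "admin-ssh": Rule("admin-ssh", "10.0.9.0/24", "10.0.1.10", "tcp/22", "allow"),
    "cleanup": Rule("cleanup", "any", "any", "any", "deny"),
}
CURRENT = {
    "web-in": Rule("web-in", "any", "10.0.1.10", "tcp/443", "allow"),
    "admin-ssh": Rule("admin-ssh", "any", "10.0.1.10", "tcp/22", "allow"),
    "temp-vendor": Rule("temp-vendor", "any", "any", "any", "allow"),
    "cleanup": Rule("cleanup", "any", "any", "any", "deny"),
}


def is_high_risk(rule):
    """An allow from any source to any destination on any service."""
    return rule.action == "allow" and (rule.src, rule.dst, rule.service) == ("any", "any", "any")


def diff_rulebase(approved, current):
    """Return (audit-trail entries, alerts) for the drift between two snapshots."""
    entries, alerts = [], []
    for name in sorted(set(approved) | set(current)):
        old, new = approved.get(name), current.get(name)
        if old == new:
            continue  # unchanged rule, nothing to record
        kind = "added" if old is None else "removed" if new is None else "modified"
        entries.append((kind, name))  # the "what"; who/when/why come from the change ticket
        if new is not None and is_high_risk(new):
            alerts.append(f"high-severity: {name} allows any->any on any service")
        elif kind == "modified" and new.src == "any" and old.src != "any":
            alerts.append(f"scope widened: {name} source changed from {old.src} to any")
    return entries, alerts
```

Run on a schedule (or on every committed change) so that drift is caught when it happens rather than at the next annual audit.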
A final consideration: while this series has focused on firewalls, there are different types of firewalls (traditional, next-generation, etc.) as well as secure web gateways, VPNs and other security devices typically found within an organization's network. Make sure that your audit process covers all of these devices as well. For a deeper examination of firewall audit best practices, you can download our whitepaper, The Firewall Audit Checklist. Good luck on your next audit!