Leveraging big data for monitoring and auditing (Part 2)

Undertaking a cyclical audit is better than no audit at all; however, risks remain because problems identified during an audit could have existed for a significant length of time. For example, if user accounts are not deactivated in a timely manner once a member of staff has left the company, the account could be used by someone else. Monitoring and auditing on a continuous basis allows problems to be identified and corrective action to be taken quickly.

Continuous auditing and monitoring have benefits across a multitude of business and technology functions. A combination of the following will allow the data to be used efficiently and effectively to improve the business and the audit function.

  • For known controls that need to be audited, investigate the data sources needed for monitoring and auditing, and how the data can be gathered and processed on a continuous basis to provide the required level of assurance
  • Investigate and analyse available data sources, determine what insights can be gained from the data, and feed the options back to auditors

Here are some example data sources associated with Identity and Access Management (IAM) and Software Asset Management (SAM) along with examples of insight which can be gained through data analysis.

Identity and Access Management
With access to the following data sources:

  • Master list of user accounts (authoritative data source)
  • Individual application user accounts
  • Application level permissions (entitlements)
  • Current staff list
  • Application access log files
  • Business roles

Examination and data analysis will allow you to:

  • Identify active user accounts belonging to staff members no longer with the company
  • Identify where application permissions exceed those required for the user to perform their role within the company
  • Identify unusual or suspicious application and data access
  • Identify toxic access combinations
  • Use the data to identify where access management processes have failed
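
The following is an added example, not code from the original article: a small reconciliation job that joins the current staff list, the application accounts with their entitlements, and the business roles to report three of the findings listed above. The CSV column names, the role-to-entitlement map, the toxic pair and all sample records are constructed assumptions.

```python
import csv
import io

# Constructed sample data; column names and values are assumptions.
STAFF = "staff_id,role\ns001,ap_clerk\ns002,payments_approver\n"
ACCOUNTS = ("account,staff_id,app,active,entitlements\n"
            "asmith,s001,finance,true,create_invoice\n"
            "bjones,s002,finance,true,approve_payment\n"
            "bjones_p,s002,procurement,true,create_vendor\n"
            "cleaver,s003,finance,true,create_invoice\n"
            "dold,s004,finance,false,approve_payment\n")
# Business roles: entitlements each role is expected to hold.
ROLE_ENTITLEMENTS = {"ap_clerk": {"create_invoice"},
                     "payments_approver": {"approve_payment"}}
# Entitlements that one person must not hold together.
TOXIC_PAIRS = [{"create_vendor", "approve_payment"}]

def audit(staff_csv, accounts_csv, role_entitlements, toxic_pairs):
    """Return (finding_type, subject, detail) tuples for active accounts."""
    staff = {r["staff_id"]: r["role"]
             for r in csv.DictReader(io.StringIO(staff_csv))}
    findings = []
    held = {}  # staff_id -> entitlements held across every application
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["active"].lower() != "true":
            continue  # deactivated accounts are out of scope here
        ents = set(filter(None, acct["entitlements"].split(";")))
        sid = acct["staff_id"]
        if sid not in staff:
            # Active account whose owner is not on the current staff list.
            findings.append(("orphaned_account", acct["account"], acct["app"]))
            continue
        excess = ents - role_entitlements.get(staff[sid], set())
        if excess:
            findings.append(("excess_entitlement", acct["account"],
                             ",".join(sorted(excess))))
        held.setdefault(sid, set()).update(ents)
    # Toxic combinations are checked per person, not per account, so a
    # pair split across two applications is still detected.
    for sid, ents in sorted(held.items()):
        for pair in toxic_pairs:
            if pair <= ents:
                findings.append(("toxic_combination", sid,
                                 "+".join(sorted(pair))))
    return findings

if __name__ == "__main__":
    for finding in audit(STAFF, ACCOUNTS, ROLE_ENTITLEMENTS, TOXIC_PAIRS):
        print(*finding, sep="\t")
```

Run on a schedule against fresh exports, the same comparison turns a periodic audit check into a continuous one.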

Software Asset Management
With access to the following data sources:

  • Software licences purchased
  • Authorised devices on the network
  • User accounts
  • Software applications on individual devices
  • Application files on individual devices

Examination and data analysis will allow you to:

  • Identify immediately when the number of software installations exceeds the number of purchased software licences
  • Identify immediately when unauthorised software is installed on devices
  • Identify where software is installed but is not being used