Audits is a word that evokes even more emotion than one of our latest posts around logs. Shrouded in secrecy, an IT audit can be a resource-intensive exercise. IT audits touch people, process, and technology [similar to the DevOps mantra]. There are certainly many flavors of IT audits, ranging from capability assessments to compliance/regulatory based audits.
IT audits are intended to make sure our controls are effective. Depending upon when we come into a project, the ever-pending IT audit would be going through technology and control decisions made before our time on the project. As we learn about the systems and platforms, we have to develop features on a new project, and explaining how the systems and platforms are put together can be challenging. All that said, IT audits are not all bad. In fact, they are important to fulfilling compliance in regulatory mandates. Even if your organization is not under regulation, IT audits can still be in your future.
You don’t have to be a healthcare provider providing services to the Federal Government to get audited. Pretty much any organization has some sort of audit requirement to satisfy. Even if you are a small startup, eventually you will come across a client who will want a copy of an audit. Also, as your startup grows, it may just a good practice to have some sort of baseline.
Regulation can also be a driving force of an audit for your organization, and if your organization has the presence of one of the below acronyms, most likely a regulatory audit is in your future. These types of audits can range in frequency of yearly to multiple times a year.
PCI: Payment Card Industry Data Security Standard [PCI DSS]: If you take credit card payments depending on how many you process in a month, PCI DSS dictates security standards that are needed.
HIPAA: Health Insurance Portability and Accountability Act: More focus on the accountability part, patient privacy and protection especially as we move towards electronic health records [EHR].
FISMA: Federal Information Security Management Act: If you are touching anything federal, FISMA will have an impact on you.
Another common type of IT audit is called a SOC 2. Stemming from the American Institute of CPAs [AICPA], a SOC 2 measures security, availability, and integrity of data stored in the cloud. For most companies that have a SaaS model, going through a SOC 2 audit is par for the course at some point in their maturity.
IT audits can also be used to gauge the capability and maturity of your organization’s IT landscape. Most likely the capability audits will be carried out by a consulting firm or analyst firm specializing in your particular industry. Unlike a regulatory/compliance audit, a capability-based IT audit is more ad-hoc and triggered by a business decision.
IT audits as time-consuming as they can be are comprised of a few basic components of information gathering and finding sharing.
Usually in an audit depending on the auditor need to answer questions with proof of a compensating control. It's sort of like showing your work in math. There needs to be a set scope (though can feel can be very wide) in terms of the audit.
For example, an audit requirement might be for passwords to be secure in customer-facing systems. The compensating control is a password to be at least six characters long. An auditor might request a copy of the password standard and proof of the policy and potentially would want to run the policy. You can see how time consuming this can be.
Having an ongoing relationship with the auditors also helps because there is a due-diligence period as the auditors to get ramped on understanding the business and why which controls are in place.
The remediation period can be as an audit is going on and some point after if there are negative findings giving you some time to make the recommended changes. Regulatory wise, if your organization is really off, the mark can be a mad scramble.
By leveraging a Continuous Delivery solution, you can have a program system of record allowing for shorter due-diligence periods and potentially more time to prove/remediate with the auditor and have less of a mad scramble.
I was working at bank under Dodd-Frank regulation and we had an odd requirement. We were required to go back five years on automated/programmatic decisions around credit approvals or declinations we made. Basically, we did a replay of the data points and business rules we used.
The database for the datapoints was fine, but the application/business rules were the trouble spot. In short, we we had to redeploy the application based on a date if a request came in for additional details. Now there is a good bit more than the JAVA distributions [aka the WAR].
Since your Continuous Delivery solution should be the nexus of your release/deployment, the confidence-building steps and the composition of the application and artifacts are easy to extrapolate. Going back in time might be one use case for a Continuous Delivery solution; the Harness Platform allows for programmatic access to create an audit trail.
We have been busy building capabilities with our GraphQL API in the Harness Platform. A great way to take the API out for a spin is the Harness API Explorer. In the Harness API Explorer, you too can have programmatic access to what is happening inside your organization. We provide an example query producing a quintessential audit trail inside the Harness Platform.
In one of our HarnessU training environments, I am getting the environment ready for the next set of students and we can see below what I have been doing in the environment.
To leverage the visual API Explorer, navigate to Setup -> API Explorer.
By running an Audit Query, we can see all the deletes I have been running getting the environment ready for the next set of students.
Focusing in on the delete:
Just like that, you have a pretty comprehensive systemic record on what is occurring on the platform aka your audit trail.
Harness is certainly geared to be a system of record for your releases and deployments. Harness is the orchestrator of the confidence-building steps such as approvals and test coverage; when a Harness Workflow / Pipeline is executed, the confidence-building steps are captured. Back at the bank I worked at, Harness would have been a godsend. Don’t fear the IT audit - help supercharge your experience with Harness today!
Enjoyed reading this blog post or have questions or feedback?
Share your thoughts by creating a new topic in the Harness community forum.