Chapter 7: Security Auditor

In this chapter, you will learn what a security auditor is and the average salary range for this career in the US. You will also learn about the career progression options and common interview questions for the role.

The following topics will be covered in this chapter:

  • What is a security auditor?
  • How much can you make in this career?
  • What other careers can you do?
  • Common interview questions for a security auditor career

What is a security auditor?

A security auditor is an individual who helps to provide an independent systematic review of an organization's information security system. Sometimes they work as individuals. Other times, they can perform as part of a team or department providing audit services inside an organization. Security auditors can also be external consultants that provide an independent systematic review of their client's information security system or scoped parts of it per their contract.

Security auditors conduct their audits based on the organizational policies and any applicable government compliance and regulations. They work with information technology (IT) personnel, security staff, managers, executives, and other business stakeholders to validate the business's practices against any applicable policy, regulation, or industry best practice. Auditors achieve this by using questionnaires, interviews, observing work as it is performed, sampling past work, or validating that controls and procedures work the way they are expected to work.

How much can you make in this career?

The salary of a security auditor ranges from $60,000 to $120,000. It can be higher or lower depending on the location of the candidate, years of experience, and demand for any other areas of specialization that they might have, for example, cloud security or application security experience.

What other careers can you do?

Having a career as a security auditor prepares you for various other occupations. The combination of experiences you gain as a security auditor gives you the expertise needed to take on consulting engagements. For example, as a security auditor, you regularly look at best practices and make recommendations for testing and control programs. Security auditors often go on to help lead governance, risk, and compliance (GRC) programs for organizations, using their auditor experience to highlight and remediate deficiencies in meeting laws, regulations, and internal requirements. Another potentially exciting career pivot for an auditor would be penetration and vulnerability testing.

Other subspecialties include secure software assessor or security control assessor, which might be more prominent in the government or government contractor space.

Common interview questions

The following is a list of interview questions that could prove useful in preparing for a security auditor interview:

  • What frameworks are you familiar with or have you performed assessments against?

In addition to the internal policies and procedures of the hiring company, auditors will need to be familiar with federal regulations such as the Health Insurance Portability and Accountability Act (HIPAA) (https://www.cdc.gov/phlp/publications/topic/hipaa.html) and the Sarbanes-Oxley Act (SOX) (https://www.law.cornell.edu/wex/sarbanes-oxley_act), or standards set by the International Organization for Standardization (ISO) (https://www.iso.org/isoiec-27001-information-security.html) or the National Institute of Standards and Technology (NIST) (https://www.nist.gov/).

  • What are the standard certifications that a security auditor might have?

Some of the standard certifications that a security auditor might have are as follows:

While there are a host of other certification providers and certificates, I would recommend that you consider how a specific certificate is focused on your career and its trajectory.

  • What are the differences between general controls and system and application controls?

As an organization develops its internal policies and guidelines, they form the basis of general controls to which all the people and processes must adhere. Controls then become more granular at the system level; this can be at the cloud service provider (CSP) level or at the virtual machine or operating system layer. To achieve even more granularity, each system or application might have specific controls to ensure that the internal policies and procedures are met.

  • How would you approach an audit for an organization?

When coming into a new organization for an audit engagement, the lead must schedule a meeting with all the stakeholders to define the audit objectives and understand the organization's context. Work with the stakeholders to develop a preliminary schedule for the audit and all the potential individuals involved. Create a specific budget (even if you are not responsible for the financials, budget in time using hours) and define the scope of the engagement. Then, based on the budget or time and scope, you will list the audit team members, specify tasks for each individual, and determine the deadlines.

With the plan in place, you will start the audit. An audit generally has the following eight phases:

1. Risk assessment

2. Audit plan

3. Preliminary review

4. Design audit procedures

5. Test controls

6. Substantive testing

7. Document results

8. Communications

More information on assessments and auditing can be found at https://www.nist.gov/cyberframework/assessment-auditing-resources. When working with or for the government, it is essential to follow the NIST RMF (https://csrc.nist.gov/projects/risk-management) and the federal controls (https://csrc.nist.gov/Projects/risk-management/sp800-53-controls/release-search#!/800-53?version=4.0).

  • Can you name some of the different types of audits?

Some different types of audits are information system audits, compliance audits, financial audits, operational audits, integrated audits, specialized audits, computer forensic audits, and functional audits:

  • Information system (IS) audits are used to determine whether ISs and their related infrastructure are protected to maintain confidentiality, integrity, and availability.
  • Compliance audits are used to determine whether specific regulatory requirements are being complied with.
  • Financial audits are used to determine the accuracy of financial reports.
  • Operational audits are used to determine the accuracy of internal control systems and help identify issues related to the efficiency of operational productivity within the organization.
  • Integrated audits can be performed by internal or external auditors and are a blend of the other audit types used to assess the overall efficiency and compliance of an asset.
  • Specialized audits can include fraud audits, forensic audits, and third-party service audits.
  • Computer forensic audits are used to ensure compliance with the system during an investigation.
  • Functional audits are conducted prior to the implementation of new software to determine whether the software is functioning accurately.

  • What does the audit charter typically include?

The audit charter normally includes the purpose and objective of the audit team, the audit team's scope, the team members, and the responsibilities of each team member.

  • What are some of the risks associated with point of sale (POS)?

Some of the risks include skimming and the unauthorized disclosure of PINs.

  • During an e-commerce IS audit, what are some of the responsibilities of the auditor?

An auditor should review the overall security architecture, review the continuous monitoring and alerting processes of the organization for e-commerce transactions, review the organization's incident management program, review business service-level agreements (SLAs) for business continuity, and review security controls for privacy.

  • Can you describe the phases of an audit?

There are three main phases to an audit, which are the planning phase, the execution phase, and the reporting phase:

  • The planning phase contains the following steps:

    1. Risk assessment and determining the physical location that will be audited

    2. Determining the objective of the audit

    3. Determining the scope of the audit

    4. Pre-audit planning

    5. Determining the audit procedures that will be followed

  • The execution phase contains the following steps:

    1. Gathering relevant data and documents to conduct the audit

    2. Evaluating existing controls to determine their effectiveness and efficiency

    3. Validating and documenting your observations during the audit and providing evidence

  • The reporting phase contains the following steps:

    1. Creating a draft report and discussing it with management to reach alignment on the findings

    2. Issuing a final audit report that contains the findings of the audit, evidence, recommendations, comments from management, and the expected date of closure of the audit findings

    3. Conducting a follow-up to determine whether the audit findings are now closed and issuing a follow-up report

  • What outlines the overall authority to conduct an IS audit?

The audit charter outlines the overall authority to conduct an IS audit, and it also includes the objectives of the audit and the responsibilities of the audit function.

  • Describe the difference between a vulnerability and a threat.

A vulnerability is a weakness in a system, which could be insecure code, weak security controls implemented, or a human factor. A threat is something that exploits this weakness, so this could be criminal hackers, ransomware or other malware, or something else such as a hurricane.

  • Describe the term "assumed breach."

As technology systems (hardware/software) are created by humans, and humans are subject to error, we can assume that a particular system might have some vulnerability to it. If we can all agree on that assumption, we should also all agree that there is the potential that your systems have already been breached. This means that, as part of daily operations, you are ensuring that all secrets are protected, identities are verified to only be granted the needed access, and that you are looking for potential indicators of compromise (IOCs) or indicators of attack (IOAs). In this type of environment, there is little to zero inherited trust between people and systems. An example of an IOC is a workstation doing a callout to an unknown IP address, and an example of an IOA could be a PowerShell script being run on a user workstation where that user typically would not be running PowerShell scripts.
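The IOC and IOA examples above can be turned into simple detection logic. The following is an added example, not code from the chapter: it runs over constructed endpoint telemetry and flags a callout to an unknown external IP (IOC) and PowerShell launched by a user whose assumed per-user process baseline does not include it (IOA). The allowlist, internal range, and baseline are assumptions for the example.

```python
import ipaddress

# Constructed sample telemetry (not from the original chapter): one record per
# network callout or process launch, as a SIEM might export them.
NETWORK_EVENTS = [
    {"host": "WS-101", "user": "alice", "dst_ip": "10.0.5.20"},      # internal
    {"host": "WS-101", "user": "alice", "dst_ip": "203.0.113.77"},   # unknown external
    {"host": "WS-202", "user": "bob",   "dst_ip": "198.51.100.10"},  # known vendor
]
PROCESS_EVENTS = [
    {"host": "WS-101", "user": "alice", "process": "excel.exe"},
    {"host": "WS-101", "user": "alice", "process": "powershell.exe"},  # unusual for alice
    {"host": "WS-303", "user": "carol", "process": "powershell.exe"},  # carol is an admin
]

# Assumed allowlist of known external destinations (vendor, SaaS) and the
# organization's internal range; anything external and not listed is "unknown".
KNOWN_EXTERNAL = {"198.51.100.10"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Assumed per-user baseline of processes each user normally runs, e.g. learned
# from the previous 30 days of process telemetry.
USER_BASELINE = {
    "alice": {"excel.exe", "outlook.exe", "chrome.exe"},
    "bob": {"chrome.exe"},
    "carol": {"powershell.exe", "mmc.exe"},
}


def find_iocs(events, known=KNOWN_EXTERNAL, internal_nets=INTERNAL_NETS):
    """IOC: a workstation calling out to an IP that is neither internal nor allowlisted."""
    hits = []
    for e in events:
        ip = ipaddress.ip_address(e["dst_ip"])
        is_internal = any(ip in net for net in internal_nets)
        if not is_internal and e["dst_ip"] not in known:
            hits.append((e["host"], e["user"], e["dst_ip"]))
    return hits


def find_ioas(events, baseline=USER_BASELINE):
    """IOA: PowerShell started by a user whose baseline does not include it."""
    hits = []
    for e in events:
        proc = e["process"].lower()
        if proc == "powershell.exe" and proc not in baseline.get(e["user"], set()):
            hits.append((e["host"], e["user"], proc))
    return hits


if __name__ == "__main__":
    for kind, hits in (("IOC", find_iocs(NETWORK_EVENTS)), ("IOA", find_ioas(PROCESS_EVENTS))):
        for host, user, detail in hits:
            print(f"{kind}: host={host} user={user} detail={detail}")
```

Carol's PowerShell launch is not flagged because it is within her baseline; the same rule fires for Alice, which is exactly the behavioural distinction the IOA definition relies on.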

  • What is the difference between residual and inherent risk?

Inherent risk is the risk before any security controls are applied. This concept is often hard to understand for some, especially as there are so many controls that might come into play before a particular application or risk situation. It is important to talk through the nuances of this with your stakeholders before proceeding with the impending risk-based conversation.

Residual risk is the risk left over after applying security controls. Once you have arrived at this stage, it is important to consider the likelihood/frequency of the risk situations and the varying levels of potential impact when thinking about the residual risk and trying to quantify it.

  • What are the common steps in conducting a risk-based audit?

The steps in a risk-based audit are as follows:

1. The first step is to obtain the pre-audit requirements, which include knowledge of the client's industry and regulatory requirements, knowledge of applicable risks to the client, and knowledge from prior audits.

2. The second step is to gain knowledge about the internal security controls in use, which includes knowledge of the client's control environment and procedures, understanding the risks of the controls, and understanding detection risks.

3. The next step is to conduct compliance testing, which includes identifying the security controls to be tested and determining their effectiveness.

4. The last step is to conduct a substantive test and ensure that it includes appropriate analytical procedures and detailed testing of account balances and procedures.

  • What do you do if your client fails to implement the recommendations you made in your audit report?

The most important thing to do is relate your audit findings to real-world examples showing how correcting the issue can help the team and organization. For example, a manager of a department may ignore your audit findings because they don't see the value and think of correcting the issue as a burden on their already-reduced available time and budget. Showing them how another department implemented changes that helped reduce cost and/or improved productivity can help. The other thing you should do is ensure you are providing the process to the client for how you suggest they fix the issue. As an example, if your audit discovers that employee user accounts were not properly terminated when the employees left, the client might just remove those accounts. This does not fix the problem for the client in the future when other employees are terminated. Instead, recommend the client implements a process for identifying when employees leave the organization and how user account access is then removed.

  • When should you recommend the use of compensating security controls?

Compensating security controls are alternate security controls that organizations can use to fulfill a compliance standard, such as the Payment Card Industry Data Security Standard (PCI DSS) (https://www.pcisecuritystandards.org/pci_security/).

The alternate security controls must meet the intent and the same level of rigor as the original compliance requirement, provide an equivalent level of defense, and be comparable in the level of risk.

Compensating security controls are typically used when the organization has some type of constraint that prevents the implementation of the original security control in the compliance standard.

An example of compensating security controls would be a small company that does not have enough staff in their financial department to have two or more people complete separate parts of a task. In this case, the small company might just use monitoring and analysis of logs and audit trails to track suspicious behavior in financial transactions.

  • What are some of the risks associated with using third-party security services?

A third party could be compromised to launch a cyber attack against the client's organization, such as in the Target data breach (https://www.nbcnews.com/business/business-news/target-settles-2013-hacked-customer-data-breach-18-5-million-n764031). The third party may also limit the visibility of the client into logs and auditing data that might be required for the client to maintain compliance.

Having an effective mechanism for ensuring that your third parties are prioritized based on risk, and that the level of controls in place is also based on that risk, will lead to a strong, risk-informed third-party management program.

  • What are some of the challenges when working with an environment that is based in the cloud or has a hybrid cloud/on-premises approach?

As a security auditor, your role is often to ensure that an organization has the right controls in place or that the controls in place are functioning in an effective manner as intended. Where controls tend to have a blurred line is when it comes to working in a third-party environment such as a CSP. When working with a CSP, there is often a reliance on them to implement certain controls and you would inherit them from the CSP in your controls catalog. For example, when working with a CSP, you are no longer responsible for things such as the physical safety, power requirements, and physical maintenance of the machines, so if you have controls like that for your own physical environment, they would be inherited from the CSP.

Here is an example of the AWS shared responsibility model so that you can see which type of controls might have a customer or AWS responsibility:

Figure 7.1 – AWS shared responsibility model

Here is the Azure shared responsibility model:

Figure 7.2 – Microsoft Azure shared responsibility model

Here is an example of the shared responsibility model from Google Cloud Platform (GCP):

Figure 7.3 – Google Cloud Platform shared responsibility model

As you can see, where the shared responsibility line is drawn is slightly different depending on the CSP, and it is your job to ensure that the organization is considering the right controls and that they are functioning effectively.

During an interview, you may experience a broad set of questions about auditing. Use the questions in this section as a guide and also provide examples to the interviewer using your real-life experience with clients.

Summary

In this chapter, you learned what a security auditor is, the average salaries in the United States for a security auditor, and common questions you might be asked during an interview. Careers in auditing can be rewarding and lucrative, and since there is typically a shortage of auditors in many organizations, auditing can be a good career selection for someone newer to IT and cybersecurity.

In the next chapter, you will learn some of the most common interview questions asked for a career as a malware analyst.