Common Auditor Requests


Overview

What to do when you get a request from an auditor

This playbook provides examples of common requests you may get from auditors, the corresponding FFIEC statements and GRID features, and the exact actions you need to take to prove and maintain compliance.

  • Document Requests
  • Ticket Review
  • Incident Response Plan Review
  • VPN Connectivity
  • Hardware Inventory
  • New Assets

Also verify that your audit settings are properly set up by following our FAQ article, Windows Audit Log Recommendations. Audit settings allow us to track and gather data on all important aspects of your network. If they are not set up properly, we can't see the necessary log data from the Windows systems.

Document Requests

Internal Audit: Document Requests

Part of your internal audit may be a substantial list of requested documents. Below is a recommended example process that keeps the documents organized within the GRID and produces an easily accessible audit document.

FFIEC Statements Met: D1.RM.Au.B.1 / D1.RM.Au.B.2 / D1.RM.Au.B.3

GRID Features:  Tasks, Policy Reporting

Action, what do you do in the GRID? 

  1. Create a task with the title of your audit, for example 'Internal Audit June 2018'.
  2. Attach the FFIEC CAT policies to the task.
  3. Create a new task for each document request.
       • Name the task exactly as shown on the request.
       • Link the task to the master task, Internal Audit June 2018.
       • Add FFIEC Policy D1.RM.Au.B.1.
  4. Once you have finished creating the new tasks, your master task looks something like this,
  5. Upload the requested document into each task, then close the task.
  6. Generate an FFIEC Evidence Report to produce a zip file of all documents.
       • Go to Policy > Generate FFIEC CAT Evidence Report.
       • Check the boxes to include Answer, Comments, Tasks, and Attachments.
       • Drill down and check only the box for D1.RM.Au.B.1.
  7. Download the FFIEC Evidence Report.
       • Go to Reports > find the newly generated Evidence Report > download.
       • This downloads a zip file that can be sent directly to auditors.

Ticket Review 

Ticket Review (Weekly)

Please note that while changing the timeframes is allowed, doing so may also affect your compliance with FFIEC.

FFIEC Statements Met: D3.DC.Ev.B.2 / D2.MA.Ma.B.1 / D2.MA.Ma.B.2 / D5.ER.Es.B.4 / D5.ER.Es.B.1

GRID Features: Tickets, Task Schedule, Reports

Query:  app_name:"DefenseStorm Audit" category:ticket

Action, what do you do in the GRID?

  1. Create a task schedule as a weekly reminder to run a report showing all tickets.
       • Include the query.
       • Link the task schedule to the appropriate FFIEC policies.
       • Create a chart using the query. Below is an example chart showing tickets from the last 7 days.
  2. Add the chart to a template.
       • This template could also include other cybersecurity metrics you need to run on a weekly basis, for example Tickets closed, Total Events, Suspicious Event Spikes, etc. Name it Weekly Cybersecurity Metrics.
  3. Generate the Weekly Cybersecurity Metrics template. *If you wish to view the log data of these events in addition to the statistical chart data, proceed to the next step.
  4. Go to the Events page and use the same query and timeframe; in this case, last 7 days. From here you can download the CSV list of the log data.


Incident Response Plan Review

Incident Response Plan Review (Annually)

Please note that while changing the timeframes is allowed, doing so may also affect your compliance with FFIEC.

FFIEC Statements Met: D2.MA.Ma.B.2 / D5.IR.Pl.B.1 / D5.IR.Pl.B.2 / D5.IR.Pl.B.3 / D5.IR.Pl.B.4

GRID Features: Task Schedule, Reports

Action, what do you do in the GRID?

  1. Create a task schedule with a 12-month frequency to review and update your Incident Response Plan.
  2. Link the task schedule to the FFIEC statements listed above.
  3. When the annual task is generated from the task schedule, upload the most recent version of the Incident Response Plan and assign it to the appropriate person for review.


VPN Connectivity 

VPN Connectivity (Weekly)

Please note that while changing the timeframes is allowed, doing so may also affect your compliance with FFIEC.

FFIEC Statements Met: D3.DC.Ev.B.3 / D3.PC.Im.B.1 / D3.PC.Im.B.2

GRID Features: Task Schedule, Reports

Query: app_name:fortigate subtype:vpn -category:alert taken_action:tunnel-up tunnel_type:ssl-tunnel

Action, what do you do in the GRID?

  1. Create a task schedule with a frequency of every 1 week.
       • Include the query.
       • Link FFIEC Policies to the schedule.
  2. Create a chart with the query listed above. Creating the chart lets you view the data in graphical format; to have a downloadable copy, you must add it to a template and generate the report.
  3. Add the chart to a template.
  4. Generate the report.
  5. To view all associated log data, go to the Events page and search using the query above.


Hardware Inventory 

Hardware Inventory (Monthly)

Please note that while changing the timeframes is allowed, doing so may also affect your compliance with FFIEC.

FFIEC Statement(s) Met: D1.G.Ov.B.3

GRID Features:  Task Schedule, Assets

Action, what do you do in the GRID?

  1. Make sure Assets in the UI are up to date.
  2. Create a task schedule as a reminder to generate a CSV of all Assets once a month.
       • Link the schedule to the appropriate FFIEC statement(s).
  3. When the task generates, go to the Assets page and download a CSV of all Assets.
  4. Insert the generated CSV file into the task to verify completion and keep track of each monthly CSV.
       • Make sure the task is linked to the appropriate policy so that when you generate an FFIEC Evidence Report, it shows all information and documents added to each task.


New Assets

New Assets (Weekly)

Please note that while changing the timeframes is allowed, doing so may also affect your compliance with FFIEC.

FFIEC Statements Met: D1.G.IT.B.1 / D1.G.IT.B.4 / D3.DC.Ev.B.3

GRID Features: Assets, Task Schedule, Reports

Query:  app_name:"defensestorm audit" category:asset

Action, what do you do in the GRID?

  1. Make sure your Asset list within the GRID is up to date. That includes either listing all assets as tracked, or removing them.
  2. Create a task schedule as a weekly reminder to run a report showing the new assets.
       • Include the query.
       • Link the schedule to the FFIEC policies.
  3. Create a chart using the query. Below is an example chart showing what assets have been added in the last 7 days.
  4. Add the chart to a template. This template could also include other metrics you need to run on a weekly basis, for example new users added, account lockouts, etc. You can name it Weekly Metrics.
  5. Generate the Weekly Metrics template.
     *If you wish to view the log data of these events in addition to the statistical chart data, proceed to step 6.
  6. Go to the Events page and use the same query and timeframe; in this case, last 7 days. From here you can download the CSV list of the log data.