As we come to the year’s end, it’s a good time to perform a first audit of the OT Security Patching Program you put in place in Weeks 36 – 37. If you have other OT cyber maintenance activities defined, audit these too. Is the team doing what they committed to do?

A few comments on first audits:

  • Expect a high level of non-compliance. People often view security requirements as guidance rather than mandatory actions; "shoulds" rather than "shalls". The audit is a key tool to correct this view. Also, people often don't understand what the cyber maintenance tasks are, how to do them, or how they will be audited. This is as much an awareness and training exercise as an audit. It's important that they understand there will be another audit, that you give them the date or timeframe, and that not meeting security requirements in the second audit will have consequences.
  • You will identify cyber maintenance requirements that are unclear or not possible to audit. You will likely update your cyber maintenance requirements.
  • The first audit is also a chance to test your audit plan. Come in with a specific method to audit each must or shall cyber maintenance requirement. Determine if it is effective and efficient in the first audit, and change the audit plan if it can be improved for subsequent audits.
  • You may identify one or more cyber maintenance requirements that take more time or money than expected to achieve. Remember the driving principle is efficient risk reduction. Don’t be afraid to modify a cyber maintenance requirement if the risk reduction achieved doesn’t warrant the cost of the requirement.

Sampling for audits is common. For example, if you are checking the cyber maintenance requirements for security patching, you may choose to audit 50% of the assets in the Priority category and 5% in the Maintenance category. The sampling strategy should be adjusted for future audits based on which audit tests passed and which failed. Failed audit tests should be sampled at a higher rate and more frequently until the cyber maintenance requirement is consistently met.

Given the large non-compliance expected in this first audit, favor a broad rather than deep sampling strategy. For example, audit the security patching on one of each type of OT cyber asset in the Priority and Maintenance categories.

_________

Identify your OT cyber maintenance audit plan strategy below. Perform the audit and document the results.

Cyber Maintenance Category | Audit Plan Strategy