Washington State Auditor’s Office uses CIS Controls to Perform Effective Security Audits

Government IT systems are tempting targets for malicious hackers and data breaches. In Washington, the State Auditor’s Office (SAO) uses the CIS Controls to perform security audits that help to improve the security posture of both state agencies and local governments.

Erin Laska, IT Security Audit Manager, and Alex Hamilton, IT Security Specialist Manager, work with their respective teams at the SAO to perform cybersecurity audits. Both teams work closely with the Assistant Director of IT Audit, Peg Bodin. The Washington State teams take their role as partners in accountability seriously, providing valuable recommendations to state and local governments to improve IT security through an extensive audit program. In their Performance Audit, Report Number 1022918, Continuing Opportunities to Improve State Information Technology – 2018, Washington’s SAO stated that agencies can enhance their overall cybersecurity posture by adopting the CIS Controls.

Using the CIS Controls as Security Audit Criteria

Looking for a way to increase the value of their audits and remediate issues identified in those audits, Laska, Hamilton, and Bodin began studying various IT security best practices. Their goal was to improve IT security at both the state and local government levels, and to protect confidential information within Washington State’s networks and systems. Using the CIS Controls as their audit criteria allows them to do both. The CIS Controls are unique; they are prioritized and prescriptive, and provide a clear path for organizations to achieve the goals and objectives described by legal, regulatory, and policy frameworks. They also emphasize automation. The CIS Controls are continuously updated, ensuring audits coming out of the State Auditor’s Office are relevant.

The Washington SAO began using the CIS Controls as their audit criteria in 2016 as a way for state government and local government to prioritize their security efforts.

“We get buy-in from our clients with the Controls. They like us using it, they understand it, and they expect those types of Controls to be important,” said IT Security Audit Manager, Erin Laska. “Even if they are implementing or trying to comply with another framework, they know this can be useful to them.”

By the end of 2020, Washington’s SAO will have completed 16 audits with state agencies and 17 audits with local governments.

Using the CIS Controls in Practice

The SAO’s cybersecurity audits provide actionable recommendations to both state and local governments that will help them improve their overall IT security. Laska and Hamilton are performance auditors and IT security specialists by trade. This dual role gives their teams the ability to determine which criteria are needed for the assessments; their office is not limited to the baseline criteria that state and local governments are required to comply with, and can expand its scope and criteria with the CIS Controls. For their performance audits, the SAO focuses on CIS Controls 1-6 and their respective Sub-Controls (safeguards), although audits have also included Controls 1-8 and 11 and their safeguards. During the audit, the team asks specific questions about the Controls that are in place and how each is implemented, as well as questions about policies, procedures, automation, and reporting.

Laska noted that in the evaluation results the auditee can see how they align with leading practices and determine what else they can do to become more aligned with the CIS Controls. Using these evaluations, the auditees can do their own risk assessment and determine the level to strive towards based on their organization’s size and resources.

Mappings from the CIS Controls have been defined for many regulatory frameworks to give a starting point for action.

You can see all of the mappings with the CIS Controls Navigator tool on the CIS website.

“The fact that the CIS Controls crosswalks to the other frameworks is very helpful to us,” said Laska.

“If we go into an entity that has to comply with another framework, we’re often able to show them how our evaluation crosses over with whatever they’re required to comply with.”

One of the SAO’s IT specialists compared the CIS Controls to a Swiss army knife, because they do so much to help ensure the audits are relevant and useful to their clients.

“We don’t have to become specialists in eight different control frameworks,” Laska added. “We can be specialists in this one framework and then help our audit clients understand how they are related.”

While other frameworks emphasize “what to do” to achieve cybersecurity compliance, the CIS Controls go a step beyond that, showing an organization “how” to achieve an effective cybersecurity program.

“Our state and local governments don’t have an unlimited budget. This helps us say, here are the top Controls and here is where to start.”

An Ongoing Process

By using the CIS Controls, the SAO provides valuable recommendations to state and local governments to improve IT security and protect the confidential information within their networks and systems. The CIS Controls will continue to help Washington’s state and local governments address issues identified in performance audits, remediating gaps between agency IT security implementations, policies and procedures, and the state’s IT standards. As they periodically assess the IT needs and resources, including personnel and technology, required to develop and maintain sufficient IT security, Washington’s state and local governments can consider further aligning agency IT security controls with the leading practices recommended in the CIS Controls.

About Erin Laska

Erin Laska, MPA, CIA, IT Security Audit Manager – Erin joined the Office of the Washington State Auditor in 2008 as a Performance Audit Supervisor and currently oversees all state and local cybersecurity audits as the IT Security Audit Manager. Before joining the State Auditor’s Office, Erin spent seven years working on performance audits with the New Hampshire State Legislative Budget and Audit Division and one year completing performance audits with the federal government of Canada.

About Alex Hamilton

Alex Hamilton, IT Security Specialist Manager – Alex joined the Office of the Washington State Auditor in June 2017. He currently manages a team of experienced information security experts who lend their expertise to support the office’s cybersecurity audit efforts. Alex came to the Office from the Washington Military Department, where he served as Chief Information Security Officer. He has more than 14 years of experience in the IT security field. Alex was also a member of the Washington Army National Guard for 12 years, focusing on cybersecurity and IT operations.

About Peg Bodin

Peg Bodin, CISA, Assistant Director of IT Audit – Peg joined the Office of the Washington State Auditor in 1987 and currently oversees the teams that perform data analysis, system reviews, cybersecurity performance audits, security attestation audits, and forensics for state and local governments.