A Business Technology Place

How to use SharePoint to create audit trails

Show me the evidence.

I think auditors chuckle inside when they say “show me the evidence.” It’s part of their craft to seek and inspect. Over the past several years I’ve been giving documentation and evidence to auditors for various IT controls. With regard to policies, procedures, and standard practices, auditors want to see more than a one-time piece of evidence. They want to see proof that the behavior is happening on a regular basis. It’s the classic audit trail.

SharePoint – Love it. Hate it.

I’ve had my moments with SharePoint on a few items related to workflow. But one valuable attribute I’ve found with the tool is the ability to version documents and lists. This capability creates a ready-made audit trail and the evidence to back it up.

Example 1 – Annual Policy Updates

I keep version information in two places for policy documents. The first is in the document header. This shows the date of the policy, the last review date, and a version number. You can do this part without SharePoint.
The second place is in the SharePoint version of the document. First make sure that versioning is turned on for the document repository (a one-time setup). Go to the library settings and select versioning settings. Then fill in the specifics for how you want the versions to be incremented and how many versions to keep.

Each time I edit a document I use the check out for editing feature. Then I apply my changes, and when I check the document back in, SharePoint prompts for a summary of the updates. Each time this happens, a new version of the document is created and logged.

To see the previous versions and comments select the version history from the document selection menu.

Example 2 – Production Change Updates

I use a SharePoint list to track requests and approvals for production change updates. As with documents, make sure the list has version control turned on by going to the list settings and enabling versioning.

The version history for a list shows the dates of the field updates and which specific fields were updated. It also keeps the name of the person who updated the fields (redacted in my example).
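
The two one-time setups (library and list versioning) and the two version-history views can also be pulled into CSV files for an auditor instead of screenshots. This is an added example, not from the original post: it uses the PnP PowerShell cmdlets Connect-PnPOnline, Set-PnPList, Get-PnPListItem, Get-PnPFileVersion and Get-PnPListItemVersion, and the site URL, library and list names, and column names are assumed placeholders to replace with your own.

```powershell
# Added example (not from the original post). Assumes the PnP.PowerShell module
# is installed; the site URL, library/list names and column names are placeholders.
$SiteUrl    = "https://contoso.sharepoint.com/sites/it-governance"   # placeholder
$PolicyLib  = "Policies"          # assumed document library name
$ChangeList = "Change Requests"   # assumed list name
Connect-PnPOnline -Url $SiteUrl -Interactive

# One-time setup, same as Library settings > Versioning settings in the UI:
# keep major and minor versions and require check-out before editing,
# so every edit produces a version with a check-in comment.
Set-PnPList -Identity $PolicyLib -EnableVersioning $true -EnableMinorVersions $true `
            -MajorVersions 50 -MinorVersions 10 -ForceCheckout $true
# Lists only have major versions.
Set-PnPList -Identity $ChangeList -EnableVersioning $true -MajorVersions 100

# Evidence 1: version label, date and check-in comment for every prior
# version of each policy document (the current version is the file itself).
$docHistory = foreach ($item in Get-PnPListItem -List $PolicyLib) {
    foreach ($v in Get-PnPFileVersion -Url $item["FileRef"]) {
        [pscustomobject]@{
            Document = $item["FileLeafRef"]
            Version  = $v.VersionLabel
            Created  = $v.Created
            Comment  = $v.CheckInComment
        }
    }
}
$docHistory | Export-Csv -Path ".\policy-version-history.csv" -NoTypeInformation

# Evidence 2: which fields changed between consecutive versions of each
# change request, mirroring the per-field view in the list's version history.
$watchFields = @("Title", "Status")   # assumed text columns on the list
$listHistory = foreach ($item in Get-PnPListItem -List $ChangeList) {
    $versions = Get-PnPListItemVersion -List $ChangeList -Identity $item.Id | Sort-Object Created
    for ($i = 1; $i -lt $versions.Count; $i++) {
        foreach ($f in $watchFields) {
            $old = $versions[$i - 1].FieldValues[$f]
            $new = $versions[$i].FieldValues[$f]
            if ("$old" -ne "$new") {
                [pscustomobject]@{ ItemId = $item.Id; Version = $versions[$i].VersionLabel
                                   Changed = $versions[$i].Created; Field = $f; From = $old; To = $new }
            }
        }
    }
}
$listHistory | Export-Csv -Path ".\change-request-field-history.csv" -NoTypeInformation
```

Run it from an account with site-owner rights on the site; both CSV files land in the current directory and can be handed over as the evidence trail.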

This is a simple way to keep history of policies, procedures, and updates. Having this available and ready to show an auditor makes the audit process a little easier.

Onward and upward!

Becoming desensitized to security breaches

Are you there yet?

Does news of the latest corporate data breach resulting in thousands of stolen identity records no longer shock or distress you? Today when I looked at my news feed I found not one, not two, but three reports of hackers breaking through corporate firewalls to steal data. No offense to Scottrade, Patreon, and Experian, but when I glanced through the list of breaches my first thought was that this was just a normal week. It wasn’t too long ago that I felt both outrage and worry after personal information was stolen from Target, Home Depot, and Anthem. But now it feels like this is the new norm. I don’t like the new normal. Why can’t all these thieves channel their energy and intelligence to do good for the world?

Invisible theft.

Stealing data is not your father’s crime drama. It’s invisible theft. Maybe that’s the paradox of cyber-theft: data that is stolen still resides where it was stolen from. The game is played by looking for evidence that someone was in the data store room. Combine this with the fact that most high-tech theft takes place through methods and procedures that the vast majority of people don’t understand (and don’t care to understand). In a word, it’s highly sophisticated and complicated. Breaches often involve complex mathematical calculations used in cryptography and coding algorithms. Intelligent criminals, but not smart criminals.

The data breach economy.

Look around. An entire economy exists to establish, audit, monitor, and teach security standards and best practices. In 2013 Forbes reported that the IT security industry traded around $60 billion in products and services. It was expected to grow tenfold in ten years. I see the effect of this industry every day in my seat managing an IT group. We are expected to comply with a dizzying array of security controls. We buy software and hardware appliances that will protect us from theft or at least make it more difficult. Salesmen cold-call me each week selling security products. “The cloud” is touted by marketers as the safest place to put data (really??). People are employed full time to audit security controls and force compliance. It’s a lucrative business riding the coattails of criminals! For the rest of us, we have no choice. Non-compliance with security controls means you lose a seat at the table to compete for customer contracts and business.

Yet here we are.

Despite all the people and investment thrown at making us more secure, it feels like our data and personal information have never been more insecure. The bad guys have access to see all the controls and best practices too. Some of them prey on that list by taking advantage of those of us who fail to do the basics. Other, more sophisticated criminals invent new ways to go around our defenses. We know the merchants where we shop, the financial institutions that hold our money, and the medical providers that keep us healthy are not 100% secure. But we shop, bank, and receive medical services anyway.

Like I said. I’ve noticed that I’ve become desensitized to all this theft. But I don’t like it. Discipline and vigilance are necessary actions. Keep your guard.