Auditing: An Overview
Security audit management involves a team of security professionals conducting various audits at a site. The site is a large secure facility such as an airport, seaport, industrial park, government facility, or entertainment complex.
The audit team is commonly an experienced crew of retired police officers, MPs, security experts, and/or contracted investigators.
Auditors are assigned a number of red team security tasks, commonly called audits. The auditors are to enter the facility and either watch for infractions or demonstrate infractions.
Security Audit Issues
The Citation Focus

Audit systems are often built around issuing citations for security infractions, as described above. The citations are similar in nature to a traffic ticket. A citation generally involves a reprimand of the individuals cited, then a review and reprimand for the company or agency (“organization”) employing the individuals. In most cases, only three basic data items are tracked:

Site compliance
A site is commonly required to meet a certain percentage of “clean” audits in which no citations are issued, 95% for example. Many audit systems do not track audits that issued no citation beyond the basics of date and type of audit.

Organization compliance
Citations are issued to individuals and to the agency or company responsible for that individual. Ultimately the organization is responsible for these security lapses, so a count of citations issued to each organization is kept to determine the worst offenders. The organization must show improvement or risk penalties.

Individual compliance
Individuals are generally tracked by their badge number. Multiple citations can lead to discipline or release, but this action is commonly taken by the responsible organization.

Citation-only mindset (management issue)
Audit systems commonly limit themselves to a citation-only focus, either because laws or statutes require the audits, or because a site makes the mistake of applying someone else’s legal list to its own security audit methods. While this makes sense from a legal angle, it commonly leaves out crucial security auditing that should be conducted and tracked. One danger of limiting focus to a legal mandate is that the legal side commonly moves far slower than the security landscape in the real world. This causes gaps in important, relevant security auditing.

Lost expertise value (audit team issue)
Let’s take the case of an experienced airport auditor, a former military facilities security expert. He is checking airplanes on the tarmac for invalid entry. In the course of his work, he notes a U-Haul parked close against the perimeter fence. What is his response? Commonly there is no organized method for him to provide this information to those who need to hear it. He is there that day to check airplane access. Any software entry is concerned only with the results of the aircraft check. While there may be a way for him to add a text note to his audit findings, that information is not made official. Other system users are not notified of the issue, and no statistical history is kept. Because audit efforts are focused on citations by both procedure and software, they usually have no organized and tracked method for an auditor to report a security issue witnessed in the course of the day. As a result, the valuable expertise of the auditors is not being leveraged.

Fixed audit types (software issue)
Audit systems usually “hard code” the list of audits into their system. They do this because those audit types are based on law and rarely change. But if the list of audit types does change, a new one added, for example, then programmers must write more code to manage the new audit. That new audit must then undergo testing and bug fixing before it becomes stable and ready for use. Also, systems are commonly designed for a specific facility, such as an airport. If an airport system were to be reused for a seaport, a major programming rewrite would be required. As a result, fixed audit types are a significant expenditure of both time and money.

Fixed site classification (software issue)
Similar to audit types, audit systems commonly have fixed hierarchies for defining the facility. An airport audit system will have data defining the airport, then the terminal, then a concourse, and perhaps gates and retail stalls below that. But should the nature of the airport change, or should the system be wanted for a seaport, that strict classification can prevent use until another programming rewrite is undertaken.

Citation sticks, no carrots (management issue)
Port authorities have tried programs that issue good citations as well as bad, rewarding an individual for security diligence. This is a good way to encourage good practice. However, audit systems are designed for bad citations; good citations do not fit into the model. Such good citations should be part of the statistics as well. If not, their value is limited and the program is at risk of being discontinued. This is a disservice to the organizations that are putting in the proper time and effort to produce security-conscious employees.

Lack of leveraging and vetting data (management and software issue)
Most audit systems focus on collecting the basics of an audit, feeding statistics only from the citations issued, and providing quarterly or monthly summaries of the findings. This means that in some or many cases, the data that has been collected is not fully leveraged or vetted:
Action on serious security findings may be delayed because a structured, swift way of notification has not been created and deployed.
A lack of streamlined review and approval of audit results could introduce delayed or even faulty information.
Those who wish to watch certain aspects of security may have to wait for monthly or quarterly statements before discovering an issue.
Organizations that wish to improve their security effectiveness may be delayed or prevented in discovering useful information that is important to their training.
The most common failing of data collection systems is a failure to put the collected data to full use.
Analysis of these limitations began in 2014 and expanded in later years. The Redeye audit system is the result of putting that analysis into practice.

Citations and issues
The most critical aspect of Redeye is its capacity for handling more than legal citations. Redeye manages three types of findings:

Citations
Citations are “tickets” tied to a legal requirement. They are generally served to an individual, with that individual’s employer being equally responsible.

Notations
Like citations, notations are issued statements, paper or electronic, served to an individual and/or organization. However, notations are not tied to a legal source. They can be an official commendation for excellence, or a “heads up” or warning about a new security issue that has not yet been considered by law. The greatest value of notations is to the organizations, which want both to see their security training pay off and to be an effective security partner beyond what the law demands.

Issues
Issues are security risks discovered by an auditor. They arise in two ways:
An unrelated issue discovered during a specific audit. For example, an auditor may discover a broken lock on a power panel while conducting an access point audit.
An issue discovered during a general security assessment or walkthrough. For example, a security assessment of an airport’s perimeter is not intended to issue citations but to check for gaps or issues in fencing, surveillance points, unusual activity, and so on.
Security is significantly advanced when the expertise of auditors and assessors is fully leveraged.

Audit based on best value
Redeye’s audit suite is not reliant on legal definitions or on the identification of citations. While such legal requirements will always be a key focus of audits, this should not prevent other types of important audits. A Redeye audit may be tied to a specific legal citation, but it does not need to be; it can be tied to no citation at all, if desired. As a result, a new type of audit designed to tackle a growing security risk can be implemented swiftly and put to use without waiting for external requirements.

Assessments, not just audits
Redeye audits are called assessments because they are not limited to audits. An assessment could be a sweeping security walkthrough, a review of security training effectiveness, an external surveillance watch, or any other security-related evaluation. This produces a much broader picture of the security landscape, in which seemingly separate security issues may be seen to be connected.

Dynamic assessments
Assessments are not hard-coded into Redeye. It takes little or no programming effort to add or modify the list of assessments that your organization intends to use for your particular site, and to collect the specific detail for each one.

Dynamic divisions
Redeye does not have hard-coded divisions such as terminal, concourse, and retail stall. The hierarchy of your site, whether it is an airport, seaport, complex, or campus, can be arranged in a way that makes sense rather than jammed into an artificial structure not meant for your needs. These two capabilities, dynamic assessments and dynamic divisions, prevent having to “live with” a system that was intended for a situation other than your own.

Fully leveraged data
Because the Redeye method collects a clearer and more expansive picture of site security, new questions can be asked, such as:
Are there concentrations of security issues in certain locations, and not simply by company?
Are infrastructure issues contributing to human violations?
Is it possible to effectively combine several assessments during one assessment activity?
Are there seasonal patterns in the human and infrastructure issues being discovered?
Are certain auditors showing greater or lesser capability in spotting true security issues ad hoc?
Should there be a greater number of dedicated security walkthroughs? If so, in what part of the site, and how often?
Is one company’s training proving more or less effective than others’?
Is there a trend of security issues that may suggest a larger risk?
Are there any surprising connections between the issues and the audit violations being discovered?
As security managers become familiar with the extent of the information available to them, and the ways in which that information can be further targeted for enhancement, their level of site security takes on greater certainty.
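The dynamic assessments, dynamic divisions and fully leveraged data passages above describe a data model without showing one. The following is an added example written for this page; it is not Redeye’s own code or schema. It shows the shape those passages imply: assessment types and the detail each must carry are defined as data rather than code, the site hierarchy is an arbitrary tree of free-form division names, every finding carries one of the three kinds (citation, notation, issue), and assessments that found nothing are still stored so that clean-audit rates can be computed. All division names, organizations, assessment types, auditor identifiers and records in build_sample() are constructed for illustration.

```python
# Added example, not Redeye's code: an audit store whose assessment types and site
# hierarchy are data, with citation/notation/issue findings and clean assessments
# recorded so they count toward compliance. All names and records are constructed.
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

FINDING_KINDS = ("citation", "notation", "issue")

@dataclass(frozen=True)
class Division:
    """One node of the site hierarchy; level names are free-form."""
    name: str
    parent: Optional["Division"] = None

    def path(self):
        node, names = self, []
        while node is not None:
            names.append(node.name)
            node = node.parent
        return tuple(reversed(names))

@dataclass
class Finding:
    kind: str                    # one of FINDING_KINDS
    division: Division           # where it was observed
    organization: Optional[str]  # employer of the person concerned, if any
    note: str = ""

@dataclass
class Assessment:
    """One completed assessment, stored even when it found nothing."""
    type_name: str
    division: Division
    auditor: str
    detail: dict
    findings: list = field(default_factory=list)

class AuditStore:
    def __init__(self):
        self.types = {}  # assessment type -> required detail fields (data, not code)
        self.assessments = []

    def define_type(self, name, required_fields):
        self.types[name] = frozenset(required_fields)

    def problems(self, type_name, detail, findings=()):
        """Reasons a record would be refused; an empty list means it is acceptable."""
        if type_name not in self.types:
            return [f"unknown assessment type {type_name!r}"]
        out = [f"missing detail {k!r}" for k in sorted(self.types[type_name] - set(detail))]
        return out + [f"unknown finding kind {f.kind!r}" for f in findings if f.kind not in FINDING_KINDS]

    def record(self, type_name, division, auditor, detail, findings=()):
        problems = self.problems(type_name, detail, findings)
        if problems:
            raise ValueError("; ".join(problems))
        self.assessments.append(Assessment(type_name, division, auditor, dict(detail), list(findings)))
        return self.assessments[-1]

    def _findings(self, kind=None):
        return [f for a in self.assessments for f in a.findings if kind is None or f.kind == kind]

    def by_location(self, depth, kind=None):
        """Roll findings up to `depth` levels of the hierarchy (terminal, gate, ...)."""
        return Counter(f.division.path()[:depth] for f in self._findings(kind))

    def by_organization(self, kind="citation"):
        return Counter(f.organization for f in self._findings(kind) if f.organization)

    def clean_rate(self, type_name):
        """Share of assessments of this type that issued no citation."""
        runs = [a for a in self.assessments if a.type_name == type_name]
        if not runs:
            return None
        return sum(not any(f.kind == "citation" for f in a.findings) for a in runs) / len(runs)

def build_sample():
    """Constructed airport data; a seaport tree (pier, berth) would work the same way."""
    site = Division("Airport")
    term_a, term_b, perim = (Division(n, site) for n in ("Terminal A", "Terminal B", "Perimeter"))
    g12, g14, g3 = Division("Gate 12", term_a), Division("Gate 14", term_a), Division("Gate 3", term_b)
    sector4 = Division("Fence sector 4", perim)
    def cite(div, org):
        return Finding("citation", div, org, "door propped open")
    store = AuditStore()
    store.define_type("access point", ["door_id"])
    store.define_type("perimeter walkthrough", ["weather"])
    store.record("access point", g12, "auditor-1", {"door_id": "A12-1"},
                 [cite(g12, "ACME Ground"), cite(g12, "ACME Ground"),
                  Finding("issue", g12, None, "broken lock on power panel")])
    store.record("access point", g14, "auditor-1", {"door_id": "A14-2"}, [cite(g14, "ACME Ground")])
    store.record("access point", g14, "auditor-2", {"door_id": "A14-2"})  # clean audit, still recorded
    store.record("access point", g3, "auditor-2", {"door_id": "B3-1"}, [cite(g3, "Skyline Catering")])
    store.record("access point", g3, "auditor-1", {"door_id": "B3-1"})  # clean audit, still recorded
    store.record("perimeter walkthrough", sector4, "auditor-1", {"weather": "clear"},
                 [Finding("issue", sector4, None, "truck parked against fence"),
                  Finding("notation", sector4, "ACME Ground", "crew challenged an unbadged visitor")])
    return store
```

Rolling findings up the tree is what lets one set of records answer the location questions: on the constructed data, by_location(2) shows Terminal A carrying four findings while by_organization() shows ACME Ground with three citations, and the power-panel issue at Gate 12 appears in the location view only because issues are stored alongside citations rather than as an unofficial text note. Because clean audits are recorded too, clean_rate("access point") returns 0.4 rather than being unknowable, and adding a seaport-specific assessment type is a define_type() call, not a code change.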