Chat with Experta

User
We are a SaaS-based company and we are hosted on AWS cloud. Hence we use AWS Security Groups, which act as virtual firewalls. We have multiple security groups. One of the controls in ISO is that a firewall review needs to be performed. The traditional approach is that the firewall owner reviews the rules and provides sign-off, etc. However, since we have multiple security groups, it becomes difficult to review each one. We have implemented a CIS benchmark tailored for AWS. We deploy regular scans on AWS Security Groups, using parameters established by the CIS benchmark. The focus is on detecting potential misconfigurations, especially in the context of publicly open ports, ensuring a robust defence against unauthorized access. Weekly reports are generated and sent to the team. My question is: as part of an audit, can this evidence suffice, since we have automated the process of firewall review and do not perform a manual review?
Experta
I assume your question is about whether the automatic review is a replacement for an internal audit.

Considering that, regardless of whether the firewall review is performed manually or automatically, it is not a replacement for an internal audit. You should audit the review process.

In case your question is about whether automated evidence is acceptable for the audit, please note that, from your text, the CIS benchmark is focused on detection, and this is not sufficient audit evidence that the process of firewall review is being performed.

A review process, besides information gathering, also needs to include information analysis, evaluation, and decision-making (e.g., decision to adjust the CIS parameters in case of need or to act in case an event is detected).

Since you also informed us that weekly reports are generated and sent to the team, you need to show what the team does with the information they receive to prove that the review is being performed.