I once read an article that stated that many people worry about accidental death, particularly in ways that are very frightening, like venomous snakes or spiders, or even alligator attacks. The same article noted that, based on official death statistics, the vast majority of people actually die from chronic health causes, including heart disease, obesity-related illness and other ailments that result from poor attention to long-term personal fitness. In 2003, accidental deaths in the United States numbered roughly 100,000 out of about 2.4 million deaths in total; most of the remainder were attributable to chronic disease.
The point of the article, of course, was that people must focus their attention in the right places when considering what most influences their quality of life. The same issue exists within organizations, where the board and management must ensure they build and sustain the long-term health of the company.
This concept also applies when auditing information security. Does your information security program need to go to the gym, change its diet, or perhaps do both? I recommend you audit your information security efforts to find out.
The internal audit department should evaluate the company’s health—that is, internal auditors should evaluate the critical functions of the organization for long-term sustainability. Do risk management efforts identify and focus on the right risks? Does senior management encourage the right level of risk-taking within defined tolerances? Is the status quo challenged regularly? Is the company considered a good place to work? What could bring the organization down, and are measures in place to prevent or reduce that possibility (by regularly running continuity tabletop exercises, for example)?
To that end, internal audit should have regular talks with management and the board regarding the organization’s information security efforts. Are management and staff anticipating future requirements? Is the organization building “muscle” for critical security activities (development of policy and standards, education and awareness, security monitoring, security architecture and so forth)? Is there a comprehensive security planning process and program? Is there a strategic vision, strategic plan and/or tactical plan for security that is integrated with the business efforts? Can the security team and management sustain them as part of conducting day-to-day business?
Overall, is the information security program focused on the critical information protection needs of the organization, or is it just worried about the accidents?
The exact role of internal audit regarding information security varies greatly among organizations, but it can provide a significant opportunity for internal audit to deliver real value to the board and management. Internal auditors should play a leading role in ensuring that information security efforts have a positive effect on an organization and protect the organization from harm.
Why worry so much about information security? Consider some reasons why organizations need to protect their information:
Availability: Can your organization ensure prompt access to information or systems to authorized users? Do you know if your critical information is regularly backed up and can be easily restored?
Integrity of data and systems: Can your board be confident that information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that could compromise their reliability?
Confidentiality of data: Can you tell your customers and employees that their nonpublic information is safe from unauthorized access, disclosure or use? This is a significant reputational risk today.
Accountability: If information has been compromised, can you trace actions to their sources? Is there an incident response process in place?
An audit of information security can take many forms. In its simplest form, auditors review an information security program’s plans, policies, procedures and key new initiatives, and interview key stakeholders. In its most complex form, an internal audit team evaluates every important aspect of a security program. The depth chosen depends on the risks involved, the assurance requirements of the board and executive management, and the skills and abilities of the auditors. For example, if the organization is undergoing extensive change within its IT application portfolio or IT infrastructure, that could be a good time for a comprehensive assessment of the overall information security program (ideally just before or just after the changes). If last year’s security audit was positive, a specialized audit of a particular security activity or an important IT application may be more useful. The audit evaluation can, and usually should, be part of a long-term (i.e., multi-year) audit assessment of security results.
Defining the audit goals, objectives and scope for a review of information security is an important first step. The organization’s information security program and its various measures cover a broad span of roles, processes and technologies, and just as importantly, support the business in numerous ways. Security really is the cardiovascular system of an organization and must be working at all times.
Firewalls, monitoring technologies, encryption software, network architectural design, desktop asset management, identity management solutions, high-availability solutions, change management and change auditing systems, logical access control solutions—the list of security systems, technologies and processes used is almost endless. The planning phase of the audit needs to ensure the proper focus and depth of audit evaluation. Internal auditors need to determine the level of their involvement, the best audit approach to take during the audit planning, and the skill sets they’ll need.
The decision about how comprehensively internal audit should evaluate information security should be based on an audit risk assessment and include factors such as risk to the business of a security compromise of a critical asset (information or system), the experience of the information security management team, size and complexity of the organization and the information security program itself, and the level of change in the business and in the information security program.
ENCOURAGE CONTINUOUS IMPROVEMENT
Like most audits, an audit of an information security program generally will involve three phases: planning, fieldwork and reporting. Information security programs, however, come in many shapes and sizes, so the audit of information security must be flexible and risk-based. The audit should encourage the organization to build strength, endurance and agility in its security program efforts.
During the planning phase, the internal audit team should ensure that all key issues are considered, that the audit objectives will meet the organization’s assurance needs, that the scope of work is consistent with the level of resources available and committed, that coordination and planning with IT and the information security staff have been effective, and that the program of work is understood by everyone involved. It is important that the audit scope be defined using a risk-based approach so that priority is given to the more critical areas. Less-critical aspects of information security can be reviewed in separate audits at a later date.
In the fieldwork phase, the auditor analyzes the various components of the information security program based on the scope identified in the planning phase. Among the important questions that may be asked in a typical audit are:
Does the information security program reflect the risks and complexity of the organization?
Is the program actively investigating threat trends and implementing new ways of protecting the organization from harm?
Is there an active education and awareness effort, so that management and staff understand their individual roles and responsibilities?
Are the security measures and controls regularly tested for operational effectiveness, and are corrective actions occurring?
Is performance being measured and reported to stakeholders?
How does the organization’s security compare with other well-run similar organizations?
Audit tests could include reviewing program plans and budgets, interviewing key executives, looking at security training material, reviewing management’s test plans and results to evaluate the operating effectiveness of security efforts, reviewing management’s communications to employees regarding the importance of security to the organization and how it contributes to long-term success, and studying the support for, and trends in, performance reporting. On the more technical side, consider assessing intrusion detection practices, testing physical and logical access controls, and using specialized tools to test security mechanisms and potential exposures. The evaluation of business continuity and disaster recovery efforts also could be considered.
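The "testing of logical access controls" mentioned above is one fieldwork step that lends itself to repeatable, scripted evidence rather than interviews alone. The following is an added example (not from the article or its author) of how an auditor might run such a test over an exported account listing joined with HR status. The account fields, the three control rules (separated staff must be disabled, privileged accounts must have MFA, no enabled account may be dormant beyond 90 days) and the sample listing are all assumptions constructed for illustration; a real engagement would use the organization's own policy thresholds and a complete export from the identity system.

```python
"""Scripted audit test of logical access controls (added example).

Assumptions, not from the article: an exported account listing joined to
HR status, and three hypothetical control rules with a 90-day dormancy
threshold. The sample data at the bottom is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Sequence, Tuple

DORMANT_DAYS = 90  # assumed policy threshold for an enabled but unused account

Finding = Tuple[str, str]  # (account name, rule violated)


@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    privileged: bool
    mfa: bool
    last_login: Optional[date]   # None means the account has never logged in
    hr_status: str               # "active" or "separated", from the HR join


def audit_access_listing(accounts: Sequence[Account], as_of: date) -> List[Finding]:
    """Apply each control rule to every account and return the exceptions.

    Rules are evaluated in a fixed order so the output is stable and can be
    diffed against the previous period's results.
    """
    findings: List[Finding] = []
    for a in accounts:
        # Rule 1: access must be removed when HR records a separation.
        if a.enabled and a.hr_status == "separated":
            findings.append((a.user, "separated-but-enabled"))
        # Rule 2: privileged access requires a second factor, even if disabled
        # (a disabled admin account can be re-enabled by mistake).
        if a.privileged and not a.mfa:
            findings.append((a.user, "privileged-without-mfa"))
        # Rule 3: an enabled account nobody uses is an unmonitored foothold.
        never_used = a.last_login is None
        if a.enabled and (never_used or (as_of - a.last_login).days > DORMANT_DAYS):
            findings.append((a.user, "dormant-enabled"))
    return findings


def summarize_by_rule(findings: Sequence[Finding]) -> Dict[str, int]:
    """Count exceptions per rule; this is the figure that goes in the report."""
    counts: Dict[str, int] = {}
    for _, rule in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


def exception_rate(findings: Sequence[Finding], population: Sequence[Account]) -> float:
    """Fraction of accounts with at least one exception, for trend reporting."""
    flagged = {user for user, _ in findings}
    return len(flagged) / len(population) if population else 0.0


# Constructed sample listing, "as of" the assumed period end.
AS_OF = date(2024, 6, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", True, True, True, date(2024, 6, 28), "active"),
    Account("bob", True, False, False, date(2024, 6, 1), "separated"),
    Account("carol", True, True, False, date(2024, 6, 25), "active"),
    Account("dave", True, False, True, date(2024, 1, 15), "active"),
    Account("erin", False, False, False, None, "separated"),
]

if __name__ == "__main__":
    results = audit_access_listing(SAMPLE_ACCOUNTS, AS_OF)
    for user, rule in results:
        print(f"{user}: {rule}")
    print("by rule:", summarize_by_rule(results))
    print(f"exception rate: {exception_rate(results, SAMPLE_ACCOUNTS):.0%}")
```

Run on the sample listing, the test flags bob (still enabled after separation), carol (privileged without MFA) and dave (enabled but unused for over 90 days); erin is disabled, so her missing MFA and login history are not exceptions. The per-rule counts and the exception rate are the kind of measured result the fieldwork question "Is performance being measured and reported to stakeholders?" is asking for, and re-running the same script each period turns a one-off test into trend evidence.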
The bottom line is that internal auditors should be like a company doctor: (1) completing regular physicals that assess the health of the organization’s vital organs and verifying that the business takes the necessary steps to stay healthy and secure, and (2) encouraging management and the board to invest in information security practices that contribute to sustainable performance and ensuring the reliable protection of the organization’s most critical assets.
This article was written by Dan Swanson.