Expert Corner: Information Security - Are You Protected?
// by Dan Swanson for Compliance Week
I recently read that many people worry about accidental death, particularly in ways that are very frightening: poisonous snakes or spiders, or even alligator attacks. This same article noted that based on official death statistics, the vast majority of people actually die from chronic health causes: heart attacks, obesity, and other ailments that result from poor attention to long-term personal fitness. In 2003, accidental deaths in the United States numbered around 100,000; chronic health-related deaths were more than 2.4 million.
The point of this article, of course, was that people must focus their attention in the correct places when they consider what would most influence the quality of their lives. Exactly the same issue exists at organizations where the board and management must ensure they build and sustain the long-term health of the organization. This concept also applies when auditing information security. Does your information security program need to go to the gym, change its diet, or perhaps both? I recommend you audit your program to find out.
The internal audit department should evaluate the company’s health; that is, internal auditors should evaluate the critical functions of the organization for long-term sustainability. Do risk-management efforts identify and focus on the right risks? Does senior management encourage the right level of risk taking within defined tolerances? Is the status quo challenged regularly? Is the company considered a good place to work? What could bring the organization down, and are measures in place to prevent or reduce that possibility (say, by running continuity scenarios and exercises)?
To that end, internal audit should have regular talks with management and the board regarding the organization’s information security efforts. Are management and staff anticipating tomorrow’s requirements? Is the organization building “muscle” for critical security activities (policy development, awareness and education, security monitoring, security architecture, secure code development, research and development, and so forth)? Is there a comprehensive security planning process and program? Is there a strategic vision, mission, strategic plan, or tactical plan for security that is integrated with the business? Can the security team and management sustain them as part of conducting day-to-day business? Is the information security program focused on the critical information protection needs of the organization, or is it worried about the accidents? Are the results of security efforts reported regularly?
Evaluating Security
The exact role of internal audit regarding information security varies widely among companies, but it always provides a significant opportunity for internal audit to deliver real value to the board and management. Internal auditors should play an important role in ensuring that information security efforts have a positive effect on an organization and protect the organization from harm.
Why worry so much about information security? Consider some reasons why organizations need to protect their information:
- Availability. Can your organization ensure prompt access to information or systems for authorized users? Do you know whether your critical information is regularly backed up and can be easily restored?
- Integrity of data and systems. Are your board and audit committee confident that this information has not been altered in an unauthorized manner and that systems are free from unauthorized manipulation that could compromise reliability?
- Confidentiality of data. Can you tell your customers and employees that their nonpublic information is safe from unauthorized access, disclosure, or use? This is a significant reputational risk today!
- Accountability. If information has been compromised, can you trace actions to their source?
An audit of information security can take many forms. At its simplest, the auditors will review the information security program’s plans, policies, procedures, and key new initiatives, plus hold some interviews with the key stakeholders. At its most complex, a large internal audit team will evaluate almost every aspect of the security program and even do intrusion testing. This diversity depends on the risks involved, the assurance requirements of the board and executive management, and the skills and abilities of the auditors. For example, if the organization is undergoing extensive change within its IT application portfolio or IT infrastructure, that would be a great time for a comprehensive assessment of the overall information security program (likely best just before or just after the changes). If last year’s security audit was positive, perhaps a specialized audit of a particular activity or an important e-commerce application would be useful. The audit evaluation can, and most times should, be part of a long-term (read: multi-year) audit assessment of security results.
Defining the audit goals, objectives, and scope for a review of information security is a vital first step. The organization’s information security program and its various measures cover a broad span of roles, processes, and technologies, and just as importantly, support the business in numerous ways; security really is the cardiovascular system of an organization and must be working at all times.
Firewalls, monitoring technologies, encryption software, network architectural design, desktop asset management, identity management solutions, high-availability solutions, change management and change auditing systems, logical access control solutions: the list of security systems, technologies, and processes used is almost endless. The planning phase of the audit needs to ensure the proper focus and depth of audit evaluation. Internal auditors need to determine the level of their involvement, the best audit approach to take during the audit planning, and the skill sets they’ll need.
The decision about how aggressively internal auditing should evaluate information security should be based on an audit risk assessment and include factors such as risk to the business of a security compromise of a critical asset (information or system), the experience of the information security management team, size and complexity of the organization and the information security program itself, and the level of change in the business and in the information security program.
Information security standards dictate that information security controls should be selected in the light of an asset-level risk assessment. Aggregating assets is sensible when one is dealing with a group of like assets exposed to the same risks (“risk” being defined as the likelihood of an identifiable threat exploiting a specific vulnerability).
Auditing information security should, therefore, include auditing the organization’s risk assessment process and the appropriateness of the controls selected, implemented, monitored, reviewed, and updated as a result of the risk assessment.
Moving To Continuous Improvement
Like most audits, an audit of an information security program will generally involve three phases: planning, fieldwork, and reporting. Information security programs, however, come in many shapes and sizes, so the audit of information security must be flexible and risk-based. The audit should encourage the organization to build strength, endurance, and agility in its security program efforts.
During the planning phase, the internal audit team should ensure that all key issues are considered, that the audit objectives will meet the organization’s assurance needs, that the scope of work is consistent with the level of resources available and committed, that coordination and planning with IT and the information security staff has been effective, and that the program of work is well understood by everyone involved. It is important that the audit scope be defined using a risk-based approach to ensure that priority is given to the more critical areas. Less-critical aspects of information security can be reviewed in separate audits at a later date.
In the fieldwork phase, the auditor analyzes the various components of the information security program based on the scope identified in the planning phase. Among the important questions that may be asked in a typical audit are:
- Does the information security program reflect the risks and complexity of the organization?
- Is the program actively investigating and implementing new ways of protecting the organization from harm based on threat trends?
- Is there an active education and awareness effort, so that management and staff understand their individual roles and responsibilities?
- Are the security measures and controls regularly tested for operational effectiveness, and are corrective actions occurring?
- Is performance being measured and reported to stakeholders?
- How does the organization’s security compare with other well-run similar organizations?
Audit tests could include reviewing program plans and budgets, interviewing key executives, looking at security training material, reviewing management test plans to evaluate the operating effectiveness of security efforts and their results, reviewing management’s communications to employees regarding the importance of security to the organization and how it contributes to long-term success, and studying the support and trends for performance reporting. On the more technical side, consider assessing intrusion detection practices, testing physical and logical access controls, and using specialized tools to test security mechanisms and potential exposures. The evaluation of business continuity and disaster recovery efforts could be considered as well.
The bottom line is that internal auditors should be the company doctor: (1) completing regular physicals that assess the health of the organization’s vital organs and verifying that the business takes the necessary steps to stay healthy and secure, and (2) encouraging management and the board to invest in information security practices that contribute to sustainable performance and ensuring the reliable protection of the organization’s critical assets.
Editor’s Note: Dan Swanson, CIA, CMA, CISA, CISSP, CAP, is President and CEO of Dan Swanson and Associates. He is a 26-year internal audit veteran, who most recently was director of professional practices at the Institute of Internal Auditors (IIA). As an independent audit consultant, Dan has completed audit projects for many government, federal, and private sector organizations. Presently, Dan is a Compliance Week columnist and has a monthly column with IT Compliance Institute.
Dan will be hosting Ethisphere’s September 20th online symposium, Auditing Information Security.