9 Reasons why you are Failing your Information System Audit
Most professionals in my field know the feeling – the tightening of the chest, the quickening pulse, sinking heart, the palpable silence with which an unsatisfactory Information Systems Audit Report is received. If you were the auditor, the experience is akin to being the grim reaper of traditional folklore. There are intimations of heads rolling and no one will quite meet your eye; for a split second you reconsider your career, maybe even your life choices and whether it is worth the heart health. Such has come to be the scene that plays out over and over again, with auditees invariably asking themselves and sometimes you, “How did we get here?”
Information Systems Audits have become a pivotal element for risk-aware organizations looking to improve their security posture and the systems and management controls around Information Systems and IT infrastructure. As organizations leverage information systems to transform business and enhance their value chain, so has the need grown for stakeholders to have visibility of the organization’s IT environment. The modern business seeks assurance that the control environment is effective and efficient in supporting strategic objectives, and insights into the improvement actions that can be taken.
How then, did we get here?
- Strategic Implementation of Controls
At the heart of an Information Security and IT Infrastructure implementation should be the premise that a sound IS control environment can only be achieved through sound and deliberate methods in the selection and implementation of those controls. I often find that in organizations where system and management controls are introduced outside of a security framework, there are bound to be several gaps. This is because choosing and implementing controls based on gut feel tends to depend heavily on the risk perspective and appetite of the individual tasked to do so, and may therefore be skewed towards certain security domains or the concerns of the day. For instance, an organization that has suffered multiple incidents of cyber fraud may focus on logging and monitoring and the implementation of a SIEM, or even forensic controls, rather than addressing the control gaps around asset management, access management or network security that allowed the incident to be possible in the first place.
A more strategic implementation of controls (for example, documentation of processes or investment in IT security tools) is one guided by security frameworks. Common security frameworks include ISO 27001:2013, the de facto international standard for Information Security Management, and NIST Special Publication 800-53, which provides a catalog of security and privacy controls for information systems. Your choice of security framework may be driven by its ubiquity, its coverage, or the possibility of certification to demonstrate compliance, as is possible with the ISO 27001 Standard.
A security framework provides a holistic listing of security controls that organizations can implement, and a yardstick against which they can measure the effectiveness of these controls to definitively answer the question: how secure are we?
Anarchy Rules! “Hardcore anarchists” are everywhere, ruining it for everyone else.
- The Art of Design
Design is a funny word. Some people think design means how it looks. But of course, if you dig deeper, it is how it works. ~ Steve Jobs ~
Closely coupled with the selection of a security framework is the idea that organizations need to put some thought into the design of the security controls they implement. This simply means that prior to the implementation of controls, one should define a plan of which controls to implement and how they would be implemented in order to effectively manage the organization’s risks. A common approach to the design of controls is a risk-based approach that takes into consideration the information security/cyber security risks the organization is exposed to and identifies controls that can be put in place for mitigation. An arguably more sustainable approach would be to take a defense-in-depth strategy to the design of controls, where the organization uses prediction to focus prevention, detection and response resources on the most likely threats and attack methods.
While in and of itself a risk-based approach may be adequate if done right, the sheer volume and constant evolution of the threat and vulnerability landscape may render constantly employing new risk mitigation tactics for every vulnerability prohibitively expensive or impossible. This requires that organizations identify a more sophisticated and sustainable approach to the design of controls.
Finally, mature organizations may choose to define a holistic organizational security architecture that incorporates building blocks of security across the entire organization. Defining a security architecture allows security controls to be tied to business objectives and gives the organization a long-term view of the security controls and technology investments that will be required. A common architecture framework is TOGAF, for organizations wishing to design and build enterprise architecture.
- Governance Vacuum
If Everyone’s Responsible, No One Is!
ISACA’s IT Governance Institute summarizes governance beautifully as “…leadership, organizational structures and processes to ensure that the organization’s IT sustains and extends its strategies and objectives.” This typically relates to the roles and responsibilities for monitoring and controlling information technology capabilities and supporting decision making around IT in the organization. A common feature in organizations is the treatment of governance as an event, notably around big digital transformation processes such as the migration of organizational processes to an ERP or an overhaul of the network. This is because at that point in time, in most cases, there is a 1 to 1 relationship between IT and the strategic direction. Once the IT project is complete, a governance vacuum usually remains in the everyday oversight of IT: no one is left to continually monitor and make the decisions required on governance issues such as the organization’s governance framework (as discussed earlier), strategic alignment with the business objectives, benefits realization, resource optimization and risk optimization.
- Weak 1st Line of Defense
In just about all audits there are always these concerns: “Who is responsible for this control? Who should produce a report on the effectiveness of this? This seems like a responsibility for the internal audit team.” This is always an early indicator that roles and responsibilities, as well as the understanding of management controls, risk management and assurance/audit, are lacking. The first line of defense refers to just that: the first-line management of security risks and controls. This can take various forms. At a very basic level, it includes controls documentation and communication to staff – policies, processes, procedures, standards, guidelines etc. – to ensure that the organization’s security controls are consistently applied. Furthermore, it is important to note that unenforced policies breed contempt. A common symptom of a weak first line of defense is process documentation that does not reflect the actual operations of the organization, either because it is a great copy/paste job off the internet or because it is not reviewed periodically to ensure continued suitability and adequacy in supporting the organization’s processes.
- Weak 2nd Line of Defense
The 2nd line of defense is the monitoring and oversight function played by Risk Management in the organization to ensure that risks and controls are properly managed. Risk Management can be implemented either as a separate function or as a process, depending on the size of the organization. Many organizations that fail the IS audit tend not to have mature risk management processes, translating into unimagined and therefore uncontrolled security risks for the organization.
- Compliance
It has been my experience, especially in heavily regulated industries, that compliance, including information security related legal, regulatory and contractual compliance, is a key focus area. The converse is likely in industries that are not heavily regulated, where the absence of noncompliance consequences, in the form of fines, legal sanctions etc., may be mistaken for compliance. Compliance should be a key component of any security program: organizations should identify and evaluate the regulations that apply to them directly and what compliance would look like in terms of the security controls to be implemented. A great example of the importance of aligning security controls with compliance is the recent enactment of data protection laws and regulations in the region (East Africa) and the world over. These laws and regulations necessitate that organizations, aside from addressing the legal repercussions, identify and implement technical measures to ensure the protection of Personally Identifiable Information processed via their information systems, such as encryption, pseudonymization, access control etc.
Moreover, it should be noted that implementing controls in compliance with security frameworks and standards such as ISO 27001 (Information Security Management) and ISO 27701 (Privacy Information Management) can greatly ease an organization’s compliance efforts with the legal, regulatory and contractual obligations related to security.
- Third Party Risk Management
Most organizations implement robust internal control frameworks only to set themselves up for death by a thousand supplier security risks. Third Party Risk Management ensures that the use of third parties such as IT suppliers, Internet Service Providers etc. does not have a negative impact on business performance, whether through disruption of services or through security breaches.
- Security Awareness and Training
Information Security and Cybersecurity Awareness and Training is important to ensure that the human aspects of security in your organization are covered. Statistically, a large percentage of security breaches are due to human error. While this is true for general staff, it is also true for your IT staff: in order to have a secure organization, your IT staff need to know what they are doing, why they are doing it and how they will do it. It is beneficial for organizations to take IT staff through specialized security training to enhance their skill sets in implementing and maintaining secure information systems and information technology environments. Common areas where specialized training may be required include database security configuration, Active Directory design and implementation, network security configuration, minimum baseline security configurations, ISO 27001, ISO 22301 etc.
Additionally, the organization’s staff should be taken through targeted Role-Based Security Awareness Programs that help them understand the mistakes they are making and teach them to work more effectively.
- Not Doing Audits
This last one is a doozy. Not doing audits is one of the reasons you’re failing audits.
In presenting an unsatisfactory audit report, I am usually obliged to qualify the report by calling attention to the fact that it is the first, and therefore the worst. Whether the intention is to cool temperatures or to present simple fact, this is true. A hallmark of organizations ‘failing’ audits is approaching the audit as a last-minute cram session before a major examination, rather than as a requirement to ‘study all semester long’. Organizations looking to ‘pass’ IS audits need to assess the effectiveness and efficiency of security controls through continuous internal audit programs, Vulnerability Assessments and Penetration Tests, Compliance Assessments etc., so that control weaknesses are identified and resolved early.
An audit is not and should never be a painful process, but an investment in the organization to help ensure that best practices are applied in leveraging Information Systems to protect and grow value.