Why is IT important to set up an internal audit program in an information security management system?

[Slide 1]

Hey, everyone. In this video we look at the role audits play in an overall information assurance and security program. It is a key component of governance: the part management plays in ensuring information assets are properly protected.

[Slide 2]

In general, management uses audits to ensure the security outcomes defined in policies are actually achieved. For example, if a policy specifies that all of an employee's access must be removed within 24 hours after the end of their final day with the organization, an audit will check a sample of former employees to confirm all access was removed as the policy requires. Note that an audit does not typically check HOW you achieve the outcomes; it just makes sure that you did. It is the responsibility of management and the security team to create and manage the standards, guidelines, procedures, and controls that lead to policy compliance.

Audits also help drive root cause analysis to fill gaps in our security efforts.

[Slide 3]

First, let's look at how all these pieces come together.

The information assurance and security foundation begins when management collaborates with security to write policies. These policies are usually based on regulatory requirements, industry standards, and an adopted standard of best practice. Each policy clearly states the outcomes management expects when users of the organization's information resources comply with the policy.

Managers, the security team, and IT develop standards and guidelines (which also contribute to baselines) that specify how to achieve the policy outcomes.

Managers, the security team, and IT use these components of the security program to develop and implement procedures and controls, including the training needed for employees.

An audit then checks for results. It starts by ensuring the organization has the right policies in place. It then checks to ensure policy outcomes are reached. For example, suppose an organization has a policy to ensure separation of duties. Remember, a policy dictates “what” not “how.” An audit might look across all applications to determine proper separation of duties exists for selected business processes. If not, business managers, internal audit, and the security team perform a root cause analysis and develop or modify procedures to achieve the required outcome.

Selecting audit targets is based on data sensitivity and the regulatory environment. Financial information in publicly traded companies (regulated by Sarbanes-Oxley), and the systems that store and process it, is always audited. For health care organizations, there is always the possibility of a government audit of patient information protection, governed by the Health Insurance Portability and Accessibility Act (HIPAA). Some information, however, is not covered by specific internal audits.

Internal audit teams often do not care about anything that is not related to financial or other regulated areas of the business. This can leave employee and customer information without third-party assessments. In these cases, the security manager should work with IS or business management to include budget dollars for annual assessments. These audits not only help identify weaknesses in specific data controls; you can also use them to take a look at your overall security framework.

The role of deciding what to audit is usually a business management decision. If you have an internal audit team, they will let you know what needs an audit.

[Slide 4]

We should never simply wait for an audit to determine if we are doing the right things. This is why we should perform various activities to ensure we are keeping up with new threats and associated vulnerabilities. We must also check whether gaps exist, or are widening, between what regulatory and industry compliance requires and what we actually do.

Examples of these activities include

Threat intelligence and associated vulnerability scans
Network behavior monitoring to identify network traffic patterns that statistically exceed traffic baselines
User behavior monitoring to detect unusual user behavior based on user role, location, devices used, time of day, etc.
Daily or weekly spot checks of things like employee termination results
Penetration tests
Third-party reviews of our entire information assurance and security program to identify gaps we simply missed

But not all audit misses mean we should immediately jump to fix something when higher priorities exist.

[Slide 5]

When conducting an audit, auditors use a specific approach to determine if a material finding exists. According to ISACA, auditors work with the business to determine if a finding is material by assessing the degree to which a finding affects

Confidentiality, availability, and integrity
Access control rules on privileges management (least privilege and separation of duties)
Degree of criticality and risk to the business
Compliance with laws and regulations

Let's take a look at how this might work.

[Slide 6]

In this example, we are looking to see if our termination procedures and solutions achieve policy compliance.

In our sample policy, terminations include any departure of an employee, voluntary or involuntary. Further, each affected account must be disabled or deleted within 24 hours of the final day of employment.

First, we

  1. Obtain from the HR system a list of all job terminations since the last audit.

Auditors then work with IT or security staff to

  2. Randomly select 25% of the termination set.

Auditors are either given temporary access or work with security to

  3. Check the audited application (financials, Active Directory, etc.) to ensure the accounts for the terminated employees are disabled or deleted and were placed into that state within 24 hours of the final day of employment.
  4. If more than two terminations were missed, mark the key control for this application or service as failed. (This depends on the size of the tested population set. The larger the set, the more failures accepted.)

Three or more terminations is just an example of a possible material finding. Specific auditors auditing specific organizations may establish different failure thresholds.
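The four steps above as a small, runnable control test, added here as an example (it is not code from the video). It assumes the 24-hour clock starts at the end of the final day, that an account with no timestamp cannot be verified and therefore counts as a miss, and it uses constructed HR and directory data in place of real exports.

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
import math, random
SLA = timedelta(hours=24)  # policy: access off within 24h of the final day

@dataclass
class Termination:  # one row of the HR termination report
    employee_id: str
    final_day: date
@dataclass
class AccountState:  # one account pulled from the audited application
    employee_id: str
    status: str  # "active", "disabled" or "deleted"
    changed_at: "datetime | None"  # when the status last changed, if known

def deadline(t):
    # Assumption: the 24h clock starts at the end of the final day.
    return datetime.combine(t.final_day, datetime.max.time()) + SLA
def sample_terminations(terms, fraction=0.25, seed=0):
    """Step 2: randomly pick at least 25% of the termination set."""
    return random.Random(seed).sample(terms, math.ceil(len(terms) * fraction))

def find_misses(sampled, accounts):
    """Step 3: flag accounts still active, missing, unverifiable or disabled late."""
    by_id = {a.employee_id: a for a in accounts}
    misses = []
    for t in sampled:
        a = by_id.get(t.employee_id)
        if a is None:
            misses.append((t.employee_id, "no account record found"))
        elif a.status not in ("disabled", "deleted"):
            misses.append((t.employee_id, "account still active"))
        elif a.changed_at is None:
            misses.append((t.employee_id, "cannot verify when it was disabled"))
        elif a.changed_at > deadline(t):
            misses.append((t.employee_id, "disabled late: " + a.changed_at.isoformat()))
    return misses
def key_control_passed(misses, max_misses=2):
    """Step 4: more than two misses fails the key control (threshold is the auditor's call)."""
    return len(misses) <= max_misses

# Constructed sample data standing in for the HR report and a directory export.
TERMINATIONS = [Termination(e, date(2024, 3, d)) for e, d in
                [("E001", 1), ("E002", 1), ("E003", 4), ("E004", 5), ("E005", 7), ("E006", 8)]]
ACCOUNTS = [AccountState("E001", "disabled", datetime(2024, 3, 2, 10)),  # on time
            AccountState("E002", "active", None),                        # never disabled
            AccountState("E004", "disabled", datetime(2024, 3, 9, 9)),   # late
            AccountState("E005", "deleted", datetime(2024, 3, 8, 8)),    # on time
            AccountState("E006", "disabled", None)]                      # date unknown
```

Running `find_misses(sample_terminations(TERMINATIONS), ACCOUNTS)` and passing the result to `key_control_passed` reproduces the pass/fail decision; checking the full set instead of a sample finds four misses (E003 has no account at all), so the key control fails.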

[Slide 7]

A material finding is a "HUH?" moment. It means something is not working. To determine the cause of the material finding, we perform a root cause analysis.

The root cause is the actual reason we eventually arrive at an unwanted event. It is not usually the thing that happened just before the event, which is known as the proximate cause.

If we simply put a bandage on the proximate cause, the root cause still exists and will cause us more pain in the future.

I cover root cause analysis in a later video.

[Slide 8]

If you have questions or comments about this video, please leave them on my blog. You can also send email, including ideas for future videos, to one of the addresses listed here.

Until next time, be careful what you click.

Why is it important to set up an internal audit program in an ISMS?

The most important role of the internal auditor, however, is to continually monitor the effectiveness of the ISMS and help senior managers determine if the information security objectives are aligned with the organisation's business objectives.

Why is internal audit so important?

An internal audit is essential to maintain operational efficiency and financial reliability and to safeguard the assets. It provides independent assurance that an organization's risk management, governance, and internal control processes are operating effectively.

What is the most important benefit of an internal auditing activity to management?

Improves the “control environment” of the organization. Makes the organization process-dependent instead of person-dependent. Identifies redundancies in operational and control procedures and provides recommendations to improve the efficiency and effectiveness of procedures.

What is the purpose of internal audits of management systems and how are they conducted?

The purpose of an ISO internal audit is to assess an organization's efficiency as measured by the level of its quality and risk management systems and its overall business practices against one or more ISO Standards.