Critical Information Security Audit Considerations
January 17, 2009
Imagine that the finance department internal audit passed with flying colors. All accounting and finance policies and procedures were found to be in line with industry best standards. Would you sign the financial statements? Your answer should be an emphatic “No”.
Even if accounting and finance is working at a very high level, a significant failure in the information security audit would call into question the quality of all of the organization's financial statements. All financial statements are based on calculations representing accruals, the timing of revenue and expenses, depreciation, tax, amortization, and many more issues tied to the performance of the information technology system. Computer system manipulation, computer fraud, and data loss represent extremely significant risks for every organization.
The most recent annual estimate for the cost of lost data per record is $202 (the study was conducted by the Ponemon Institute, a privacy and data-protection research group, and PGP, a data-encryption vendor), and the average cost per breach for the companies surveyed reached $6.6 million. In January of 2009, Heartland Payment Systems discovered that as many as 130,000,000 private records had been compromised. These losses do occur, and they can happen to you.
Sarbanes-Oxley (SOX) recognizes the importance of IT security to the reliability of financial statements produced by publicly held companies. A significant misstatement on the financials of a company bound by SOX regulations could conceivably send the CEO and the CFO to jail. If you think that you are off the hook because you work for a privately held company, you had better check your bank covenants. Some bank covenants can require essentially the same financial statement quality as SOX-compliant public companies. Therefore, the security and reliability of the IT system is at least as important as the performance of the financial system processes.
Data can also be manipulated from the inside (think Enron, WorldCom, etc.). Procedures should be designed and tested to determine whether insider tampering has occurred, leading to fraudulent results. Management fraud can be more difficult to detect because insiders would attempt to cover their tracks in such a way as to confound an independent auditor. Therefore, management cooperation cannot be relied upon. When using a risk-based model to construct an IT internal audit program, the auditor must give significant weight to the possibility that management itself has reason to hinder his or her efforts.
This article will address specific policies, procedures, and methods related to the security portion of an information technology internal audit. Security is arguably the most important element of an IT audit and requires that validity testing be interwoven through almost every audit procedure. The concepts discussed here embody the foundation of a broad security program. They represent the primary factors that should be considered to ensure that your IT system is providing sound and relevant data.
General Security Concerns:
Confidentiality, integrity, and availability are the cornerstone principles for all information security concerns. Virtually every issue pertaining to organizational security is based on these core principles.
These three principles are implemented through an information security governance program which entails an infrastructure that provides clear guidance on security issues. Security governance begins with a robust policy document that outlines standards and procedures that are implemented and managed consistently.
Security Policies, Procedures, and Standards:
The security policy of an organization is the single most critical element of the information security doctrine. A clear understanding of business objectives and the protection of critical processes should drive security implementation. Policies exist to provide a framework within which employees should make informed decisions. They are high-level determinations by management as to how information security will function. The length of the policy document should be kept to a minimum in order to make clear and concise statements leaving no ambiguity in interpretation. Management should review the policy on a regular basis and make changes as needed. Management support is crucial in order to achieve true security. Without it, the security effort will very likely fail.
Standards are more rule-based documents defining the security requirements. They are directive in nature (emails will require encryption if …). Procedures are step-by-step instructions supporting the requirements codified in the standards. A procedure will list the specific actions required to encrypt an email, for example. Of course, all of these documents require constant review so as to remain meaningful.
Information Risk Management:
Senior management must determine the level of risk acceptable for the organization. This assessment will drive the implementation of all security functions. After defining risk tolerance, management should assign responsibility for risk mitigation to a specific individual or team with the appropriate skills to make informed decisions. Certifications such as CITP, CISSP, and CISA should be included in the criteria for selection of risk management team members. The risk management team should review every conceivable risk and assess the likelihood of the threat occurring. If the likelihood is sufficiently strong, a countermeasure will be installed and monitored via the standards and procedures documents. Common countermeasures range from configuring a basic firewall to establishing a detailed disaster recovery plan.
Once the team is in place, specific processes and procedures for identifying risk should be implemented. The team should carefully identify all vulnerabilities within the organization and any threats to business operations. Once a risk is identified, the team has to mitigate the risk by instituting appropriate countermeasures, transfer the risk to another party through the purchase of insurance coverage, or accept the risk. Ignoring risk is not an acceptable option.
Access Control:
Access control is one of the most important issues in information security. Flaws in the access process can prove devastating. In essence, access control makes sure that only authorized employees can see sensitive information. A properly set up system sign-on will require a three-step process before a user can enter. First, the user is required to identify herself to the system, usually through a user name. The access server sees this access attempt as a user claiming an identity on the system. If the user is known to the system, the next step requires that the user authenticate, or prove to the system that she is who she claims to be. This is done by verifying something you know (password), something you have (token), or something you are (biometrics, e.g. retinal scan). Use of two of these forms of authentication is considered strong authentication. The final step in the process is authorization, or the formal granting of access rights to the user within the system based on the user’s clearance level.
The organization’s security policy should provide guidance on the methods of access control demanded, how clearance levels for users will be determined, what level of authentication will be required, to name just a few critical items.
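The three-step sign-on described above (identify, authenticate with two factors, authorize by clearance level), as an added example that is not part of the original article. The user directory, the PBKDF2 password hashing, the clearance levels and the resource classifications are constructed assumptions; the "something you have" factor is a standard RFC 6238 TOTP token.

```python
import hashlib
import hmac
import struct
import time

# Constructed sample directory (not from the article): each user has a salted
# password hash (something you know), a shared TOTP secret (something you have)
# and a clearance level consulted at the authorization step.
SALT = b"constructed-salt"

def _pw_hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), SALT, 100_000)

USERS = {
    "alice": {"pw": _pw_hash("correct horse"), "totp": b"alice-secret", "clearance": 3},
    "bob":   {"pw": _pw_hash("hunter2"),       "totp": b"bob-secret",   "clearance": 1},
}
RESOURCES = {"general-ledger": 3, "cafeteria-menu": 1}   # clearance required to read

def totp(secret: bytes, t: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; the user's token computes the same value."""
    counter = struct.pack(">Q", int(t // step))
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return str(code).zfill(digits)

def identify(username: str):
    """Step 1: the user claims an identity; return the record if it is known."""
    return USERS.get(username)

def authenticate(user, password: str, otp: str, now: float) -> bool:
    """Step 2: two factors (know + have) give strong authentication."""
    pw_ok = hmac.compare_digest(user["pw"], _pw_hash(password))
    otp_ok = hmac.compare_digest(totp(user["totp"], now), otp)
    return pw_ok and otp_ok   # both are always evaluated, so timing does not leak which failed

def authorize(user, resource: str) -> bool:
    """Step 3: grant access only when clearance meets the resource's level."""
    return user["clearance"] >= RESOURCES.get(resource, float("inf"))

def sign_on(username, password, otp, resource, now=None) -> str:
    # A production sign-on would return one generic message to the caller and log
    # the detailed reason, so step 1 does not reveal which identities exist.
    now = time.time() if now is None else now
    user = identify(username)
    if user is None:
        return "denied: unknown identity"
    if not authenticate(user, password, otp, now):
        return "denied: authentication failed"
    if not authorize(user, resource):
        return "denied: insufficient clearance"
    return "granted"
```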
Physical Security:
Physical security is usually the most intuitively appreciated of the information security domains. Fences, locks, and hardened windows are all easily understood. However, physical security also includes the concept of “defense in depth”. Sensitive areas of an organization, such as a server center, have to be designed with obvious (and not so obvious) obstacles to entry. The server center should be in the center of a building, with no windows and a limited number of access points to impede the flow of traffic. The expected fences, locks, and possibly security guards would prevent unauthorized access to this central location. The walls should extend from the floor to the “true” ceiling (not the hanging ceiling found in most offices). Closed circuit TV monitors, motion detectors, and sound detectors can all offer some protection against intrusion. Fire suppression systems must be carefully designed to avoid pouring enormous amounts of water on expensive computer equipment and, most importantly, to ensure the safety of all employees.
The security policy should provide specific guidance regarding the level of physical security required and the frequency of audits, drills, etc.
Intrusion Detection:
Any system can be vulnerable to unauthorized intrusion. The configuration of routers, firewalls, and other system architecture can be effective if properly designed. There are five generations of firewalls generally employed, each one adding somewhat different functionality. A common setup entails placing a screening router in front of a firewall, thus creating multiple levels of protection. Some intrusion detection systems (IDS) rely on pre-stored signatures of commonly known attacks. The signature base must be constantly updated to remain current. Behavior-based intrusion detection relies on building a set of rules based on normal traffic, then recognizing abnormal traffic which could be an attack. There are many highly motivated criminals out there searching for a vulnerable system. A poorly designed IDS can leave the organization open to violations of privacy laws (PCI credit card requirements, HIPAA, etc.), data loss, data manipulation, and many other unfortunate consequences.
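The two IDS approaches contrasted above, signature-based and behavior-based, run side by side over constructed access-log lines; this is an added example and not code from the original article. The log format ("client path status"), the two signatures and the "mean plus three standard deviations" rule for the behavior profile are assumptions made for the example.

```python
import re
import statistics
from collections import Counter

# Constructed sample access-log lines (not from the article): "client path status".
BASELINE_WINDOW = """\
10.0.0.5 /index.html 200
10.0.0.5 /reports/q4.pdf 200
10.0.0.7 /index.html 200
10.0.0.7 /login 200
10.0.0.7 /ledger 200
10.0.0.9 /index.html 200
""".splitlines()                       # normal traffic used to learn the behavior profile

CURRENT_WINDOW = """\
10.0.0.5 /index.html 200
10.0.0.5 /ledger 200
10.0.0.7 /index.html 200
203.0.113.4 /search?q=UNION+SELECT+1 500
10.0.0.9 /../../etc/passwd 404
""".splitlines() + [f"198.51.100.8 /page{i} 404" for i in range(40)]   # one client probing 40 URLs

# Signature base: patterns of known attacks. It only catches what it already knows.
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)union[\s+]+select"),
    "path-traversal": re.compile(r"\.\./"),
}

def parse(line):
    ip, path, status = line.split()
    return ip, path, int(status)

def signature_alerts(lines):
    """Signature-based IDS: match each request path against the stored signatures."""
    alerts = []
    for line in lines:
        ip, path, _ = parse(line)
        alerts += [(ip, name) for name, pat in SIGNATURES.items() if pat.search(path)]
    return alerts

def build_profile(lines):
    """Behavior-based IDS, learning phase: per-client request counts in normal traffic."""
    counts = list(Counter(parse(l)[0] for l in lines).values())
    return statistics.mean(counts), (statistics.pstdev(counts) if len(counts) > 1 else 0.0)

def anomaly_alerts(lines, profile, k=3.0):
    """Flag clients whose request count is far above the learned baseline."""
    mean, sd = profile
    threshold = mean + k * max(sd, 1.0)   # floor keeps a flat baseline from alerting on +1
    counts = Counter(parse(l)[0] for l in lines)
    return [(ip, n) for ip, n in counts.items() if n > threshold]
```

The scanning client 198.51.100.8 matches no signature and is caught only by the behavior profile, while the single injection attempt is caught only by its signature; this is why the article recommends both kinds of detection.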
Change Control:
All IT systems require update management for software and hardware (called patch management). The organization should have a current inventory of all devices attached to the system. This includes firewalls, servers, workstations, peripherals, mobile devices, etc. Each device should be inventoried with all loaded software and the current version of each. Hardware elements such as processor type, hard drives, optical drives, etc. should also be carefully recorded. This inventory will be critical if a natural disaster were to destroy a facility. The backup media will do very little good if legacy hardware and software must be replaced before a restore can occur. In this event, the configuration inventory will be essential. In short, you must know in great detail the hardware and software elements that make up every device on your system, and you have to ensure that all manufacturer updates are regularly applied.
Another important element of change control regards the procedures used to modify data. Even if you have your system locked down from the outside, an authorized user could modify information to create a false result on a financial statement. Altering the depreciation calculation, for example, could increase net profit and therefore perpetrate a fraud. A clearly defined process for making authorized changes to data or how the data is used should be a serious concern.
Personnel Security Issues:
Employees represent a very significant threat to the organization. Job rotation, segregation of duties, background checks, etc. are critical when protecting data from an organization's own employees. Most computer systems require an acknowledgement by the user at log on that the system is provided for business purposes and that no right of privacy exists for the user. Effective monitoring of employee activities on all computer systems (including internet usage) is a necessary part of the overall security policy. Fraud will increase dramatically during times of economic hardship. Therefore, personnel controls should be viewed with greater importance than usual as we face a recession with uncertain recovery. This type of crime is especially hard to deter since the employees already have access to a great deal of information.
Even honest employees can be tricked into divulging sensitive information or into giving improper access to anyone pretending to be onsite to repair a telephone system, deliver office supplies, etc. This method of subterfuge is called social engineering. Social engineers often approach employees with a confident, charming attitude so as to disarm and win over those who can give access or information. Think of the real-life character of Frank Abagnale played by Leonardo DiCaprio in the movie “Catch Me if You Can”. There are many skilled “scam artists” capable of fooling an organization’s employees. All employees, but especially those in a position to grant physical access to restricted areas or those knowing confidential information, should be continually suspicious of any effort to solicit their “help”. A continuing effort to educate employees on the day-to-day events that can affect security is a critical element of the security program.
Email Security:
The possibility always exists that emails generated internally may contain sensitive information. What constitutes sensitive information can vary depending on the nature of the organization. A health care organization will certainly fall under HIPAA privacy regulations, and a bank would fall under a number of laws restricting financial data. There are a number of products that support email security through encryption or through digital certificates from a trusted third party such as VeriSign, Symantec, and RSA Security. Email encryption and digital certificates are available in the standard Microsoft XP Professional Edition operating system, and they should be used when appropriate as determined by the security policy. The security policy should also anticipate litigation requiring recovery of subpoenaed internal emails. This process is called e-discovery, and lack of planning can be very expensive.
Mobile / Laptop Security:
Many of the startling data losses that make the news are caused by stolen laptops. Now even smart phones can carry enough data to represent a major risk to privacy law compliance. The first rule of mobile security is to realize that no place is safe. Laptop thieves are very good at targeting vulnerable equipment at airports, hotels, conferences, etc. The data carried outside your organization should be protected by setting passwords on the system BIOS, encrypting the data, disabling the guest account, and other prudent steps. Consider installing GPS tracking software.
Conclusion:
Today’s business environment is littered with expensive lessons on lax security. Many states have notification laws requiring that an organization notify anyone whose personal information may have been compromised. The number of individuals with personal information compromised in recent attacks totals in the hundreds of thousands. The loss of reputation can be even more costly. Commit your organization to an in-depth security internal audit. A qualified information security internal audit professional should be consulted in the design and implementation of a full program tailored to the regulatory requirements of your industry and the specific needs of your organization. Look for in-depth experience in security audits and certifications that require expertise in security matters (CITP, CISSP, CISA). An information security internal audit performed by well-trained professionals will strengthen your organization and reduce the risk of a catastrophic security breach.