CISOs are quick to point out they are often at odds with internal auditors. Auditors are duty-bound to regulations and internal policy, and are accountable to ensure that industry and federal mandates are carried out by business leaders. Security officers bemoan that auditors pull the security staff in so many directions, and have them concentrating on controls that satisfy so many regs, that compliance supersedes security and the strategic plan is forsaken.
Reality may be a bit less contentious.
"I don't think we have different goals personally. Internal audit and information security have same goal, which is to mitigate risk," says Anthony Noble, vice president of IT audit at media giant Viacom. "Internal audit has a broader frame where we're trying to mitigate financial risk, while information security mitigates data loss or disclosure. They shouldn't have clashing agendas."
Noble has refined this vision sitting on Viacom's equivalent of a security steering committee, an ad hoc entity composed of information security, audit, finance, legal and human resources that formed on the heels of a publicly disclosed breach earlier this year.
As a result, the committee pushed through controls to secure personally identifiable information that include awareness training programs, the elimination of PII from business processes (e.g., the use of Social Security numbers as identifiers), and a DLP implementation that scans files for sensitive information. Noble's job is one of checks and balances that ends up being much more than a rubber stamp on the process. Up front he helps evaluate the committee's plans and points out potential gaps that could increase risk. And on the back end is the validation of whether work was done as promised and that controls are working and effective. His participation up front via the committee allows him to monitor controls as they're being developed and ward off shortcomings before they're put in production.
"It's much more efficient to have that evaluation up front," Noble says, adding that he—and legal—audits against regulations such as Sarbanes-Oxley and state data breach notification acts, as well as internal policy. "We work fairly closely in developing the plan, and then there is that aspect of 'audit blessing' [afterward]."
Mergers and acquisitions (Viacom acquired CBS in 1999, and then the two split again in 2005) as well as the requirements presented by Sarbanes-Oxley drove information security and audit closer.
"[Security and audit] shouldn't have clashing agendas. The main area we might clash is if we say, 'Might it be good to do this control?' [and] they might turn around and say it's too expensive, that there's not enough risk to make the control cost effective," Noble explains. "In the end, we're both trying to mitigate risk. They have to evaluate the risk of data loss and we have to look at the risk of financial information being incorrect."
Whether tossed together contentiously or coexisting amicably, audit and security better get used to the sight of each other, especially in the current economic downturn that could bring more regulation and more demands for IT risk to be documented and presented.
"The current problems have really been driven by people accepting too much risk, and not necessarily that controls weren't there. From a business aspect, they weren't evaluating risk adequately," Noble says. "Personally, that's the aspect [that's going to grow]; you have to document more the risk you're taking to prove you're aware of risk. Enterprise risk management will be key."
Noble isn't in the camp that more controls will be the answer. Companies are already bogged down in expensive compliance programs, especially around SOX and PCI. Former Speaker of the House Newt Gingrich in November went so far as to call for a repeal of SOX.
"Companies are going to look to cut the cost of compliance with SOX and things like that. I can see companies screaming and saying 'SOX is costing us too much, we can't afford it in this climate,'" Noble says. "I think there will be a corresponding push toward more documentation of the business risk being taken by companies and more transparency to that. I think it's going to be difficult to implement more regulations because of the cost element because the cost of the control is going to be more than the risk. It's a cost balance."
Ram Sastry, an internal IT auditor at American Electric Power in Columbus, Ohio, believes that more regulation is inevitable in his industry and that it will draw him closer to information security. New NERC (North American Electric Reliability Corp.) standards that govern cybersecurity in utilities such as AEP aim to narrow gaps that expose critical infrastructure to attack. Sastry's teams are in place to assess what director of IT engineering security Jerry Freese and his teams are doing to ready business units and process owners.
"That's a good place where we have a strong working relationship," Sastry says. Sastry was a member of Freese's Executive Security Committee for three-and-a-half years up until 2006, participating alongside other business leaders in assessing information security projects as they pertain to the business.
Sastry says his role is one of evaluating initiatives for policies, procedures or processes that may be absent and vital to the success of a project. While up-front input is vital, in the end he has to ensure compliance with internal or industry regulations.
"If you ask me from an audit, compliance and regulatory standpoint, committee or no committee, this is what you need to get done," Sastry says.
Sastry, who is responsible for internal audits on NERC policies and processes, as well as AEP's SOX compliance processes, says audit looks at a new policy or upgrade from a different angle than security.
"We look at it from the lens, Can we audit from this policy? Is this policy auditable? Is it actually implementable? Are we having wide-scale exemptions that water down the policy? Are you directing people to do things but there's no way of preventing or detecting violations? Or are there mechanisms for providing a directive control, then preventing them from doing it and detecting them if they had done something inappropriate?" Sastry explains. He adds that his teams review internal control testing and those results are provided to external auditors who use them to build on their testing efforts.
Clearly, there has to be an affinity with information security for internal auditors. Sastry says information security policies and standards are referenced as controls by internal audit.
"Absence of their policy and standard doesn't give me a get-out-of-jail-free card. If there's a problem I will state there's a problem whether there's a missing policy or procedure. Their lagging is my point," Sastry says. "Where they're not lagging, they're absolutely an ally of mine."
Sastry says it's a healthy tension between internal audit and security, one that arises, obviously, when security is lacking an important cog in a policy or process. It's Sastry's job to point out the gap, and the internal or external policy line item that mandates why that gap must be filled. Sastry says the presence of a security steering committee, meanwhile, helps soothe some angst in those cases.
"If you put audit and the independent objective review of systems and security at one end of the spectrum, and you put the processor who is trying to do job No. 1 which is make money and keep customers happy at the other end, [the committee] lies in the center and tries to balance things," Sastry says. "The committee brings all points of views together, and says let's get a compromise, a tradeoff set of solutions that adequately address the risk side, and the cost, compliance and process sides of the equation."
The committee's biggest benefit, Sastry observes, is the instant buy-in it affords to projects.
"At the end of that meeting, everyone agrees we have considered the alternatives, the risk, why we need to do it and we move ahead," Sastry says. "You can go to lower levels of management and say that this has been agreed to by the ESC and now you have to comply with it. In our organization, if senior and executive management say you will do it, generally we will get good adoption."
Clearly the days of operating in silos are over for information security.
"The key is collaboration, especially up front on plans and policies," says Viacom's Noble. "You both need to agree on what needs to be done and the level of control in the organization. From there it's the business of internal audit to go in and validate."
Michael S. Mimoso is editor of Information Security. Send comments on this article to feedback@infosecurity mag.com.
This was first published in January 2009