In the field of information security, enterprise infosec pros have one straightforward objective: Keep confidential information protected from unauthorized individuals, while ensuring the data retains its integrity and is available to those who need it.
In order to accomplish this, we as security practitioners design and implement a range of internal controls that provide structure to how data is stored, managed, transmitted and ultimately destroyed. While many organizations are subject to periodic validation and certification of these internal controls, all organizations can take steps to ensure their internal controls are comprehensive, efficient and most importantly, effective. These steps, which we’ll discuss in this tip, can go a long way toward not only instilling good governance, but also ensuring compliance with related laws and regulations, such as PCI DSS.
Internal controls checklist
There are four key areas that organizations should consider when evaluating their internal controls for data security:
- Control ownership
- Risk alignment
- Monitoring and testing
- Control limitations
Control ownership – One of the central tenets of control strength is ensuring there is clear ownership. As more organizations have moved toward internal control libraries (where controls are standardized and centralized and then applied across business processes), there is a risk of ownership becoming unclear. Even if a business or operating unit is using a standardized library of controls, there must be a clear indication as to who within each department is responsible for the control. Similarly, while a department head or executive may be the one to sign the control attestation, he or she may not be the one responsible for day-to-day ownership of a specific internal control. The true owner of the control must understand 1) the true underlying risk, 2) the purpose and design of the control, and 3) how the control is monitored and tested, and must 4) be able to determine whether the control is effective.
Risk alignment – The danger with many internal controls is that they are created to address a “perceived” risk without a real analysis of the inherent threat. Without a clear understanding of both the real threat and its potential impact, it is impossible to design the appropriate control. Remember, internal controls do not eliminate risk; they only bring it within acceptable tolerance levels. There is always a component of residual risk, despite the presence of a control. Therefore, it is critical that any key control designed to protect confidential data must 1) be tied to a risk assessment that gives a rationalization for the control, and 2) identify the expected level of residual risk. This does not have to be a complex analytic exercise (although this data can be modeled); it could be as simple as a narrative that describes the risk, how the control is effective (assuming it is properly maintained), and what potential risk scenarios exist despite the presence of the control.
Monitoring and testing – Perhaps one of the most misunderstood areas in all of internal control management, and yet perhaps one of the most critical, is that of monitoring and testing. Most people fail to understand the difference. Control monitoring involves understanding who is overseeing a control on a day-to-day basis to ensure it’s being used. Examples may include a supervisor who monitors to see that nightly walkthroughs are conducted (in compliance with clean desk policies), certain types of management reports that may identify control exceptions, etc. Control testing, on the other hand, involves a deliberate process of testing a given control to ensure it’s being utilized as intended. An example of testing would include pulling a controlled sampling of change logs for a period of time to ensure all required approvals were obtained. Generally speaking, monitoring takes place constantly and informally, whereas control testing is typically done periodically, but more formally. Both are important and serve a specific purpose.
Control limitations – Unfortunately, in our increasingly risk-averse business environments, “risk” itself has become something of a dirty word. But, as mentioned above, we cannot hold onto any illusions that internal controls eliminate risk. This is particularly true in the field of information security, because as long as people need to access data to perform their job functions, the data is inherently exposed. Management needs to be aware of what risks are being mitigated through internal controls and what risks still exist. Sometimes merely having this conversation with senior management can be extremely informative. Knowing more precisely what risks exist despite the presence of internal controls can also be helpful when planning incident response programs.
The central theme that runs through this internal controls checklist is that internal controls need to be carefully understood, evaluated and monitored if they are going to truly accomplish what we intend for them. And, taking a deliberate and thoughtful approach to strengthening internal controls is critical to ensuring compliance with legal and regulatory guidelines.
About the author:
Eric Holmquist is President of Holmquist Advisory, LLC, which provides consulting to the financial services industry in risk management, operations, information technology, information security and business continuity planning.