The board, management (both staff and line managers), and internal audit each have a significant role in ensuring information security is effective. Auditing information security is a key means of ensuring the appropriate state of security and assuring the board that the organization's key assets are being appropriately protected. Internal auditing can also help prepare the organization for an external regulatory audit (SOX or HIPAA, for example) by evaluating management's efforts and providing recommendations for improvement prior to the external audit. This article will look at the roles of the key players in an internal audit and introduce several types of internal audits.
Information security efforts are designed to protect the organization's information. However, any organization that deploys security technologies and policies but does not audit its systems and personnel compliance is assuming unnecessary levels of risk. Routine, independent reviews of security systems, processes and procedures ensure that adequate protection is in place, and confirm that they are working as designed and that employees are using them effectively. Audits highlight an organization's strengths and weaknesses, allowing the information security team to understand where their efforts can improve – a basic audit function and a key benefit of auditing.
The key players and their roles
Management is responsible for designing and implementing an information security program as they are responsible for protecting and enhancing the value of the organization's assets, including its information assets. Managers within the various business units, who OWN the information, need to define their security requirements based on the significance of the information, all legal requirements, the seriousness of the threat regarding its loss or disclosure to others, and on the achievement of their business objectives.
Executive management must also provide leadership to ensure the organization's information security efforts are supported and understood. They must also invest/assign sufficient resources to information security in order for the controls to be effective.
Information security management needs to organize and implement the information security program including its monitoring (test) program.
The board provides oversight; asking the right questions and encouraging the right results. The board needs to set the right tone at the top, communicating to executive management the importance of an effective information security management program.
Finally, the internal audit function provides assurance to the board and management that the information security program is implemented and adhered to. It also highlights opportunities for improvement. Internal audits tell the board and management whether business units understand the importance of security and adhere to policies, whether their key information assets and systems are secure, and whether programs are in place for continually updating and strengthening safeguards against the many internal and external threats. The internal audit team can also compare current organizational practices with industry practices, i.e. whether the organization is operating comparably to others.
The value of information security audits
Auditing information security is complex, challenging and not for the uninformed. An internal audit provides strategic, operational and tactical value to an organization's operations. Internal auditing can serve as:
- A resource to the board and management for making sure the information security function has the resources, systems and processes for operating an efficient and effective program.
- An assurance tool for management and the board to know that all that should be done is being done regarding information security. By ensuring that qualified professional reviews and audits are performed, the board and management can advance their goal of overseeing the organization's information security program and ensure its continuous improvement and success.
- An independent validation resource that the organization's information security program efforts are proactive and effective against current and emerging threats. Internal audits will also evaluate the organization's efforts to comply with laws and regulations – a critical activity in most organizations these days and an ongoing challenge.
The internal audit team needs to:
- Have a long term information security audit plan,
- Have a strong understanding of the technical and business environments,
- Know what to ask for, and most importantly,
- Know what they are doing, i.e. the skills needed to perform security audits are substantial.
Information security auditing by internal audit needs to be planned, take into consideration the constantly changing technical and business environments, and "complement" but never replace management's responsibility to ensure IT controls are operating properly. The skills necessary to complete IT security audits are extensive and diverse. Typically, the audit team is composed of a variety of experts (i.e. to deliver on the skills needed). To ensure an independent and objective evaluation of the security department's efforts, members of the security staff are rarely on the audit team.
Types of security audits
The four basic approaches to security auditing are organizational audits, results-based audits, point-in-time audits and extended-period audits. Each method focuses on different functions and scope to produce assessment reports ranging from a snapshot of a specific application's performance to an enterprise-wide evaluation of overall security effectiveness.
An organizational audit reviews the management processes and functions an organization has in place for managing security and protecting vital assets. Its focus is to ensure a management function is in place and to see that security and IT managers are using best practices to keep systems operating effectively. It is critical to examine organizational positioning, the level of importance given to IT security, whether there is an IT security risk assessment process and whether there are sufficient resources.
A results-based audit is an approach where the auditor(s) review the security practices within the individual business units and assess the security understanding of the managers and staff. One of the key objectives of an effective security program is that operating management and staff take responsibility for protecting the organization's assets. A results-based audit looks to confirm that this is occurring.
The point-in-time systems audit employs various diagnostic tools, many times the same tools used by an organization's IT staff, to gauge the effectiveness of a security maintenance program and probe for weaknesses in the organization's defenses. An auditor should not find many gaps in an organization that has an enthusiastic and professional security staff on board. What the auditor does bring is a fresh perspective in judging security performance.
An extended-period audit looks to assess the security program's performance over a period of time. It leverages the efforts of all the previously mentioned audit approaches and their results, and provides an overall assessment of the information security program. This type of audit is also useful in the review of new products and services and can be used in reviewing significant organizational initiatives over a period of time, e.g. various e-commerce and other IT initiatives could be audited throughout their development life cycle.
IT security audits contribute to an organization's regulatory compliance efforts by confirming to senior management and the board that the organization's security efforts reflect the many challenging risks and compliance requirements of today's business world. Security practitioners also benefit from obtaining the independent perspectives of the audit team.
Information security management needs to be proactive with the audit team and audit project, i.e. find out early (and ideally even help to "finalize") what the security audit goals, objectives, purpose and procedures (tests) will be; what standards are being used for the evaluation criteria; and finally who is on the team and what their qualifications and "talents" are – it's that simple.
Recommended further reading
Studying "what's new" is a fundamental requirement for implementing and auditing information security effectively. Landmark guidance also comes along every few years, and studying these "classics" is also vital. I've provided a variety of resources regarding information security and its control and auditing. The two resource lists include a mix of some very recent guidance and some of the real "classics" too.
About the author
Dan Swanson is a 26-year internal audit veteran, who most recently was director of professional practices at the Institute of Internal Auditors. Prior to the IIA, Swanson was an independent management consultant for more than 10 years. The author of more than 70 articles on internal auditing and other management topics, Swanson is currently a freelance writer and independent management consultant at an eponymous firm.