Security Audit Findings Spurring Organizational Change
Financial institutions today must be prepared to undergo top-to-bottom audits aimed at finding chinks in their information security architectures, and then go about remediating deficiencies. Where should they look?
Before an institution can interpret and act upon the findings of an audit, it must understand the audit's scope. According to the Information Systems and Control Association, a security audit is broken down into seven categories: systems understanding, security management, security administration, system configuration, access controls, file & directory protection, and reporting & auditing.
Within each category are subcategories outlining the objectives and the steps required by management. Under security administration, for example, are three subcategories: roles & responsibilities, staffing, and security administration procedures. Within security administration procedures, the steps include determining if documented procedures exist and are up-to-date, and evaluating the use of third-party tools to complete security administration activities.
With so many detailed requirements, it's no wonder that institutions are having a tough time keeping up. According to a study of 216 IT organizations by the Security Compliance Council, the three most deficient security controls and procedures are user and application access controls, configuration and change management, and security policies and standards. In general, these deficiencies are being measured by IT organizations. However three areas with high levels of deficiencies (asset classification, application development and maintenance, and data archive and management) are being undermeasured, while two areas with low levels of deficiencies (information access controls, and network and operations management) are being overmeasured. This makes for a misallocation of resources.
In reaction, 75% of the IT organizations surveyed by the Security Compliance Council are taking steps to reallocate IT resources, including automating compliance procedures and controls, employing technology solutions to automate controls and procedures, and increasing staff dedicated to security compliance.
The advent of stricter auditing has resulted in major organizational changes: 73% of companies surveyed are realigning their IT security and internal controls functions (31% are merging IT security and internal controls into a risk management function; 22% are merging IT security into the internal controls function, and 20% are merging internal controls into the IT security function).
In addition to the three major deficiencies cited above, a second tier of deficiencies has emerged from audit findings: database access controls, auditing & reporting, asset classification, information access controls, business continuity management. A third tier of deficiencies has also emerged: application development & maintenance, data archive & management, network and operations management, personnel security, E-mail, Web and Internet access controls, physical and environmental security.
Fortunately, IT organizations don't have to grope in the dark around addressing security audit findings. A new international standard, ISO 27001, has been codified to help organizations implement an effective information security management system. The Institute of Internal Auditors has published recommendations to determine an IT organization's level of maturity in adopting ISO 27001. The recommendations are formulated as a series of questions for auditors to investigate.
â€¢ Does a document exist that specifies the scope of compliance? The "scope document" lists all business processes, facilities, and technologies within the organization.
â€¢ Are business processes and information flows clearly defined and documented?
â€¢ Does a list of information exist? Is it current? Information assets typically include software, hardware, documents, reports, databases, applications, and application owners. The list should be updated regularly.
â€¢ How are information assets classified? Information assets must be classified based on the importance to the organization and level of impact.
â€¢ Is a high-level security policy in place? The policy must convey management's commitment to protecting information, and should also identify security risks and how they'll be managed?
â€¢ Has the organization implemented a risk assessment process?
â€¢ Is a controls list available? Selected controls should be mapped to Annex A of the ISO 27001 standard, which identifies 133 controls divided into 11 domains.
â€¢ Are security procedures documented and implemented?
â€¢ Is there a business continuity management process in place?
â€¢ Has the company implemented a security awareness program?
â€¢ Was an internal audit conducted?
â€¢ Was a gap analysis conducted? A gap analysis links appropriate controls with the relevant business unit.
â€¢ Were corrective and preventive actions identified and implemented? Gaps identified in the internal audit must be addressed, and corrective actions taken.
â€¢ Are there mechanisms in place to measure control effectiveness?
â€¢ Is there a management review of the risk assessment and risk treatment plans? Risk assessments and risk treatment plans must be reviewed at least annually.