control, and governance
Edited by Dennis Lane McGuffie
A CAE is concerned about a security consultant’s relationship with the chief information officer.
Clean Sweep Inc. is a large commercial cleaning and restoration services company with annual revenues approaching US $3 billion. The company’s audit department, led by chief audit executive (CAE) Bert Smith, recently completed an IT security audit. The team reported that no external penetration or network vulnerability testing had ever been performed to assess potential exposures to attacks from internal and external hackers. Moreover, no one had ever assessed the effectiveness of firewalls and other controls implemented to prevent such attacks.
Bert and his team met with the chief information officer (CIO), Frank Pool, to discuss action plans. Frank said he planned to send a request for proposal (RFP) to three firms that could assist with the vulnerability testing and asked Bert and his team to provide suggestions for firms qualified to perform this type of work. Bert was familiar with several firms that employed only certified information systems auditors with extensive experience and a proven commitment to high ethical standards. He provided contact information for those firms to Frank the next day.
A few weeks later, a member of the audit team came to Bert’s office to relay some information he obtained during lunch with an employee of the IT department. The employee heard that instead of sending out an RFP, Frank asked one of his long-time friends — an ex-hacker — to perform the network vulnerability testing. The IT employee was unsure about the friend’s credentials, the specific terms of the arrangement, and whether anyone else in the company had been notified of the scope or timing of the testing.
Bert’s first thought was that any concerns the IT employee raised could easily be addressed during a follow-up audit his team was scheduled to perform in 60 days. But could the review wait that long? What if the ex-hacker is a “black hat” and can’t be trusted? Because Smith and his team made the initial recommendation to perform the testing, could they be implicated if something goes wrong?
Because Frank said he would develop an RFP and asked internal auditing to recommend qualified firms, Bert has an obligation to discuss the situation with him before the scheduled follow-up audit. If the rumor is true, Bert should have the discussion before the ex-hacker performs any work. He should ask, for example, how the individual’s credentials compare to those of the recommended firms. Bert should also meet with the legal or contracts department to discuss any policy implications of using personal contacts for company business.
One would assume the CIO knows better than to hire a black hat, even if he or she is a friend. I don’t see how Bert or his team could be implicated simply from recommending that a network security review be performed, especially when the action plan involved submitting an RFP to reputable and qualified firms. These types of recommendations are relatively common in IT auditing.
If the security specialist is really a friend of Frank’s and an ex-hacker, Bert should advise him to consider using another firm — doing so will help ensure the integrity of the work performed and avoid the appearance of a conflict of interest. If Frank remains insistent on hiring his friend, Bert may need to inform executive management.
Auditors are responsible for the validity of their findings — as well as the worthiness of their recommendations — but they cannot be faulted for the misguided decisions of others. Nonetheless, this situation presents issues that the CAE must navigate.
Bert recommended three firms that employed certified information security professionals and would presumably have ethical hackers on staff. In deciding to engage a friend, Frank may have disregarded purchasing procedures that would have required a statement of work, requests for quotations, and disciplined vendor selection criteria. If the relationship is more personal than business in nature, Frank may not be putting the best interests of his company first.
More troubling is the impact that a hacker can have on the business — the individual could take advantage of the access gained and cause considerable damage. Given the risk associated with hacker access to the company’s lifeblood, it is essential that the security expert or firm possess appropriate credentials. Moreover, their activities need to be governed by a specific statement of work regarding systems, level of penetration, interference with operations, and other criteria.
Auditors have a natural tendency to make recommendations and step back, because they see themselves as independent. However, the repercussions from this situation could be considerable. Bert has valid concerns about the reputation of the individual hired as well as the terms of the engagement and should discuss the situation with Frank immediately. If Bert is not satisfied, he should elevate the matter to the next level of the organization.
Instead of waiting for the follow-up review, Bert should consider visiting with Frank immediately to inquire about the status of the RFP plan. He should let Frank know that the typical factors that should be considered before engaging an ethical hacker would include:
In addition to these factors, the following technical monitoring controls could be used to ensure that the engaged hacker is not a black hat:
Bert and his team cannot be implicated, even though they made the initial recommendation. Frank would be held responsible for not following due diligence procedures and instead engaging his old friend.
Director – Information Systems Business Assurance
Brinker International Inc.
Given the concerns raised by the IT employee and the potential risks to Clean Sweep, it would not be in the company’s best interest for Bert’s team to wait 60 days for a follow-up review. External penetration and network vulnerability tests require disclosure of highly sensitive information to whoever performs the testing. Additionally, business productivity can be adversely affected if the testing is not performed by skilled professionals who work closely with designated internal personnel to minimize disruptions.
Bert should meet with Frank as soon as possible to better understand the proposal process, the scope of testing, and the internal stakeholders/project team involved — this will enable him to confirm appropriate sponsorship for the project and alignment to his team’s recommendations. During the discussion, Bert should emphasize the audit team’s organizational objective to help manage risks, and he should demonstrate his team’s desire to partner with Frank’s team to do what is best for the company. This way, Bert should be able to address the specific concerns communicated by the IT employee without actually involving him or her. A discussion that demonstrates partnership would be more productive than one in which Bert tries to minimize the audit team’s responsibility for any project failures.
If the discussion is framed correctly, Bert should be able to gain the comfort he needs to ensure that the proposal process does not present any significant risks to the company. For any concerns Frank may validate, Bert should help him understand that evaluation of potential third-party service providers is a risk-mitigation process that helps ensure neither the services to be provided nor the firm to be used present any significant risks to the company. This discussion should help both Bert and Frank gain comfort that the proposal process and the project execution are conducted in a manner that protects the company.
How would you handle this scenario? Continue the discussion by sharing your comments below.