April 2011
The Information Security Control Environment
Chief audit executives responding to a survey identify the most and least common controls their organizations deploy to protect IT resources.
Meghann A. Cefaratti, PHD
Assistant Professor, Department of Accountancy
Northern Illinois University
Hui Lin, PHD
Assistant Professor, School of Accountancy and MIS
DePaul University
Linda Wallace, PHD
Associate Professor, Department of Accounting and Information Systems
Virginia Tech
Information security management continues to be the most important initiative affecting IT strategy, investment, and implementation in businesses and industries, according to the American Institute of Certified Public Accountants’ (AICPA’s) 2011 Top Technology Initiatives survey. Automated information security controls are essential to reducing business risk by safeguarding business information and IT assets as well as supporting regulatory compliance efforts. IT control frameworks and other guidance, such as International Organization for Standardization (ISO) 27002, ISACA’s Control Objectives for Information and Related Technology, The Committee of Sponsoring Organizations of the Treadway Commission’s Enterprise Risk Management–Integrated Framework, and The IIA’s Guide to the Assessment of IT Risk (GAIT-R), describe specific controls and risk assessment considerations that organizations may use to enhance their internal control environment.
ISO 27002, formerly ISO 17799, is an international information security control standard that outlines specific controls designed to address essential components of effective information security management to safeguard an organization’s information and IT assets. The standard contains 11 categories of controls that may be implemented: security policy management, corporate security management, organizational asset management, human resource security management, physical and environmental security management, communications and operations management, information access control management, information systems security management, information security incident management, business continuity management, and compliance.
Because of the specificity of the controls outlined by ISO 27002, the standard formed the basis for a survey of IIA-member chief audit executives (CAEs), which was conducted as part of a larger study of internal auditors. The 204 survey respondents indicated the extent to which their organizations use IT to implement the 108 information security controls described by the standard on a five-point scale ranging from “strongly agree” to “strongly disagree.”
Most Commonly Implemented Controls
Information access controls are the most extensively supported area of ISO 27002 by CAEs’ organizations (see “Most Commonly Implemented Controls” at right). Six of the top 11 controls that are deployed using IT by CAEs’ organizations are from ISO 27002’s Information Access Control Management section, including enforcing a secure logon process, protecting networks from unauthorized access, and authenticating remote users. The other five controls on the list come from the Communications and Operations Management, and Information Systems Security Management sections. The prevalent use of IT-supported controls from these three sections may lay a foundation for using IT more extensively to support controls outlined in other sections of the standard as a means of improving the information security environment.
Least Commonly Implemented Controls
Six of the 10 least commonly implemented controls are presented in ISO 27002’s Physical and Environmental Security Management section (see “Least Commonly Implemented Controls” below). Although organizations in the survey are using IT to support this section the least, they may be implementing these controls in a manner that does not involve the use of IT. For example, they may implement physical control mechanisms to protect equipment onsite and secure physical facilities. Therefore, consideration of automated controls to support the controls in the Physical and Environmental Security Management section may present the opportunity for organizations to increase the efficiency of the controls and improve the effectiveness of the control environment.
MEASURING THE EFFECTIVENESS OF INVESTMENTS
In the ISO 27002 survey, a subset of 94 CAEs with U.S. publicly listed companies responded to open-ended questions to describe how their organizations measure the effectiveness of IT-related investments on U.S. Sarbanes-Oxley Act of 2002 compliance control efforts. Most frequently, survey respondents say their companies use information gathered during a formal evaluation of IT controls by external auditors, internal auditors, or both, or use a cost-benefit perspective to evaluate controls. Some companies, though, do not have specific measures of the effectiveness of IT-related investments.
Formal IT Control Review
Responding to questions about Sarbanes-Oxley compliance, some respondents indicate that their organization has a formal evaluation process in place to review the effectiveness of IT controls and focuses on the results of formal evaluations made by external auditors or internal auditors. One respondent, whose company focuses on the results provided by its external auditor, says, “If our external auditors don’t find a material weakness related to our IT controls, then we are effective.”
Some CAEs who responded to the Sarbanes-Oxley questions say their company uses the internal audit function to assess the effectiveness of IT. “From an internal controls over financial reporting perspective, internal auditing performs annual assessments for the significant areas based on a formal evaluation process and Sarbanes-Oxley risk assessment,” one respondent says. The results of internal audit reviews often influence the design of key controls that have been identified as best practices.
Another participant notes that a formal evaluation process, such as a Sarbanes-Oxley compliance review, provides an opportunity to improve the organization’s control environment: “We like to reduce the number of manual controls by embedding controls in applications. A side benefit of Sarbanes-Oxley was that we revisited our IT general controls and change controls, and as a result, we have improved a previously ignored area.”
One CAE describes a holistic approach that integrates results from both external and internal auditors: “We measure the effectiveness of IT-related investments on Sarbanes-Oxley by the feedback we get from our internal and external auditors as they perform their assessments.” Overall, respondents consider the effectiveness of the controls and the investment to be linked to the results of the formal evaluation process.
Cost-Benefit Perspective
Companies also are considering the effectiveness of IT control investments from a cost-benefit perspective. “On a case-by-case basis we consider whether the investment will allow us to move from a manual/detective control to an automated/preventive control and estimate the efficiencies to be gained in doing so,” one respondent says. Another respondent focuses on the compliance aspect of IT investment spending: “Any spending necessary to go from noncompliant to compliant is considered effective and justified; any spending beyond that is not.” The CAEs’ responses demonstrate a cautious approach to spending and a focused examination of the expected benefits and costs before implementing a new control.
No Formal Measurement
Several respondents indicate that there is no formal measurement of the effectiveness of IT control investments in place in their organization other than the Sarbanes-Oxley compliance process. One respondent reports that IT control investment effectiveness was “considered part of ‘business as usual’ and not tracked separately. Sarbanes-Oxley-related control requirements were just considered good business practice for IT.” Yet another respondent focuses on compliance as a benchmark and says, “There is no metric associated with measuring the effectiveness of IT-related investments outside of the external review of IT general controls. The success of the financial area in passing the Sarbanes-Oxley audit is the benchmark for success in other areas.” This response suggests that although the focus in evaluating the effectiveness of IT controls is on Sarbanes-Oxley compliance, and not on a formal measurement process focused on IT investments, the benefits of compliance efforts notably affect other areas of the business as well.
IMPLEMENTATION ISSUES
Recent discussions with auditors and IT control experts at a Big Four accounting firm illustrate the control implementation issues that organizations face. First, many organizations may not be familiar with all of the controls outlined in the many IT control and internal control frameworks that are available. Although implementing one framework consistently can provide a stable IT control environment, organizations may miss the opportunity to deploy specific controls outlined by other frameworks and standards that could improve the effectiveness of the control environment. Further, organizations may not be automating controls that historically have been supported by manual procedures. Many of the least commonly implemented IT-supported controls currently may be supported manually. Organizations should review the manual physical controls in place — particularly those designed to support controls outlined in ISO 27002’s Physical and Environmental Security Management section — to identify opportunities for introducing automated controls that could strengthen their internal control environments.
Second, in an environment of ever-decreasing budgets, companies may not have the financial resources to implement specific controls organizationwide. Both survey respondents and control experts note that the benefit of the control must outweigh the cost of implementation.
Lastly, although large organizations tend to have more resources to expend on IT controls than small organizations, they face a scalability problem that small entities may not encounter. An IT analyst for a large organization notes that although the control environment may benefit from the implementation of a specific control or program, the reality of implementing such a control for his organization’s 80,000 users is one that could derail a project from the beginning. He reflected that careful planning and developing realistic expectations for new IT-supported controls or programs before their launch helps to avoid jumping into projects that would not support the organization.
COMMITMENT TO CONTINUED IMPROVEMENT
Although organizations face control implementation issues, the survey results and discussions with control experts suggest four ways in which organizations may continue to improve the effectiveness of their IT control environments:
Although organizations face many challenges regarding their control environments, those that are committed to benchmarking internal control activities, using controls to meet multiple objectives, and considering alternatives to traditional controls may increase the effectiveness of their control environments and better manage their information security risk. The internal audit function can contribute to these efforts by evaluating the internal control activities to ensure they are implemented appropriately and are effective.
To watch the authors' video discussion of information security controls, visit AuditChannel.tv.