control, and governance
Preparing for the Security Audit — Recommendations for Beginner IT Auditors
Identifying risks and vulnerabilities and evaluating the effectiveness of perimeter security efforts are some of the steps beginner IT auditors need to understand to conduct more effective reviews of security controls.
Lakshmana Rao Vemuri, CISA
Senior Security Consultant
Organizations make different assumptions about the security levels needed to protect their information systems and assets. Although companies may differ on their ideas about IT security, the role of internal auditors is the same: Review the existing security environment and identify the effectiveness of internal controls. Unfortunately, beginner IT auditors have their work cut out for them. Many companies have poorly configured firewalls and intrusion detection systems (IDS), lack monitoring systems to detect noncompliance with IT policies and procedures, use antivirus systems with outdated definitions, and wait too long to patch systems when vulnerabilities are detected. Each of these issues can be a challenge for the seasoned auditor, so those just entering the field have to be up and running quickly. Furthermore, beginner auditors need to understand the complexities of often-disparate computer networks, operating systems, software programs, and hardware. Thus, even experienced auditors must "do their homework" prior to the audit to maximize the review process.
BEFORE THE AUDIT
To conduct successful reviews of security controls, beginner IT auditors must learn what to expect during the audit process. In addition, first-time auditors should understand the appropriate ways to identify security risks and vulnerabilities, evaluate the effectiveness of perimeter security efforts, and work with senior management effectively. The main issues beginner auditors should keep in mind before a security audit takes place are determining existing risks and vulnerabilities, as well as the organization's level of IT governance and compliance landscape.
Once an auditor is tasked with reviewing a company's IT security environment, he or she will have to evaluate the different security levels of all IT assets and how each asset is protected. The auditor also is expected to provide recommendations to improve the organization's IT security and certify whether adequate internal controls are in place to secure all IT assets. To make appropriate recommendations and understand which controls are needed, auditors should identify existing security vulnerabilities and risks in partnership with IT and senior management staff.
One way to identify security risks and vulnerabilities prior to the audit is by recommending that the organization conducts a risk assessment. Besides helping auditors determine which controls would be most effective based on the organization's security needs, a risk assessment can help dissipate resistance to audit results by allowing management to have an accurate picture of the current security landscape before the audit takes place. If the client has not completed a risk assessment, the auditor should conduct a basic risk assessment to identify any weak areas, which in turn will help demonstrate the need for a given control.
IT governance is based on high-quality, well-defined, and repeatable processes, which must be documented and communicated properly, and requires the involvement and commitment from senior management, IT, security, and assurance professionals. One way to review whether a company has an effective IT governance program is by ascertaining that senior management has set clear goals, policies, and procedures and IT management is based on the use of effective frameworks, tools, or best practices. Many frameworks and best practices exist that can help companies in their IT management efforts. Some of the most popular models are the UK's Office of Government Commerce IT Infrastructure Library, ISACA's Control Objectives for Information and related Technology, and the International Organization for Standardization's 17799: 2000 Standard.
Furthermore, when evaluating the effectiveness of existing IT governance practices, auditors should be on the lookout for the following red flags: absence of enterprisewide internal controls or a formal risk management program, and ineffective IT financial reporting and disclosure preparation processes. IT auditors also should note the executive board's or audit committee's level of knowledge about the organization's current IT security landscape and whether the IT department is unable to determine if the information stored in a system has been altered or if the data retention period has been executed properly. Although these indicators are not the only ones internal auditors should consider, they represent some of the main problems faced by organizations lacking an effective IT governance program.
IDENTIFYING SECURITY RISKS AND VULNERABILITIES
Given the current security landscape, beginner IT auditors should make every effort to understand the different security threats that may affect an organization's IT assets. When reviewing a company's security environment, auditors will likely come across one of the following:
Scenarios 2 and 3 usually provide beginner auditors with the most difficulty, because of the level of knowledge required to provide effective security recommendations. When encountering a company that lacks a properly established security infrastructure (i.e., scenario 2), the auditor may use the following plan of action to explain the security landscape and justify investment in a proper infrastructure:
When auditing organizations with a security infrastructure that does not protect IT assets adequately (i.e., scenario 3), auditors can recommend that the IT department:
If the organization does not have the skill set to perform a vulnerability test, it should hire an expert or use scanning tools to detect any system vulnerabilities. However, IT staff using these tools must have a thorough understanding of how to use them to obtain the best results.
WHAT'S NEXT — AUDITING PERIMETER SECURITY IMPLEMENTATION
Senior management is more likely to accept audit recommendations if auditors document the organization's need to enhance IT security efforts first. However, documenting the effectives of perimeter security measures is also important to ensure audit recommendations are established properly. Because many organizations use perimeter security as their main line of defense against external threats, beginner IT auditors need to become familiar with how to identify common problems during and after the perimeter security implementation process.
According to the SANS Institute, a security training and research organization, the following are some of the most common problems companies encounter during the perimeter security implementation process:
Beginner auditors who identify any of the risk areas above should recommend that organizations purchase security tools to help evaluate the IT network's strength and detect network vulnerabilities and risk areas. Some of the tools available for different activities include host-based audit software, network traffic analysis and intrusion detection system tools, security management and improvement programs, and network-based audit and encryption software.
WORKING WITH SENIOR MANAGEMENT
In addition to identifying network vulnerabilities or providing guidance on perimeter security efforts, beginner IT auditors could end up working with senior executives to help maximize the implementation of audit recommendations. As a result, auditors need to watch out for any top management behaviors that may affect the organization's IT security efforts and, consequently, the acceptance of audit results.
First, auditors need to ensure management understands the relationship between business needs and IT security. When management knows which risks relate to specific business goals and objectives, they can begin to understand where investment is needed. Because IT security must focus on mitigating risks to the business, auditors need to help management make this connection. Other behaviors to watch out for include:
When any of the above are encountered, auditors could recommend that executive managers advocate the implementation of the following best practices to ensure the creation of a more effective security infrastructure:
Keeping these pointers in mind will help beginner auditors work with senior executives in a more productive and collaborative fashion, break away any stereotypes that hinder the implementation of security controls, and help organizations be on the road to a more secured IT environment.
IT SECURITY — MORE THAN USING HARDWARE AND SOFTWARE
Reviewing a company's security efforts is an important component of the IT audit process. Knowing what to do prior to the audit, identifying security risks and vulnerabilities, auditing perimeter security efforts, and working with senior management are all essential components of an effective security audit. However, security is only as strong as the organization's weakest link. As a result, internal auditors' role is crucial to ensuring IT assets are protected and secured properly. IT security, therefore, demands more than the use of hardware and software: Organizations must have the right attitude and set the proper tone at the top for security to work. Without this right attitude, future security efforts are likely to fail, and organizations will always be one step behind in their IT security activities.
Lakshmana Rao Vemuri, CISA, is a senior security consultant for Paladion Networks in India. Prior to working as a security consultant, he was a senior IT manager for a public-sector bank in India for 12 years. Vemuri has worked in the field of banking for 23 years and is a certified associate of the Indian Institute of Bankers. He is also a guest faculty professor for the Institute of Chartered Accountants of India in the Information Systems Audit Program.
COMMENT ON THIS ARTICLE
Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.