April 2006

Preparing for the Security Audit — Recommendations for Beginner IT Auditors

Identifying risks and vulnerabilities and evaluating the effectiveness of perimeter security efforts are some of the steps beginner IT auditors need to understand to conduct more effective reviews of security controls.

Lakshmana Rao Vemuri, CISA
Senior Security Consultant
Paladion Networks

Organizations make different assumptions about the security levels needed to protect their information systems and assets. Although companies may differ on their ideas about IT security, the role of internal auditors is the same: Review the existing security environment and identify the effectiveness of internal controls. Unfortunately, beginner IT auditors have their work cut out for them. Many companies have poorly configured firewalls and intrusion detection systems (IDS), lack monitoring systems to detect noncompliance with IT policies and procedures, use antivirus systems with outdated definitions, and wait too long to patch systems when vulnerabilities are detected. Each of these issues can be a challenge for the seasoned auditor, so those just entering the field have to be up and running quickly. Furthermore, beginner auditors need to understand the complexities of often-disparate computer networks, operating systems, software programs, and hardware. Thus, even experienced auditors must "do their homework" prior to the audit to maximize the review process.

BEFORE THE AUDIT

To conduct successful reviews of security controls, beginner IT auditors must learn what to expect during the audit process. In addition, first-time auditors should understand the appropriate ways to identify security risks and vulnerabilities, evaluate the effectiveness of perimeter security efforts, and work with senior management effectively. The main issues beginner auditors should keep in mind before a security audit takes place are determining existing risks and vulnerabilities, as well as the organization's level of IT governance and compliance landscape.

Once an auditor is tasked with reviewing a company's IT security environment, he or she will have to evaluate the different security levels of all IT assets and how each asset is protected. The auditor also is expected to provide recommendations to improve the organization's IT security and certify whether adequate internal controls are in place to secure all IT assets. To make appropriate recommendations and understand which controls are needed, auditors should identify existing security vulnerabilities and risks in partnership with IT and senior management staff.

One way to identify security risks and vulnerabilities prior to the audit is by recommending that the organization conducts a risk assessment. Besides helping auditors determine which controls would be most effective based on the organization's security needs, a risk assessment can help dissipate resistance to audit results by allowing management to have an accurate picture of the current security landscape before the audit takes place. If the client has not completed a risk assessment, the auditor should conduct a basic risk assessment to identify any weak areas, which in turn will help demonstrate the need for a given control.

IT governance is based on high-quality, well-defined, and repeatable processes, which must be documented and communicated properly, and requires the involvement and commitment from senior management, IT, security, and assurance professionals. One way to review whether a company has an effective IT governance program is by ascertaining that senior management has set clear goals, policies, and procedures and IT management is based on the use of effective frameworks, tools, or best practices. Many frameworks and best practices exist that can help companies in their IT management efforts. Some of the most popular models are the UK's Office of Government Commerce IT Infrastructure Library, ISACA's Control Objectives for Information and related Technology, and the International Organization for Standardization's 17799: 2000 Standard.

Furthermore, when evaluating the effectiveness of existing IT governance practices, auditors should be on the lookout for the following red flags: absence of enterprisewide internal controls or a formal risk management program, and ineffective IT financial reporting and disclosure preparation processes. IT auditors also should note the executive board's or audit committee's level of knowledge about the organization's current IT security landscape and whether the IT department is unable to determine if the information stored in a system has been altered or if the data retention period has been executed properly. Although these indicators are not the only ones internal auditors should consider, they represent some of the main problems faced by organizations lacking an effective IT governance program.

IDENTIFYING SECURITY RISKS AND VULNERABILITIES

Given the current security landscape, beginner IT auditors should make every effort to understand the different security threats that may affect an organization's IT assets. When reviewing a company's security environment, auditors will likely come across one of the following:

  • Scenario 1 — IT security controls properly address risks and vulnerabilities to IT assets. Minor modifications may be necessary to enhance the efficiency of existing controls.
  • Scenario 2 — The company lacks a proper security infrastructure. Therefore, because any recommendations will be implemented for the first time, organizations may not feel they are reinventing the wheel or spending additional money to recreate already-established controls.
  • Scenario 3 — The auditor comes across an existing security infrastructure that does not protect IT assets adequately due to poor configuration, monitoring, or management. The auditor then has to identify current risk levels, their possible impact, and provide recommendations. Thus, the organization has to spend additional time and resources to comply with the audit's recommendations.

Scenarios 2 and 3 usually provide beginner auditors with the most difficulty, because of the level of knowledge required to provide effective security recommendations. When encountering a company that lacks a properly established security infrastructure (i.e., scenario 2), the auditor may use the following plan of action to explain the security landscape and justify investment in a proper infrastructure:

  • Recommend a risk assessment be completed to determine the value of IT assets. This will give senior management an understanding of the various security threats that may affect or are affecting the business.
  • Recommend that the IT department installs passive network tools to demonstrate the frequency of remote access attempts and external probes. This will help managers gain a thorough understanding of the network's topology (i.e., what services are available, what operating systems are in use, and what vulnerabilities may be exposed on the network).
  • Explain to top managers how security threats may affect the organization’s reputation and financial stability.
  • Explain the legal ramifications of a security breach due to poor internal controls and the consequences of noncompliance with specific data laws and regulations.
  • Provide executives with information on the latest cyber crime statistics and how they have affected similar organizations. This will help instill a sense of urgency for securing IT systems.
  • Talk to executives about the possibility of insider threats by listing the different data assets and systems that could be affected. The auditor could do this by performing a data classification exercise and informing executives of the results. This will help point out how much money the organization is loosing due to its lack of proper security controls and any losses of bandwidth due to unproductive use of network resources.

When auditing organizations with a security infrastructure that does not protect IT assets adequately (i.e., scenario 3), auditors can recommend that the IT department:

  • Runs a vulnerability scanning tool on the network from outside the firewall's demilitarized zone (DMZ) to identify any security vulnerabilities.
  • Conducts a network vulnerability assessment and submits the report to executive managers. The report should explain all IT security threats and their impacts, as well as expose any security gaps and weaknesses in the IT infrastructure.

If the organization does not have the skill set to perform a vulnerability test, it should hire an expert or use scanning tools to detect any system vulnerabilities. However, IT staff using these tools must have a thorough understanding of how to use them to obtain the best results.

WHAT'S NEXT — AUDITING PERIMETER SECURITY IMPLEMENTATION

Senior management is more likely to accept audit recommendations if auditors document the organization's need to enhance IT security efforts first. However, documenting the effectives of perimeter security measures is also important to ensure audit recommendations are established properly. Because many organizations use perimeter security as their main line of defense against external threats, beginner IT auditors need to become familiar with how to identify common problems during and after the perimeter security implementation process.

According to the SANS Institute, a security training and research organization, the following are some of the most common problems companies encounter during the perimeter security implementation process:

  • Management and IT staff believe that once a firewall is in place, they have sufficient security and no further checks and controls are needed on the internal network.
  • Analog lines and modems are provided to connect to an Internet service provider or have dial-in access to the desktop system, thus bypassing perimeter security measures.
  • Internal host network services are passed through security perimeter control points unscreened.
  • Firewalls, hosts, or routers accept connections from multiple hosts on the internal network and from hosts on the DMZ network.
  • The organization allows incorrect configuration of access lists, which results in allowing unknown and dangerous services to pass through the network freely.
  • The details of logged user activities are not reviewed regularly or are insufficient, thus deteriorating the effectiveness of the monitoring system.
  • Hosts on the DMZ or those running firewall software also are using unnecessary services.
  • Support personnel use unencrypted protocols to manage firewalls and other DMZ devices.
  • Employees are allowed to run encrypted tunnels through the organization's perimeter device without fully validating the tunnel's end-point security.
  • The company uses unsecured or unsupported wireless network applications.

Beginner auditors who identify any of the risk areas above should recommend that organizations purchase security tools to help evaluate the IT network's strength and detect network vulnerabilities and risk areas. Some of the tools available for different activities include host-based audit software, network traffic analysis and intrusion detection system tools, security management and improvement programs, and network-based audit and encryption software.

WORKING WITH SENIOR MANAGEMENT

In addition to identifying network vulnerabilities or providing guidance on perimeter security efforts, beginner IT auditors could end up working with senior executives to help maximize the implementation of audit recommendations. As a result, auditors need to watch out for any top management behaviors that may affect the organization's IT security efforts and, consequently, the acceptance of audit results.

First, auditors need to ensure management understands the relationship between business needs and IT security. When management knows which risks relate to specific business goals and objectives, they can begin to understand where investment is needed. Because IT security must focus on mitigating risks to the business, auditors need to help management make this connection. Other behaviors to watch out for include:

  • Not understanding the importance of IT security or being able to quantify the worth of the organization’s reputation if a security breach occurs.
  • Relying on temporary or short-term solutions, which result in the resurfacing of previous problems.
  • Relying on a vendor's firewall only for perimeter security.
  • Not managing the operational aspects of IT security effectively and efficiently.
  • Not realizing the consequences of poor information security.
  • Assigning people who are incompetent or can't perform their duties effectively to specific job functions, as well as improperly training IT security staff.

When any of the above are encountered, auditors could recommend that executive managers advocate the implementation of the following best practices to ensure the creation of a more effective security infrastructure:

  • Get senior-level support for IT security initiatives and ensure management understands the business' security needs and the processes required to meet those needs.
  • Set aside a contingency fund every fiscal year to finance any unforeseen security infrastructure problems. The risk management process should be used to identify what needs to be handled through the standard budgetary process as much as possible.
  • Draft, establish, and enforce a written security policy that is adopted companywide and lists clear procedures to support the organization's IT security goals.
  • Conduct frequent and mandatory security awareness training for all employees.
  • Define the roles and responsibilities of key security personnel.
  • Develop a system for managing IT security controls and create metrics to measure and report the effectiveness of security controls to senior executives.
  • Draft a short- to medium-range road map detailing how to implement security infrastructure improvements.
  • Acquire necessary, networked-based, security audit tools to improve the performance of internal controls.
  • Hire a dedicated team with proven IT security skills, or ensure security employees have the necessary expertise to handle assigned roles and responsibilities.

Keeping these pointers in mind will help beginner auditors work with senior executives in a more productive and collaborative fashion, break away any stereotypes that hinder the implementation of security controls, and help organizations be on the road to a more secured IT environment.

IT SECURITY — MORE THAN USING HARDWARE AND SOFTWARE

Reviewing a company's security efforts is an important component of the IT audit process. Knowing what to do prior to the audit, identifying security risks and vulnerabilities, auditing perimeter security efforts, and working with senior management are all essential components of an effective security audit. However, security is only as strong as the organization's weakest link. As a result, internal auditors' role is crucial to ensuring IT assets are protected and secured properly. IT security, therefore, demands more than the use of hardware and software: Organizations must have the right attitude and set the proper tone at the top for security to work. Without this right attitude, future security efforts are likely to fail, and organizations will always be one step behind in their IT security activities.

Lakshmana Rao Vemuri, CISA, is a senior security consultant for Paladion Networks in India. Prior to working as a security consultant, he was a senior IT manager for a public-sector bank in India for 12 years. Vemuri has worked in the field of banking for 23 years and is a certified associate of the Indian Institute of Bankers. He is also a guest faculty professor for the Institute of Chartered Accountants of India in the Information Systems Audit Program.

 

Interested Security Auditing
Hi I really think your Post is good and gives straight information on how beginners should start with their audits and how important it is to know what you need to do before you even Start the Audit I'm interested in being a Auditor myself but the knowledge seem too much little to even cure the smallest problems in a network. I'm in need of good material that I'd study for a couple of Months maybe, before I can venture into this field CIAO
Posted By: Njabulo Thwala
2013-04-11 5:43 PM


COMMENT ON THIS ARTICLE

Internal Auditor is pleased to provide you an opportunity to share your thoughts about the articles posted on this site. Some comments may be reprinted elsewhere, online, or offline. We encourage lively, open discussion and only ask that you refrain from personal comments and remarks that are off topic. Internal Auditor reserves the right to edit/remove comments.

Name:

Email:

Subject:

Comment:

To make something bold:
<strong>Text to bold</strong>

To make something italic:
<em>Text to italicize</em>

To make a hyperlink:
<a href="URL">Text to link</a>

April 2013 Cover Subscribe Now

Mitigate Career Risk CRMA

Save on IIA Seminars  

Write for FSA Times

 

 Twitter

facebook IAO 

IA APP