Establishing Controls for Software Security Assurance
Performing effective software security audits and implementing security best practices can help companies prevent serious risks to their IT systems and data.
Charles H. Le Grand, CIA, CISA, Chief Executive Officer, CHL Global Associates
Many auditors have a workable understanding of the different network security controls used to protect corporate data and assets, including firewalls, intrusion prevention systems, and event monitoring software. However, recent targeted attacks and widely publicized security breaches all point to software vulnerabilities as a greater, but less understood, source of risk. These security vulnerabilities are at the center of many of the major data breaches that resulted in the theft of more than 50 million customer records in the first half of 2005 alone. In April of last year, for instance, clothing retailer Polo Ralph Lauren blamed a software glitch for an incident that compromised the identities of 180,000 customers, and warehouse retail store BJ’s Wholesale Club set aside US $16 million to cover possible losses after a software breach targeted 40,000 consumers.
Companies are not the only ones affected by software vulnerabilities. Last year, an audit group came under fire in the largest identity theft case to date, in which approximately 40 million American Express, MasterCard, and VISA customers had their personal information compromised. The credit card processing company from which the information was stolen, CardSystems, testified before the U.S. Congress in June 2005 that blame should fall on security auditors who improperly certified the processing systems as compliant with approved VISA standards. Unfortunately, research data shows software vulnerabilities will continue to plague organizations in the future. According to a December 2005 report by IT research firm Gartner, 80 percent of companies are expected to suffer an application security incident by 2009.
As these examples show, vulnerable software poses serious risks to successful business operations. As a result, it is essential for internal auditors to determine whether existing controls effectively identify and address flaws that could leave critical systems open to attack, and to recommend that organizations incorporate established best practices as part of their software security efforts.
USING THE SOFTWARE SECURITY AUDIT FRAMEWORK
As software security risks continue to grow and gain more attention among media, legislators, and law enforcement agencies, it is important for companies and auditors to determine which best practices will provide the most effective software security controls and assurance. An example of these best practices is the Software Security Audit Framework developed by information security services company CHL Global Associates and sponsored by Ounce Labs, a software security assurance company.
Software security assurance is an important management responsibility. Because vulnerabilities represent significant control deficiencies in terms of secure and reliable information, processes, and reporting, software security should fall within the direct purview of the chief executive officer (CEO), chief financial officer (CFO), and the board’s audit committee. Vulnerabilities also may result in the disclosure of personal and other sensitive information, thus impacting the roles and responsibilities of management positions throughout the enterprise. Consequently, the two most important priorities for executives to consider and balance are assurance and a control's cost and value:
Besides assurance and a control's cost and value, establishing the proper tone at the top allows the organization to develop the necessary IT security infrastructure to safeguard IT assets, including software systems and data. Once software security assurance and each control's cost and value are established, internal auditors can review the company's overall software security environment. The four components of effective governance and software management risk that should be audited in all information systems are:
Auditing these four elements will enable auditors to recommend the implementation of effective software security management policies and procedures, as well as ensure that all practices involving the development, implementation, and maintenance of online systems are assessed frequently to maintain desired levels of software security.
CONTROLS FOR SOFTWARE ASSURANCE
Any enterprisewide program for managing software risk requires executive-level sponsorship and leadership. Although many companies are quick to assign security responsibilities to IT staff, a top-down approach is a far more effective way to ensure budget and other resources are allocated properly among business stakeholders.
Below is information on the top four executive-level controls auditors should keep in mind. These controls — policies, assessments and monitoring, assurance, and audits — are fundamental to an effective software assurance program across the organization’s IT, audit, risk, and development functions, as well as any outsourcing vendors.
When examining an organization's policies, auditors must determine whether:
Security Assessments and Auditing
Internal auditors should identify the following during security assessments and monitoring activities:
Audits of assurance efforts should ensure:
Finally, internal auditors should ensure compliance audits and other audits of information security specifically address the management of source code vulnerabilities. These audits should include:
To maintain reliable operations, protect sensitive data, and comply with regulations, companies must establish a process for managing and auditing software risks. Ensuring these executive-level controls are implemented will help organizations improve the effectiveness of software assurance programs across the entire IT landscape.
As the threats associated with maintaining online systems and sensitive information continue to increase, managers and auditors should make sure companywide software security efforts parallel their liability risks. Given the myriad of tools, techniques, and guidance available, companies should be able to find plenty of information to manage software security risks more effectively and efficiently.
Executives also play an important role in the security arena, helping organizations identify the different threats to software systems, as well as the standards, processes, and technologies necessary to answer critical software security assurance questions. The result will be a repeatable, consistent, and measurable process that addresses internal and external threats to corporate operations, data, and reputation.
For more information, auditors may consult the Software Security Assurance Framework, which details the processes, stakeholders, and metrics required for an enterprisewide approach to software security assurance. The framework also provides in-depth audit guidance and an example audit program, and it aligns different control objectives with key regulatory requirements. To access the framework, visit Ounce Labs' Web site, www.ouncelabs.com/audit.
Charles H. Le Grand, CIA, CISA, is the CEO of CHL Global Associates and has more than 30 years of experience dealing with security, compliance, risk, assurance, and governance matters in the IT field. Prior to forming CHL Global Associates and joining TechPar Group as their managing principal, Le Grand served as The IIA's director of technology practices, where he initiated the organization's Global Technology Audit Guide series. Le Grand also has provided expert testimony to the U.S. President’s Commission on Critical Infrastructure Protection and has served on the board of directors of the Partnership for Critical Infrastructure Security and the Center for Continuous Auditing, among other organizations.