Today's organizations focus great attention on protecting network perimeters from sophisticated external attacks. A December 2014 survey report from the independent research firm Ponemon Institute reminds internal auditors that organizations also must focus attention on internal security while balancing employee productivity (see "Summarized Survey Results" below).
The Ponemon research, sponsored by data protection company Varonis Systems, indicates that organizations are not taking a holistic approach to information security. Given the current publicized data breaches, organizations — including the board and senior executives — are focusing on ensuring their external borders are secure from outside threats. However, the survey points out that internal threats still need attention.
Internal auditors can help their organizations ensure current security initiatives are balanced between external and internal threats. To do this, the internal audit function should be engaged with the IT department and assign the appropriate personnel to add value to information security discussions. One way auditors can add value is by thinking outside the box regarding security approaches and providing a holistic view of security risks and considerations.
Assessing Security Readiness
Auditors should be engaged early in the conversation regarding risks and potential information security solutions. In addition to its standard assurance service, internal audit should expand its advisory services role with the organization's IT activity to suggest ways to protect the organization from internal and external threats. Examples include working more closely with the security administration function and participating on the organization's security advisory committee.
To be a credible contributor in today's changing IT risk landscape, internal audit needs personnel who are qualified to advise and work with IT and information security specialists. The internal auditor should have a basic understanding of the security technologies used and how they have been integrated with the organization's systems, processes, and procedures. The auditor could obtain this understanding by performing a detailed walkthrough or specific audit of each of these technologies. Previous experience in a security administration role also would benefit the internal auditor.
Summarized Survey Results
A recent Ponemon Institute study, Corporate Data: A Protected Asset or a Ticking Time Bomb?, surveyed more than 2,200 employees of organizations in France, Germany, the U.K., and the United States, with perspectives from both end users and IT and information security personnel. The findings highlight several internal threats that organizations may be overlooking:
- Users have access to confidential data they should not have or no longer require.
- The growth of data in organizations has impacted users' ability to locate and access the data they need to perform their jobs.
- Users encounter long wait times to gain access to data.
- Loss or theft of organizational data has occurred over the past two years.
Regardless of the organization's overall approach to evaluating security risks, internal audit should perform its own risk assessment of the organization's security posture. By leveraging its broad view of the organization, internal audit's assessment can be sufficiently detailed to ensure appropriate coverage of both major and more basic security aspects such as how access is approved and how user security is handled for transferred employees. The Ponemon report points out that it's imperative that organizations cover these basic security activities and processes, because when they aren't working they often are the root causes of external data breaches and internal data losses. The evaluation results could be used as a baseline for annual security reviews.
If the organization contracts with external security providers to assess its security posture, internal audit should be involved from the beginning to ensure the appropriate coverage occurs and includes both external and internal threats. The provider's report should suggest ways to enhance the overall security posture. Based on its organizational experience, internal audit should review those suggestions with an open mind and consider enhancing the suggestions or providing alternatives to the consultant's solutions to best align the suggestions with the organization's philosophy and what's needed to address the risks. Where the consultant's review falls short of suggesting alternatives or may not have assessed certain areas, internal audit should provide additional suggestions and consider assessing areas that were not covered.
Following the risk assessment, the internal audit function should be involved in the organization's discussions to address the risks that were uncovered, including recommending alternatives to standard remediation activities. For example, auditors could suggest supplementing the organization's security administration function with evolving security-as-a-service providers. Such providers could assume certain activities of the current security administration function, such as providing virus definition updates, log management, simple provisioning, or expertise on current security events, freeing up in-house resources to work on larger, higher-risk imperatives or core IT competencies.
The security risk assessment may provide additional advisory or assurance opportunities for internal audit. Examples include suggesting best practices, such as performing more proactive assurance activities on high-risk areas, or recommending places where new security technologies, such as a data-loss prevention solution, could be implemented. As with the risk assessment, internal audit needs to strike a balance between its advisory and assurance roles. The key points for auditors to remember are to engage early, have the right staffing model, think holistically, and keep an open mind.