At a large financial institution, several employees did not like how long it took IT to respond to technology and data access requests. They started creating their own spreadsheets to track data used to make their decisions. This “shadow” production data and IT operation lacked controls, backup, and security. Moreover, the organization’s lack of IT and security governance weakened its security program.
The IIA’s Global Technology Audit Guide, Auditing IT Governance, points out that IT governance typically focuses on five key areas: strategic alignment, risk management, value delivery, performance management, and resource management. Information security governance touches all of these areas.
The critical link is risk management. By auditing the organization’s information security governance, internal auditors can better understand its risk culture and the effectiveness of the security program.
To address risk, organizations need to consider aspects such as the sensitivity of the data they own, the value of that data to the outside world, and whether their industry is regulated. This information can help the organization address the elements of an effective information security governance program.
Develop an Enterprisewide Program
If an organization’s information security governance program is left to one individual or group, it will be challenging for it to succeed. An effective program:
- Is led by an information security governance committee.
- Has senior management involvement from business, operations, and administrative areas.
- Comprises a group that can make decisions and has enough authority, budget, and resources to act.
Gather Risk Intelligence Based on the Threats Facing the Organization
The information security governance committee should gather relevant risk intelligence for its industry. For example, peer groups across the industry can share the risks and threats facing their organizations. Government agencies can provide information on nation-states, political unrest, and the state of information security threats. Attending information security conferences can help the committee understand how cyberthreats could impact the organization.
Prioritize the Risks and Define the Tolerance Threshold
IT, business managers, and internal audit should jointly conduct a business-impact analysis at an enterprise level. This analysis should help the organization understand the overall impact of information security risks. The committee should prioritize risks at an enterprise level to ensure its budget is allocated to the highest risks. Organizations that prioritize risks at a division or department level may make decisions that do not address the prioritized risks at an enterprise level.
Create an Organizational Structure and Environment to Address Identified Risks
The organization can ensure it has the structure to address risks by adopting The IIA’s Three Lines Model. First-line roles are most directly aligned with the delivery of products and services. Second-line roles assist with managing risks such as information security. Internal audit, in its third-line role, provides assurance and advice on the effectiveness of governance and risk management.
Plan for Events That Could Cause Interruption of Business Operations
If an organization is not ready for an interruption and does not have a tested and documented plan, it will most likely fail if an actual disruption occurs. The organization should take steps to prevent interruptions:
- Adopt effective security policies and procedures.
- Establish a culture of security awareness training and robust testing such as phishing exercises.
- Test business continuity, disaster recovery, and incident response plans.
- Implement a robust, around-the-clock security monitoring program, including vulnerability management, patch management, and infrastructure and network controls.
- Set up appropriate management of identities and access.
- Implement data classification, data governance, and data leak prevention programs.
- Create a controlled vendor management program encompassing privacy, security, and data leakage.
Auditing the Program
Internal audit should review the effectiveness of the information security governance program and practices. The review should identify any governance committee red flags, including:
- The governance committee does not meet frequently.
- Senior management does not understand the risk, does not attend meetings, and delegates responsibility to lower management.
- Meeting minutes are not detailed enough to understand what was discussed, what decisions were made, and who is responsible.
- There is a lack of understanding of organizational needs around information security budgets, resource requirements, and the status of projects.
The best way for internal auditors to review the effectiveness of the program is to obtain answers to five key questions:
- What are the top five information security risks the organization has identified for the year? Each organization faces different types of risk and has a different level of risk appetite. For example, during the COVID-19 pandemic, some organizations realized their business continuity plans were not adequate and their supply chain posed risks to their success. Activities such as rolling out a bring-your-own-device program or migrating to a new productivity software platform could be top risks, as well.
- Has the organization addressed data governance? The focus should be on the data the organization sends or shares with outside parties. Does the organization have a process to approve the transmission of its data to outside parties? Does the organization know whether its third-party vendors send its data downstream to fourth and fifth parties?
- Do the organization’s employees understand their responsibilities related to the information security program? At a minimum, internal auditors should ask whether employees participate in a robust awareness training program. Does the organization use simulation exercises to test employees’ knowledge?
- Is the organization able to respond to and recover from an information security incident? Specifically, internal auditors should determine whether the organization is able to monitor potential attacks on its systems.
- Is the organization using an industry-accepted information security framework? These frameworks include U.S. National Institute of Standards and Technology 800-53, Center for Internet Security 20 controls, and International Organization for Standardization 27001/27002. What is the organization’s current compliance status against the framework’s security control requirements? Who is responsible for the organization’s compliance with the framework? Must the organization comply with regulatory and industry requirements related to information security such as the U.S. Health Insurance Portability and Accountability Act and the Payment Card Industry Data Security Standard?
Governance Starts at the Top
Information security is an important agenda item at all levels of the organization. The governance over the information security program needs to start from the top and be communicated downstream. Senior management needs to take charge of information security governance while internal audit must review the program’s effectiveness.