Many companies are implementing continuous risk management activities to reallocaonte resources used for troubleshooting security problems to revenue-generating initiatives, such as the use of real-time notifications that alert key personnel of security threats requiring immediate attention. As a result, these organizations can quickly report on the status of their compliance activities; are aware of vulnerabilities before problems occur; and require fewer resources to prevent, detect, and respond to problems. In addition to these benefits, implementing a continuous risk management program can help IT departments to cost effectively reduce security liabilities and protect their assets, customers, and business partners from common security threats.
Whether an organization has an effective risk management program or is looking for ways to improve an existing one, IT auditors of all levels should understand the different components of an effective continuous risk management program. Doing so will enable auditors to provide recommendations that can help organizations to properly align their people, processes, and technology assets to create a culture of continuous risk management.
Adopting a Culture of Continuous Risk Management
Implementing a continuous IT and security risk management strategy requires all business units (e.g., internal audit, compliance, and security departments) to work together and effectively communicate on the organization's compliance, technology, and risk management efforts. Before a major risk management strategy is undertaken, however, managers and auditors need to understand the company's existing risk culture and threats to its business operations. This will enable auditors to provide recommendations that are in line with the organization's risk management needs. For instance, the presence of weak internal controls may lead to a network security breach that could expose confidential information and other data assets to unauthorized personnel. Worse, this breach could lead to a significant business disruption that impacts the organization's bottom line, reputation, and shareholder value.
Benefits of Automated Risk Management Tools
Automated risk management programs can help organizations enhance the effectiveness of continuous risk management activities. For instance, these programs can help companies:
- Automate their ability to assess vulnerabilities.
- Monitor the organization's security posture in real time.
- Alert key personnel of any security problems immediately.
- Publish policies, inform employees of any changes to security policies and procedures, and confirm that changes are read.
- Track and enforce internal compliance and acknowledgement of corporate policies.
The use of an automated risk management program also can help the organization to position itself favorably for its next audit or regulatory examination. For example, automating and continuously monitoring the organization's compliance with industry-recognized best practices will position the company with a strong security posture during an internal audit, protect the organization from any future security attacks, and lower the cost of security activities. Audit, security, and compliance personnel also can have access to information that provides an audit trail for resolving problems, enforcing policies, and reviewing forensic activities.
Besides requiring all business units to work together during the strategy's implementation, the organization must migrate to a business paradigm in which all employees are accountable for their work and are aware of their duties. Organizations that hold employees accountable are better positioned to manage risks and comply with internal policies and external regulations. Furthermore, organizations that continuously check their compliance activities and manage risks on an ongoing basis can use their resources more effectively, thus lowering operation costs and freeing up resources to create more revenue-generating opportunities and adding new value to its services.
Once IT auditors understand the organization's risk culture and IT infrastructure, they can provide recommendations that enhance existing risk management efforts and compliance. For instance, auditors can recommend that traditional security practices be updated and supplemented with real-time vulnerability assessments, monitoring, and alerts; policy monitoring and enforcement; compliance monitoring; and user training. Such capabilities can enable auditors and management to access information that will help to prevent, detect, and respond to IT security incidents more effectively. (For a list of more effective IT security components, auditors can download this IT Security Risk Management Checklist, (PDF 3KB)) The benefits of these automated capabilities are discussed in greater detail below.
Real-time Security and Activity Monitoring
Monitoring and updating IT security policies and procedures are an important aspect of an organization's risk management efforts. To help organizations ensure the effectiveness of these policies and procedures, auditors can recommend that IT departments continuously gather and analyze information regarding new threats and vulnerabilities, actual attacks on the organization, and the effectiveness of existing security controls. In addition, the IT department needs to provide assurance on the adequacy of its risk mitigation strategy, operations, and initiatives.
There are numerous actions that security personnel and system owners can take when monitoring for new vulnerabilities and developing appropriate mitigation tactics to address them. Actions auditors can recommend include:
Establishing an effective process that monitors for hardware and software vulnerabilities.
Implementing a process to install and test security patches.
Maintaining up-to-date antivirus definitions and intrusion detection attack definitions.
Providing effective oversight of service providers and vendors to identify and react to new security issues.
Monitoring network and host activity to identify policy violations and inappropriate behavior.
Monitoring the host's and network's condition to identify unauthorized configuration and other activities that increase the risk of intrusion or other security threats.
Analyzing monitoring activity results to accurately and quickly identify, classify, escalate, report, and guide responses to vulnerabilities and security events.
Responding to intrusions and other security issues and weaknesses to appropriately mitigate their risk to the organization and its customers as well as restore the company's systems.
Real-time Vulnerability Assessments
In addition, auditors can recommend that IT departments continuously look for network vulnerabilities that expose the organization to unauthorized activity risks, below-average system performance, and other threats that could harm the confidentiality, integrity, or availability of data or information systems. Vulnerabilities can be characterized as weaknesses in a system or control gaps that, if exploited, could enable unauthorized disclosure, misuse, alteration, or destruction of data or information management systems.
Vulnerabilities also are generally classified as known or expected. Known vulnerabilities are discovered by testing or reviewing a system's environment and by identifying policy weaknesses, inadequate system implementations, and personnel issues, while expected vulnerabilities can be reasonably anticipated to occur in the future. Examples of expected vulnerabilities include:
New and unique attack methods that bypass current controls.
Employee and contractor failures to perform security duties correctly.
Personnel turnover, in which current staff members are replaced with less experienced or knowledgeable staff.
New technology introduced with security flaws.
Failure to comply with policies and procedures.
Regardless of whether vulnerabilities are known or expected, auditors should encourage the organization to perform effective and real-time testing of policy compliance and controls to identify these vulnerabilities and other known and expected threats. Auditors can also expand their role beyond that of a consulting capacity and review whether the organization is adopting and testing many of the recommended practices listed above as well as perform internal assessments of the organization's ability to identify vulnerabilities and adopt risk-based controls as needed.
Real-time Vulnerability Alerting
The sophistication of today's zero-day threats (i.e., computer attacks that expose application vulnerabilities for which there is no known solution) creates an immediate problem for the entire organization, its customers, and partners. Many of these zero-day attacks are designed to exploit vulnerabilities in a network infrastructure and its systems. As a result, organizations should implement a rapid response method that identifies vulnerabilities and alerts the necessary personnel to prevent or remediate these threats in real time.
The goal of real-time vulnerability alerts is to allow the organization to execute a rapid response that avoids or minimizes companywide damages. Preparation for the rapid response is a key ingredient for its success and involves defining the policies and procedures that guide the response, assigning responsibilities to the appropriate individuals, providing the necessary training to these individuals, and formalizing information flows among responsible parties. In addition, the response's effectiveness is a function of the organization's culture, policies, procedures, and training and primarily involves people rather than the use of technology. These staff members should represent different business functions ― senior management, compliance, operations, internal auditing, human resources, and IT ― and have expertise in the various aspects of their work.
As part of their work, auditors should take an active role in helping the organization to validate the adequacy of its rapid response capabilities. For example, IT auditors can assess whether the organization has:
A clear definition of material events that justify a rapid response.
Identified a rapid response team along with adequate procedures for initial response and escalating response activities.
Defined clear roles and responsibilities among the rapid response team.
Tested the response against various event scenarios.
A process for updating the rapid response procedures based on changes to the organization's risk profile.
Identified all the necessary reporting criteria for notifying management, law enforcement, regulators, and shareholders, as appropriate.
Policy Monitoring and Enforcement
All employees must formally acknowledge their understanding and acceptance of following company-approved policies. A successful policy enforcement program, however, needs to keep up with changes in the company's risk profile and updates to controls and security practices. These continuous adjustments require ongoing awareness training for employees to confirm that their understanding of security roles and responsibilities is accurate and effective. All employees also must be kept aware and educated on the different threats and vulnerabilities that can affect the organization's daily operations.
Furthermore, senior management should support strong ongoing security policy awareness and compliance, while remaining alert to operational changes that could affect security and communicating these issues to security personnel. Finally, business line managers must have responsibility and accountability for maintaining the security of their personnel, systems, facilities, and information.
As the organization enforces and monitors its security policies, auditors should review documentation that validates whether all staff have acknowledged their understanding of existing policies. Auditors also should review training materials on an annual basis to ensure they are updated to address current policies, practices, and threat scenarios. Training records should go beyond a sign-in sheet for a particular session and include confirmation of the attendees' understanding of these topics. Finally, auditors can look for prior policy violations to help identify areas that may warrant additional education and monitoring.
Companies need to have the ability to proactively know when user violations occur, take the necessary remediation and enforcement steps, help mitigate fraud risks, avoid financial losses, minimize productivity losses, and manage damages to the company's brand and reputation. Therefore, senior managers should ask auditors to perform periodic self-assessments that provide an ongoing evaluation on the adequacy and effectiveness of current policies and procedures, the company's compliance with these IT security policies, and any corrective actions taken to rectify identified security deficiencies.
Establishing a compliance monitoring program will help the organization, the compliance officer, and internal auditor to perform periodic self-assessments as well as:
Identify which regulations the organization must comply with and when regulatory updates occur.
Track and report formal awareness and training of all employees.
Require all employees to be knowledgeable of compliance mandates.
Provide reports to the board and executive management on its compliance status.
Incorporate compliance responsibilities into individual and business unit performance plans.
As a best practice, organizations should educate all employees on internal policies and their security roles and responsibilities. This training should support the company's security awareness program and strengthen compliance with security policies, standards, and procedures. Ultimately, the behavior and priorities of senior management will heavily influence the level of employee awareness and policy compliance, so training and the commitment to security should start with senior management (i.e., take a top-down approach).
The training frequency and method of delivery might vary among different companies depending on their current resources, infrastructure, and needs. Generally, training activities are held annually or as material updates are made to policies, and many companies are using a variety of multimedia approaches, such as in-person seminars, Web-based courses, and video conferences. In addition, many organizations are now asking employees to sign a security awareness agreement at the conclusion of each training session and refresher course to make sure employees are aware of and continuously adhere to these policies.
Throughout the risk management process, auditors should ensure that IT security training materials include a review of the company's acceptable-use policy for desktops and laptops as well as the programs and applications residing in those machines. Examples of issues that should be covered in the acceptable-use policy include desktop security, login requirements, password administration guidelines, and proper use of the e-mail system. Training also should address social engineering tactics, insider fraud, and other threat scenarios along with the organization's policies and procedures that protect against these kinds of threats.
Who Is Responsible?
In today's rapidly changing networked environment, current security technologies such as antivirus programs, firewalls, and intrusion detection systems are not enough to protect an organization's resources from constantly emerging vulnerabilities and threats. As a result, organizations must be proactive in their efforts to deal with IT security issues. To this end, aligning an organization's people, processes, and technology assets is an effective way to minimize security risks and prevent security breaches.
Adopting a successful culture of continuous risk management also requires top-down and bottom-up awareness and acceptance of responsibility among board members, executive management, and company staff. Therefore, for the continuous risk management program to be successful, everyone ― from the chief executive officer to the summer intern ― must be held accountable. IT auditors can become part of this process by helping to validate that a proactive risk management culture exists. Auditors that are not actively engaged in monitoring their organization's risk culture and are not sure where to begin should start by keeping it simple. For instance, auditors can start taking an active role by:
Validating senior management approval of written policies and procedures.
Reviewing the organization's risk assessment to ensure it reflects a realistic understanding of existing risks and mitigating controls.
Reviewing policies, procedures, and training materials to determine whether they are adequate, given the organization's risk profile.
Performing sample tests to validate that policies and procedures are being followed.
In addition, while the company's information security officer is ultimately responsible for aligning the organization's people, processes, and technology assets, everyone in the organization needs to adopt daily security practices that help to mitigate vulnerabilities and understand the risks posed by the unauthorized use of sensitive information or network resources. Consequently, prudent and educated user behavior should be supported by a companywide infrastructure of proactive risk management tools that help to prevent, detect, and respond to network and user vulnerabilities.
Once a culture of continuous risk management is established, the role of the company's compliance officer will also change. He or she needs to advocate for promoting and influencing a positive culture of compliance security management throughout the organization. To help compliance officers in their new role, auditors can recommend that organizations invest in a risk management program that will manage compliance activities, distribute and maintain policies, assess and monitor vulnerabilities, and train employees. Such capabilities provide the information security officer, compliance officer, internal auditor, and other key personnel with access to actionable data to help monitor, maintain, and enforce a culture of information security compliance, which in turn, helps to create a cost effective and continuous risk management culture.