Security is considered an afterthought in many organizations when they implement a new system, or it only becomes important after that system has suffered a significant security breach. Usually in reaction to an event, organizations put measures in place to address the shortcoming, but as time passes, the sense of urgency and effort is forgotten and things fall into a regular, familiar pattern. A sense of complacency starts forming, and senior management and the board lose their focus on setting the tone at the top regarding security. Three factors can help the board and management create a sense of urgency about safeguarding systems.
1. A Security Policy Framework
Organizations should develop a robust security policy framework that encompasses policy, standards, and guidelines.
Policy. The security policy should detail mandatory requirements that need to be followed by all members of the organization, and it should document a process for addressing noncompliance. Moreover, by demonstrating how the organization has dealt with some public acts of noncompliance or security breaches, the organization can highlight to employees that violations of the security policy will not be tolerated and that it takes such incidents seriously and will act on them.
Standards. These are minimum security requirements that should be set in a particular area. For example, to access their building, employees will need a valid photo ID — issued by the organization — as well as a swipe card. The standards provide the necessary detail for the security personnel to complete their day-to-day tasks. These should be considered mandatory, and only the security manager can seek an exemption.
Guidelines. These are requirements that are provided to the impacted teams to give them parameters or directions in a specific area. For example, in firewall rules, a range of ports may be specified for incoming data.
Auditors should review policies, standards, and guidelines annually to ensure that the requirements are relevant and appropriate to the level of risk. Senior management can set the tone at the top by publicly supporting the overall framework. For example, if there is a new standard or training program, the managing director can introduce and endorse the standard or program.
2. Ownership of Security
There is a common misconception that the IT department owns security. Although IT manages security in many organizations, this only applies to IT systems. Every employee is responsible for security.
From an IT system perspective, a business owner of the system needs to be responsible for specifying how the data should be protected. The IT security function will have the know-how to provide advice and implement security measures. Too many times, though, accountability for security is dumped on IT with little or no input from the business. To ensure this does not occur, clear ownership of systems should be defined together with the roles and responsibilities of key parties in this process. There has to be a partnership between IT and business management; otherwise, gaps in the process will develop and be exposed. It is only a matter of time.
While most security revolves around IT applications and systems, other aspects of security, such as physical security, are not considered in the same light. How often has a stranger "tailgated" or "piggybacked" behind you when you swiped your access card to get onto your floor? Have you stopped and asked this person for his or her ID? When reviewing such a physical security scenario, auditors should expect to see an example of an awareness campaign, such as posters around key exits warning employees not to allow people they don't know to enter the building.
3. Senior Management Leadership
It is imperative that senior management sets the example and provides leadership for security. In some organizations, senior management may believe the business plays no part in this activity. Security managers and chief information officers must change that perception.
This change in attitude needs to occur through education. Too many times there is considerable finger-pointing between IT and top management and a lack of collaboration and foresight, with each side claiming security to be the other party's problem. Security is a joint issue — both parties need to engage and interact. The finger-pointing will carry no weight when there is a breach and all their clients' private data is freely available in the public domain.
How Can Internal Audit Assist?
The simplest and easiest way auditors can contribute to security is to commence the communication among the impacted parties. In most instances, this will manifest itself in an audit issue. Auditors should be ready for the inevitable finger-pointing and blame game and try to focus the conversation on the outcomes. Auditors can act as a change agent for the benefit of the organization by getting IT and senior management focused on working together to solve security issues.
In this role, internal auditors must consider their independence. Although auditors can provide control design advice, they should not be involved in the implementation. Still, auditors need to be part of the solution; otherwise, they may not have a job to go to on Monday morning.