What Can Auditors Do About Data Breaches?
In the wake of the Target incident, internal auditors should provide assurance that basic security measures are in place in their organization's commerce system.
February 01, 2014
Most people have heard of, or may have been directly affected by, the recent Target data breach, which exposed 40 million customers' credit card information during the busy year-end holiday shopping period. What is known so far is the malware was not identified by antivirus software and the intruders used credentials from a Target business partner.
The fact is that in-store retailing, and e-commerce in general, requires many related interconnections among credit card companies, technology companies, point-of-sale (POS) vendors, etc. All these third parties would be considered extensions of a retailer's own internal network, such that any weakness within one of their networks could possibly open the door to the retailer's network. Such arrangements are not limited only to retailers — most organizations have some type of third-party vendor or partner connecting to their network.
In light of the Target incident, many organizations are now reviewing their own internal procedures. Audits surrounding those controls that detect and prevent network intrusions and third-party vendors would add value to the organization's overall preparedness. Given the sophistication of the Target breach, most organizations would tend to respond by increasing their security infrastructure. However, sometimes the root causes of a breach are weaknesses in basic security procedures, such as:
- Failing to fully test Web server applications from known intrusion techniques.
- Misusing standard password techniques.
- Not performing hardening tests on systems.
- Vendors storing the organization's credentials in unencrypted files.
- Untimely patching of systems.
- Not following standard change-management procedures.
Sometimes organizations become so reliant on sophisticated security controls that they ignore the basic security procedures. Therefore, the internal audit staff could provide assurance that the standard security protocols are working as intended. Questions auditors might ask include:
- Are patches being applied timely?
- Are all website applications tested using all the standard test scripts and not circumventing procedures to get updates out timely?
- Is all computer technology involved in credit card and customer data security hardened?
- Is encryption on mobile devices (e.g., portable computers, tablets, phones, and USB devices) being maintained?
- Are third-party partners and vendors monitored to ensure their security infrastructure is appropriate?
- Are passwords for privileged service accounts stored securely (e.g., encrypted file)?
- Do management's self-assessments include reviews of the organization's basic security protocols?
Overall, organizations rely on sophisticated security technology to detect and prevent breaches. However, it usually is the small things, such as not following simple procedures, that provide an intruder a door to gain access. Internal auditors should step forward and increase their assurance activities regarding these basic security practices.