The Relationship between Internal Audit and Information Security: An Exploratory Investigation Paul John Steinbart Arizona State University Robyn Raschke University of Nevada – Las Vegas Graham Gal University of Massachusetts William N. Dilla Iowa State University © Paul John Steinbart October 21, 2011 University of Waterloo 7th Biennial Symposium on Information Integrity and Information Systems Assurance
Motivation: Security Should be a Team Effort “Two are better than one … A three-fold cord is not quickly broken” Ecclesiastes 4:10, 12
What COBIT says • PO4.15: “Establish and maintain an optimal co-ordination, communication, and liaison structure between the IT function and various other interests inside and outside the IT function, such as … the corporate compliance group” • PO6.1: “The control environment should be based on a culture that … encourages cross-divisional co-operation and teamwork …”
Reality: Miscommunication & Conflict … A lot of places that I’ve seen and been, it’s been a game of cat and mouse. The auditors are trying to catch IT doing something, IT is trying to prevent audit from finding out…. – Security manager, Institution C
Motivation: fill a gap in the information security research literature Prior research has investigated: • Human factors issues regarding security • “Optimal” investments in information security • Stock market reactions to news But, little attention paid to “operational governance” of information security
Research insight – where audit can fit They define audit control as documentation (systems review) and logging
Internal audit can add value [Diagram: Review by Internal Audit linked by “+” signs to Monitoring Controls, Configuration Controls and Access Controls] “We can’t help [management] design controls or tell them that a control is the right one to have in place, but we can help them to monitor it” – Mary Ann Tourney, director of internal audit for Talecris Biotherapeutic, CFO.com 11/10/2009
Research Method: Exploratory interviews Goals: • Understand practice • Identify enablers and inhibitors • Develop model and research propositions Method: Two interviewers per session
Data Set – Educational Institutions • Security not “deal breaker” like defense industry • Affected by multiple regulations (PCI, HIPAA, GLBA, FERPA) • Complex set of users: employees, students, faculty Interviewees: IT security – Institutions A, B, C, D Internal audit – Institutions A, B, and C (audit outsourced at D)
Table 1. Descriptive information about interviewed organizations
Findings • Auditor characteristics that affect the relationship with information security function: • IT knowledge • Communications skills • Role perceptions • Organizational factors also important: • Top management support • Regulations • Cooperation between internal audit and information security benefits both functions
Findings – auditor characteristics
Importance of Auditor’s IT Knowledge We’ve actually been very fortunate to hire a very competent IT internal auditor. Intimately familiar with ITGC …“[Internal audit’s level of IT knowledge] with recent hires they’ve actually gone substantially better than where they were … we’re fortunate to hire an IT auditor that knows the business … I’d hate to say it’s tied to an individual, in this case I think it is, but I hope to think that reflective of the direction IT audit or internal audit should be going when they start performing IT security reviews.” – Security manager, Institution A
Effect of Auditor’s Lack of IT Knowledge I think in an organization that has a little bit of a stronger IT Audit presence, the IT auditors would be working with people at a lower level; the ones who are actually carrying out the work. – Internal auditor, Institution B We see them and we have a very good working relationship with internal audit. But their focus is typically auditing business process. You know, ‘are things being done right in payroll?’ and ‘Are we handling travel vouchers right?,’ and that kind of stuff. – CISO, Institution B
Communications skills are important • A good IT Auditor should be able to explain what controls are in-scope, and why, prior to the start of testing. With 99% of my interviewees, this is enough to get them on board and most are very receptive to the controls (which they usually hadn’t been previously exposed to). – IT auditor at Institution A • Personally, I feel the IT Security staff (and the IT Support Staff) and I conduct the review together. So long as they’re clear on what I’m testing and why, they are not defensive. I’d say that they consider us a force for good, and not evil. – IT auditor at Institution A
Poor communication can hurt And one of the challenges the audit did not outright say that we needed a security officer, which is sort of the problem because it would have been more helpful if it had. But, the audit reports are never quite that directive. – CITO, Institution D (Note: internal audit outsourced here)
Perceptions of audit’s role are important “I believe the majority of IT Security staff sees us as collaborators, although that was not always the case. In the past they probably considered IA IT Auditing as a nuisance, and based on the skill sets they encountered that would be understandable. In the past, if IA found an issue, the department might experience the recommendation as an unfunded mandate. Now, IA takes stock of the issue and tries to collaborate system-wide to leverage existing resources (i.e., going to the President’s office to get a threat and vulnerability scanning application purchased for all of the campuses; or asking the President’s office to develop a centralized scanning operation so that each campus doesn’t have to create redundant operations).” – IT auditor, Institution A
Trust is important “The trust element is important. … I trust that he’s [IT security] going to tell me … but then he trusts me that I’m [Internal Audit] going to take that information and digest it appropriately. I’m not going to get too excited or I’m not just going to dismiss it…. so there’s that mutual trust factor, which I think is really important. If you’re going to be honest with somebody, you don’t want them to turn around and throw you under the bus. You want them to work with you to fix it. That’s one of the key things is that we are very careful from an audit perspective. We don’t want to throw people under the bus. We want to raise issues and then say “okay, what’s the solution?” … That really emphasizes that partnering and that trust, that we don’t want people to get in trouble, we just want to fix it.” – internal auditor, Institution C
Mutual trust is important “It’s not what I’m familiar with being the traditional IT - audit relationship. We can leverage each other’s expertise and position in the organization to make things happen. A lot of times the IT department will tend to almost hide things from audit because they don’t want to get a black eye and we don’t have that issue here so much…. we have the same goals. … A lot of places that I’ve seen and been, it’s been a game of cat and mouse. The auditors are trying to catch IT doing something, IT is trying to prevent audit from finding out…. It’s not the case here… I trust that he’s [Internal Audit] not out to catch anybody doing anything. He’s out to identify and reduce risk.” – Security Manager, Institution C
Findings – Organizational characteristics
Top management needs to provide the resources ...we did have a staff person in the office that was kind of going down the path of being groomed to be an IT Auditor. Unfortunately, she left to work in industry and since then, budgetary constraints, resource constraints, that’s been the main reason why we haven’t… I think we know that we can’t afford to get an IT audit professional. They would probably want more money than I make as the manager. – Internal auditor, Institution B
Top management needs to be educated I don’t think executive leadership understood quite how costly it would be to fix it … Not simply as a onetime solution, but as an ongoing … as well as, the formalization of policies and practices. … I think there was the assumption that I would go out buy some applications, install and everything would be fine. … There is increasing awareness that is occurring. The behavioral change is glacially slow and so, I see my work right now being to educate at the executive level. – CITO, Institution D
Management can model desired behavior “Our chief auditor and our senior vice president of IT are very much in that partnering mode, they really feel that audit and IT, same thing with our corporate controller, audit and finance, there should be a partnership, and it should not be adversarial. They really try from a very top down approach, to get all the team members to work together, to partner, we are all trying to drive to a good solution and let’s negotiate and work together.” – internal auditor, Institution C
Management can model desired behavior “It’s the relationships. You read about it in trade magazines and you hear about it in seminars and it really is about the relationships and I’ve seen that demonstrated at [Institution C] better than any place I’ve been in the past….That’s the most important thing from the workforce point of view. When they see that demonstrated up high, that’s how they follow suit. They watch this, and then they know that’s the expectation and it’s pretty effortless here. People partner and just get along well with the same goal in mind. It shows.” – Information security manager, Institution C
Regulatory impacts “I do owe a lot of that to Sarbanes Oxley and when they see they could be held criminally liable. Say what you will about the regulations they have really helped the IT security realm because in the past audit has always been fairly well understood. The role of an auditor is clear. But information security hasn’t been. It’s always been identified as hacker deterrence and monitoring and logging in that up until recently it stepped outside of the operational, and really outside of the IT realm and more into a business partnership. That’s why I like the role here, it’s evolving …” – IT security manager, Institution C
Findings – benefits of collaboration
Benefits: audit’s view I know all of the campus ISOs [information security officers] and some of their support staff. The relationship adds value by ensuring that the IT Audits are taking into account high risk areas, as perceived by the ISOs. – IT auditor, Institution A
Benefits: audit’s view I think the partnership kind of helps with that escalation [of information security procedures], because internal audit, we report directly to the CEO and so ...we can be an avenue to escalate appropriately while still maintaining independence and obviously trying not to get into any of the politics among different people’s competing agendas. – internal auditor, Institution C
Benefits: security’s view … we’ve just realized we have a codependent relationship. It’s been very positive… a real big benefit to us achieving a lot of the goals we have from an information security perspective.... and we are going to begin reinforcing the importance of change control. And more importantly the importance of completed documentation as part of change control for the deployment of new services and we are going to strongly reinforce through internal audit reports… – CISO, Institution A
Benefits: security’s view Then we were able to implement blocking. Whereas IT before struggled because it was just IT being the network police, but once audit and legal partnered and said this absolutely has to stop, here’s where you’re violating, here’s what the potential risk is, it really wasn’t that hard. We still got a lot of pushback, and we do periodically. We’ve implemented encryption as well. If they’re in an authorized group they can send it, it will just encrypt it before it goes. Audit was just huge in that I don’t think IT would have been able to enforce it like that without that realistic, again seen more of a business partner than IT is; we’re more of a supporting role. Audit was that voice of reason that said you can’t do this and here’s why, instead of IT just saying bad bits leaving the environment. It made sense when audit said it. – IT security manager, Institution C
Benefits: security’s view If I’m just being the IT network police, and I have to get [name of internal auditor] and he goes in there with a suit and says here’s why you don’t want to do this. They just usually put their tail between their legs. – IT security manager, Institution C
Benefits: security’s view A lot of times because I see more of the IT side of things, I don’t get the full view of the procedure on how people are placed into the roles that they’re in. [name of auditor] sees, I mean, he’ll talk with accounting at a deeper level than I do as an IT focus person, and somebody may have multiple group memberships that sort of nest or inherit permissions from a higher group or from another group and [name] understands how that happened. … We just see it; IT sees it as, a group of memberships. [auditor] understands that, who really belongs in certain groups based on, because IT doesn’t determine who gets access, we’re just the custodians of the data and information. The system owners really determine who has the access, so [auditor name] sheds that insight on there, that I don’t glancing at a screen, I don’t pick it up all the time, because it’s groups, users, resources and they’re not always named as you would expect. – IT security manager, Institution C
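The nested-membership problem the security manager describes above, as an added illustration that is not part of the presentation or the study: expand group nesting to the users who actually reach a resource, keep the inheritance chain that a directory screen does not show, and compare the result with the access list the system owner (not IT) has approved. All group, user and resource names are constructed sample data.

```python
"""Expand nested group memberships into effective access and flag users
the system owner never approved.  Constructed sample data throughout."""
from collections import deque

# Constructed directory data: a group's members may be users or other groups.
GROUP_MEMBERS = {
    "gl_posting": ["fin_staff", "jdoe"],        # grants posting rights
    "fin_staff": ["fin_ap", "fin_ar", "asmith"],
    "fin_ap": ["bjones", "it_helpdesk"],        # support group nested inside finance
    "fin_ar": ["cwu"],
    "it_helpdesk": ["dlee", "it_helpdesk"],     # self-reference: must not loop forever
}

# Constructed resource ACL: resource -> groups granted access.
RESOURCE_ACL = {"general_ledger": ["gl_posting"]}

# Constructed approval list from the system owner (the business side), not IT.
APPROVED = {"general_ledger": {"jdoe", "asmith", "bjones", "cwu"}}


def expand_group(group, members=GROUP_MEMBERS):
    """Return {user: path} for every user reachable from `group` through any
    depth of nesting.  `path` is the chain of groups the permission was
    inherited through; anything that is not a group key is treated as a user."""
    users, seen, queue = {}, {group}, deque([(group, [group])])
    while queue:
        g, path = queue.popleft()
        for m in members.get(g, []):
            if m in members:                     # nested group
                if m not in seen:                # guards against cycles and re-visits
                    seen.add(m)
                    queue.append((m, path + [m]))
            elif m not in users:                 # keep the first (shortest) path found
                users[m] = path
    return users


def effective_access(acl=RESOURCE_ACL, members=GROUP_MEMBERS):
    """Map each resource to {user: inheritance path} across all granted groups."""
    result = {}
    for resource, groups in acl.items():
        result[resource] = {}
        for g in groups:
            for user, path in expand_group(g, members).items():
                result[resource].setdefault(user, path)
    return result


def unapproved_access(approved=APPROVED, acl=RESOURCE_ACL, members=GROUP_MEMBERS):
    """The audit finding: users with effective access the owner did not approve,
    each with the nesting chain that explains how they got it."""
    findings = {}
    for resource, users in effective_access(acl, members).items():
        extra = {u: p for u, p in users.items() if u not in approved.get(resource, set())}
        if extra:
            findings[resource] = extra
    return findings


if __name__ == "__main__":
    for resource, users in unapproved_access().items():
        for user, path in users.items():
            print(f"{resource}: {user} via {' -> '.join(path)}")
```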
Summary: Potential benefits of collaboration • From security’s point of view • Overcome user resistance to security policies • Better understanding of necessary controls • From audit’s point of view • Improved risk management • Improved audit focus on higher risk areas
Summary
Outcome – research model
Questions?