Auditing Organizational Information Assurance (IA) Governance Practices
Mansoor Faridi
Fort Hays State University
July 23, 2014
Table of Contents
Introduction
Proposed Concept
Review Approaches
Review of Feasibility
Conclusion
References
Introduction
This concept paper evaluates the feasibility of conducting a formal scientific study to
audit an organization's information assurance governance practices. In today's computing
environment, it is paramount to have sophisticated controls in place to safeguard organizational
information while ensuring its Confidentiality, Integrity, Availability and Non-Repudiation.
Research indicates that in the absence of a robust security program, organizations expose
themselves to data breaches (“Open Security,” 2014), resulting in eroding shareholder
confidence, litigation and possible financial collapse.
Auditing an organization's information assurance governance practices will identify
opportunities for improvement and provide an independent and objective assessment of the
effectiveness of those practices. It will also enable the organization to comply with
regulatory requirements, increase stakeholder confidence and strengthen its security posture
in the face of numerous threats (“Ponemon,” 2013).
As part of governance, it will be management's responsibility to engage either internal or
external auditors to develop and execute an audit program evaluating internal controls relating
to the organization's information assurance governance practices. Leveraging leading industry
frameworks (Arora, 2013; “SOX-Online,” 2012) such as COBIT, COSO, NIST, ITIL and
ISO 27002, the audit program will assess organizational information assurance governance
practices; its scope will include data governance, incident response, user-training and
attestation, and periodic reviews. Finally, a conclusion will be drawn to determine the feasibility
of auditing an organization's information assurance governance practices.
Proposed Concept
As more and more data is digitized, organizational risk exposure increases accordingly.
Globally, forty percent of the largest data breaches recorded occurred in 2013 (“Online Trust,”
2014, p. 4). Hence, it becomes critical to maintain proactive vigilance over the organization's
internal controls over information assurance via a formal audit program. The audit program will
be developed after performing a comprehensive risk assessment (“United Kingdom,” 2004, p. 3)
to identify risks (see Appendices A & B) within the four aforementioned areas. Subsequently, as
per the organization's risk management strategy, each risk will be accepted, mitigated,
transferred or avoided (“United Kingdom,” 2004, p. 24). Upon completion of the risk
assessment, the audit program will be implemented to assess the effectiveness of internal
controls. The following is a list of areas and the scope of audit coverage over internal controls:
Data governance
Is there a standard procedure for user-access provision?
Is user-access periodically validated?
Is data custody and ownership defined?
Is data access logged and monitored?
Is data classified indicating sensitivity and storage location?
Is data retention policy defined?
Incident response
Are there protocols in place in case of a data breach?
Is there a communication/notification plan?
Is there effective coordination between key stakeholders and support personnel?
Are there disaster recovery and business continuity plans in place?
User-training & attestation
Are users educated on their roles and expectations via the information security policy,
seminars, online training, informational videos, brochures, etc.?
Are users required to attest to their participation in mandatory online training?
Periodic reviews
Was vulnerability testing performed?
Was penetration testing performed?
Was system hardening performed?
Was the evidence of this testing reviewed, approved and archived for audit purposes?
The design of internal controls in the above areas will be examined, and the controls tested
for operating effectiveness over a period of time. Once the audit is concluded, management will
be provided with a formal audit report detailing ineffective controls, the risk(s) posed and their
impact, along with audit recommendations to bridge the identified gaps. Management will then
review, approve and accept the audit report with a formal sign-off. The review approaches for
these areas are discussed in detail in the next section.
Review Approaches
This section describes the audit program's review approaches, which will test internal
controls relating to data governance, incident response, user-training and periodic reviews. The
program will determine the design and operating effectiveness of internal controls as follows:
Data governance
By examining relevant documentation, it will be determined whether there is a standard
procedure for provisioning user access that requires the data owner to approve the requested
access and the data custodian to provision it. Alignment of data ownership and data custody
will also be verified by reviewing documents detailing roles and responsibilities. Ownership
and custody are assigned to different roles for segregation of duties (“Separation of,” 2014),
so the same individual should never both approve and provision an access request. It will
also be determined whether access was granted on the principle of least privilege (Langford,
2003), that is, whether the permission actually provisioned does not exceed what was requested
and approved, and whether user access is logged and monitored each time data is accessed
or modified. Data classification will be examined to confirm that it indicates data
sensitivity, storage location and log details (“Online Trust,” 2014, p. 10). Furthermore, the
data retention policy will be reviewed to determine whether data is destroyed when no longer
required, as per the data management lifecycle and the prevailing legislation in effect
(“Retention Period,” 2014). The above controls relate to the capability to protect
organizational data from unauthorized access and to access logs that tie each access or
modification to an identified user; they therefore support both the Confidentiality and the
Non-Repudiation aspects of information assurance governance practices.
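The access-provisioning tests described above (owner approval, custodian provisioning, segregation of duties, least privilege and periodic validation of access) can be run mechanically over extracted records. The following is an added example written for this page, not code from the paper or from any of the cited frameworks; the register and provisioning records are constructed, and the field names, permission ranks and 90-day recertification window are assumptions.

```python
"""Added example: automated tests an auditor might run over extracted
access records to support the data-governance review. All input data is
constructed for illustration; field names, thresholds and helper names
are assumptions, not the paper's."""
from datetime import date

# Constructed data-ownership register. Owner and custodian should differ
# (segregation of duties) and only the owner may approve access.
REGISTER = {
    "payroll":  {"owner": "cfo",    "custodian": "dba01",  "classification": "confidential"},
    "hr_files": {"owner": "hr_dir", "custodian": "hr_dir", "classification": "confidential"},  # SoD defect
    "intranet": {"owner": "comms",  "custodian": "sysadm", "classification": "internal"},
}

# Constructed provisioning records; "requested" is the approved permission,
# "granted" is what the custodian actually provisioned.
ACCESS = [
    {"user": "alice", "dataset": "payroll",  "requested": "read", "granted": "read",
     "approved_by": "cfo",    "provisioned_by": "dba01",  "last_used": date(2014, 7, 1)},
    {"user": "bob",   "dataset": "payroll",  "requested": "read", "granted": "write",
     "approved_by": "cfo",    "provisioned_by": "dba01",  "last_used": date(2014, 6, 15)},
    {"user": "carol", "dataset": "payroll",  "requested": "read", "granted": "read",
     "approved_by": "dba01",  "provisioned_by": "dba01",  "last_used": date(2014, 7, 10)},
    {"user": "dave",  "dataset": "intranet", "requested": "read", "granted": "read",
     "approved_by": "comms",  "provisioned_by": "sysadm", "last_used": date(2013, 12, 1)},
    {"user": "erin",  "dataset": "hr_files", "requested": "read", "granted": "read",
     "approved_by": "hr_dir", "provisioned_by": "hr_dir", "last_used": date(2014, 7, 20)},
]

PERMISSION_RANK = {"none": 0, "read": 1, "write": 2, "admin": 3}  # assumed ordering
STALE_DAYS = 90                                                  # assumed recertification window
AS_OF = date(2014, 7, 23)                                        # audit fieldwork date (assumed)


def audit_register(register):
    """Control test: data ownership and custody must sit with different roles."""
    return [f"{ds}: owner and custodian are the same role ({r['owner']})"
            for ds, r in register.items() if r["owner"] == r["custodian"]]


def audit_access(access, register, as_of):
    """Control tests over each provisioning record; one finding string per defect."""
    findings = []
    for rec in access:
        who = f"{rec['user']}@{rec['dataset']}"
        ds = register.get(rec["dataset"])
        if ds is None:
            findings.append(f"{who}: dataset not in ownership register")
            continue
        # Approval must come from the registered data owner.
        if rec["approved_by"] != ds["owner"]:
            findings.append(f"{who}: approved by {rec['approved_by']}, not data owner {ds['owner']}")
        # Provisioning must be done by the registered custodian.
        if rec["provisioned_by"] != ds["custodian"]:
            findings.append(f"{who}: provisioned by {rec['provisioned_by']}, not custodian {ds['custodian']}")
        # Segregation of duties: approver and provisioner may not be the same person.
        if rec["approved_by"] == rec["provisioned_by"]:
            findings.append(f"{who}: approver and provisioner are the same person")
        # Least privilege: granted permission may not exceed the approved one.
        if PERMISSION_RANK[rec["granted"]] > PERMISSION_RANK[rec["requested"]]:
            findings.append(f"{who}: granted {rec['granted']} exceeds approved {rec['requested']} (least privilege)")
        # Periodic validation: access unused beyond the window must be recertified or revoked.
        idle = (as_of - rec["last_used"]).days
        if idle > STALE_DAYS:
            findings.append(f"{who}: unused for {idle} days, recertify or revoke")
    return findings


if __name__ == "__main__":
    for line in audit_register(REGISTER) + audit_access(ACCESS, REGISTER, AS_OF):
        print(line)
```

Each string returned is a candidate audit finding that must then be traced back to the approval form, provisioning ticket and access log that the auditor keeps as evidence; the script only tells the auditor where to look, it does not replace the documentary review.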
Incident response
By examining the communication/notification plan, it will be determined whether
protocols are in place in case of a data breach. Evidence of effective coordination between
organizational stakeholders and external support personnel (e.g., law enforcement) will
be assessed on the basis of periodic joint exercises simulating emergency drills. These drills
will be confirmed by reviewing detailed reports listing date, time, venue, simulated
scenario(s) and participants.
In addition, evidence relating to the exercise of the Disaster Recovery Plan (DRP)
and Business Continuity Plan (BCP) will also be examined (“United Kingdom,” 2004, p.
35). The departments concerned will be expected to produce satisfactory evidence of
successful completion of the drill and of any issues encountered. Since this area
concerns the system's capability to provide access to network resources and data despite
disruptive events or conditions, the above controls satisfy the Availability aspect of
information assurance governance practices.
User-training & attestation
Users will be expected to play a critical role in supporting the organization's
information assurance governance practices. They will be expected to participate in both
formal and informal learning activities (see Figure 1) across awareness, literacy, training
and education sessions (“United Kingdom,” 2004, p. 37). Each phase will comprise various
activities, some of which will be audited. After completing each activity, users will be
issued a certificate of completion, the record of which will be verified during the audit
examination. For sampled users, the record of completion for the various activities will be
compared against the established benchmark to determine whether the minimum number of
users have completed the mandatory training that enables them to effectively safeguard
organizational assets against possible abuse or misuse.
Figure 1. Information assurance learning continuum (Maconachy, Schou, Ragsdale, & Welch,
2001)
Finally, a user listing will be produced noting users whose compliance with mandatory
training falls below the acceptable threshold. Each such user's manager will then be
notified and will be responsible for ensuring that the user successfully completes all
required training sessions within an agreed-upon timeframe. Records of all completed
training and audit activities will be examined to close audit findings, if any. This area
emphasizes the user education continuum, preparing users to ensure that the organizational
system is capable of providing services and processing data with the assurance that it is
accurate and uncorrupted. This satisfies the Integrity aspect of information assurance
governance.
Periodic reviews
The record of system vulnerability testing will be examined to determine whether any gaps
exist. (Based on the vulnerability testing results, administrators are expected to close the
gaps by remediating the reported findings; this is referred to here as system hardening.)
Subsequently, the results of system hardening will also be examined to determine whether
any gaps remain. Where gaps were reported, the auditor will verify their successful closure,
which requires both a re-test showing that the finding no longer reproduces and an archived,
approved remediation record; a finding that merely disappears from a re-scan without such a
record is not accepted as a controlled closure. The audit will also examine the results of
external penetration testing, which will help determine whether any further gaps need to be
addressed.
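The closure verification described above is a reconciliation of three records: the baseline scan, the remediation tickets with their sign-off and archived evidence, and the re-scan. The following is an added example written for this page, not code from the paper or from any scanning tool; the finding identifiers, hosts, ticket fields and change-record references are all constructed.

```python
"""Added example: reconciling a vulnerability-testing baseline against
remediation records and a re-scan to verify that reported gaps were
closed with archived, approved evidence. All records are constructed;
finding identifiers and field names are assumptions."""

# Constructed baseline scan: one row per (host, finding id).
BASELINE = [
    {"id": "F-001", "host": "web01", "title": "weak TLS cipher suites enabled",       "severity": "high"},
    {"id": "F-002", "host": "web01", "title": "default admin page reachable",         "severity": "medium"},
    {"id": "F-003", "host": "db01",  "title": "database listening on all interfaces", "severity": "high"},
    {"id": "F-004", "host": "db01",  "title": "verbose service banner",               "severity": "low"},
]

# Constructed re-scan after hardening: F-002 reproduced, F-005 is new.
RESCAN = [
    {"id": "F-002", "host": "web01", "title": "default admin page reachable", "severity": "medium"},
    {"id": "F-005", "host": "web01", "title": "directory listing enabled",    "severity": "medium"},
]

# Constructed remediation tickets. approved_by and evidence_ref are the
# management sign-off and archived change record the auditor expects to see.
TICKETS = {
    "F-001": {"status": "closed", "approved_by": "it_mgr", "evidence_ref": "CHG-2014-031"},
    "F-002": {"status": "closed", "approved_by": "it_mgr", "evidence_ref": "CHG-2014-032"},
    "F-003": {"status": "closed", "approved_by": None,     "evidence_ref": None},
    # F-004 has no ticket at all
}

CLOSED = "closed"


def _key(finding):
    return (finding["host"], finding["id"])


def verify_closure(baseline, rescan, tickets):
    """Classify every baseline finding; returns {finding id: status text}.
    A finding is a controlled closure only when it is absent from the re-scan
    AND has a closed ticket carrying approval and an archived evidence reference."""
    reproduced = {_key(f) for f in rescan}
    status = {}
    for f in baseline:
        ticket = tickets.get(f["id"])
        present = _key(f) in reproduced
        if present and ticket and ticket["status"] == "closed":
            status[f["id"]] = "recurring: ticket closed but finding reproduced on re-scan"
        elif present:
            status[f["id"]] = "open: not remediated"
        elif ticket is None:
            status[f["id"]] = "absent from re-scan but no remediation record; not accepted as closed"
        elif not (ticket["approved_by"] and ticket["evidence_ref"]):
            status[f["id"]] = "absent from re-scan but missing approval or archived evidence"
        else:
            status[f["id"]] = CLOSED
    return status


def new_findings(baseline, rescan):
    """Findings first seen on the re-scan; each starts a new remediation cycle."""
    known = {b["id"] for b in baseline}
    return sorted(f["id"] for f in rescan if f["id"] not in known)


def audit_findings(status, baseline):
    """Everything that is not a controlled closure becomes an audit finding,
    ordered highest severity first (stable within a severity level)."""
    severity = {b["id"]: b["severity"] for b in baseline}
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(((fid, severity[fid], text) for fid, text in status.items() if text != CLOSED),
                  key=lambda t: order[t[1]])


if __name__ == "__main__":
    st = verify_closure(BASELINE, RESCAN, TICKETS)
    for fid, sev, text in audit_findings(st, BASELINE):
        print(f"{fid} [{sev}] {text}")
    print("new on re-scan:", new_findings(BASELINE, RESCAN))
```

Note the two non-obvious outcomes: a finding that no longer reproduces is still reported when its ticket lacks approval or an evidence reference, and a finding whose ticket is closed but which reproduces on the re-scan is reported as recurring rather than open, since it points at a defective change process rather than at a missed task.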
Where the organization depends on a service organization for its computing needs, the
vendor will be requested to produce a service auditor's report under Statement on Standards
for Attestation Engagements (SSAE) No. 16 to determine whether all controls relating to the
data center are designed appropriately and operated effectively over a period of time
(“SSAE 16,” 2014). It is important to note that when the organization engages a third-party
vendor for its computing needs, its responsibility for governing security is not removed, it
is merely different (Kirkpatrick, 2011).
Note that an SSAE 16 Type I report covers only the design of controls at a given point
in time, whereas a Type II report covers both the design of controls and their operating
effectiveness over a period of time; for the purpose above, only a Type II report provides the
required evidence.
All of the controls detailed above will be examined in detail, and documentary evidence will
be expected to bear management review and sign-off. Absence of documentary evidence relating to
the activities, tasks or review and sign-off will lead to audit finding(s). Audits will be planned
as per the audit schedule and performed on a periodic basis.
Review of Feasibility
Management and stakeholder support (Anhal, 2002) is the main criterion for any governance
program to be successful. This section discusses the feasibility of the concept presented, to
determine whether it is feasible to conduct a formal scientific study to audit an organization's
information assurance governance practices.
Feasibility is ascertained by breaking down the main concept into four governance areas
and then listing the critical operational activities aligned with each of these areas. Each
activity also lists the internal controls that ensure its governance at a more granular level.
Subsequently, the review approaches relevant to each activity are listed along with the
corresponding audit activities.
The review approach describes the evidence to be examined for each internal control. It is
also meant to assess the design and implementation of internal controls and to comment on their
operating effectiveness over a period of time.
In summary, based on the methodology presented above, it is feasible to audit an
organization's information assurance governance practices.
Conclusion
This concept paper evaluates the feasibility of conducting a formal scientific study to
audit an organization's information assurance governance practices. Four critical areas (data
governance, incident response, user-training and attestation, and periodic reviews) are examined
to assess their suitability for inclusion in this study. The Confidentiality, Integrity, Availability
and Non-Repudiation aspects of information assurance are also reviewed in this context.
Corresponding review approaches for the internal controls aligned with each area are also
discussed. Based on this discussion in conjunction with the review approaches, there is ample
support for the feasibility of auditing an organization's information assurance governance
practices.
References
Anhal, A. (2002). Information assurance and corporate governance: Engaging senior management. SC Magazine. Retrieved July 22, 2014, from http://www.scmagazine.com/information-assurance-and-corporate-governance-engaging-senior-management/article/30725/
Arora, V. (2013). Comparing different information security standards: COBIT vs. ISO 27001. Unpublished manuscript, Carnegie Mellon University, Doha, Qatar.
Jaspal, S. (2011). Fraud symptom 10 – Lapses in information assurance. Sonia Jaspal's RiskBoard. Retrieved July 22, 2014, from http://soniajaspal.wordpress.com/2011/09/30/fraud-symptom-10-lapses-in-information-assurance/
Kirkpatrick, J. (2011). Governance in the cloud. ISACA Journal, 5, 1-2. Retrieved July 22, 2014, from http://www.isaca.org/Journal/Past-Issues/2011/Volume-5/Documents/11v5-Governance-in-the-Cloud.pdf
Langford, J. (2003). Implementing least privilege at your enterprise. SANS Institute InfoSec Reading Room. Retrieved July 22, 2014, from http://www.sans.org/reading-room/whitepapers/bestprac/implementing-privilege-enterprise-1188
Maconachy, W., Schou, C., Ragsdale, D., & Welch, D. (2001). A model for information assurance: An integrated approach. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, US Military Academy, West Point, NY, USA. Retrieved July 22, 2014, from http://it210web.groups.et.byu.net/lectures/MSRW%20Paper.pdf
Online Trust Alliance. (2014). 2014 data protection & breach readiness guide. Retrieved July 22, 2014, from https://otalliance.org/system/files/files/resource/documents/2014otadatabreachguide4.pdf
Open Security Foundation. (2014). Data loss statistics [Data file]. Retrieved July 22, 2014, from http://datalossdb.org/statistics?utf8=%E2%9C%93&timeframe=current_year
Ponemon Institute LLC. (2013). 2013 cost of data breach study: Global analysis. Retrieved July 22, 2014, from http://www.ponemon.org/local/upload/file/2013%20Report%20GLOBAL%20CODB%20FINAL%205-2.pdf
Retention period. (2014). In Wikipedia. Retrieved July 22, 2014, from http://en.wikipedia.org/wiki/Retention_period
Separation of duties. (2014). In Wikipedia. Retrieved July 22, 2014, from http://en.wikipedia.org/wiki/Separation_of_duties
Sherwood, J. (2009). Historical background: Information assurance. SABSA Institute Community Forum. Retrieved July 22, 2014, from http://www.sabsa-institute.com/members/node/19
SOX-online: The vendor-neutral Sarbanes-Oxley site. (2012). Mapping COBIT to other guidance. Retrieved July 22, 2014, from http://www.sox-online.com/cobit_mapping.html
Speed, R. (2011). IT governance and the cloud: Principles and practice for governing adoption of cloud computing. ISACA Journal, 5, 1-6. Retrieved July 22, 2014, from http://www.isaca.org/Journal/Past-Issues/2011/Volume-5/Documents/11v5-IT-Governance-and-the-Cloud-Principles-and-Practice-for-Governing-Adoption-of-Cloud-Computing.pdf
SSAE 16 overview. (2014). Auditing Standards Board. Retrieved July 22, 2014, from http://ssae16.com/SSAE16_overview.html
United Kingdom Cabinet Office. (2004). Information assurance governance framework. Retrieved July 22, 2014, from http://www.sylviterma.com/Portals/0/resources/ia_governance_framework8ddbf733-48c5-4056-807b-42a756dd4b05.pdf