
The Relationship between Internal Audit and Information Security: An Exploratory Investigation

Paul John Steinbart, Arizona State University

Robyn Raschke, University of Nevada – Las Vegas

Graham Gal, University of Massachusetts

William N. Dilla, Iowa State University

© Paul John Steinbart October 21, 2011 University of Waterloo 7th Biennial Symposium on Information Integrity and Information Systems Assurance

Motivation: Security Should be a Team Effort

Diagram: Senior Management, Internal Audit, Information Security

“Two are better than one … A three-fold cord is not quickly broken”

Ecclesiastes 4:10, 12

What COBIT says


PO4.15: “Establish and maintain an optimal co-ordination, communication, and liaison structure between the IT function and various other interests inside and outside the IT function, such as … the corporate compliance group”

PO6.1: “The control environment should be based on a culture that … encourages cross-divisional co-operation and teamwork …”

Reality: Miscommunication & Conflict


… A lot of places that I’ve seen and been, it’s been a game of cat and mouse. The auditors are trying to catch IT doing something, IT is trying to prevent audit from finding out…. – Security manager, institution C

Motivation: fill a gap in the information security research literature

Prior research has investigated:
• Human factors issues regarding security
• “Optimal” investments in information security
• Stock market reactions to news

But, little attention paid to “operational governance” of information security


Research insight – where audit can fit


They define audit control as documentation (systems review) and logging

Internal audit can add value


Diagram: Monitoring Controls, Configuration Controls and Access Controls, each subject to Review by Internal Audit (value added rated in the original figure as +, ++, ++)

“We can’t help [management] design controls or tell them that a control is the right one to have in place, but we can help them to monitor it” – Mary Ann Tourney, director of internal audit for Talecris Biotherapeutic, CFO.com 11/10/2009

Research Method: Exploratory interviews

Goals:

1. Understand practice

2. Identify enablers and inhibitors

3. Develop model and research propositions

Method: Two interviewers per session


Data Set – Educational Institutions


                     Public          Private         For-profit
One campus           Institution B   Institution D
Multiple campuses    Institution A                   Institution C

Interviewees:
• IT security – Institutions A, B, C, D
• Internal audit – Institutions A, B, and C (audit outsourced at D)

• Security not a “deal breaker” as in the defense industry
• Affected by multiple regulations (PCI, HIPAA, GLBA, FERPA)
• Complex set of users: employees, students, faculty


Type: A – Public University; B – Public University; C – Private, for-profit University; D – Private University

Size (approximate number of students): A – 27,000; B – 28,000; C – 19,000; D – 5600

Size (approximate number of faculty): A – 1100; B – 1700; C – 1800; D – 335

Number of campuses: A – 5; B – 1; C – 11; D – 1

Size of IT (staff): A – 200; B – 200; C – 50; D – 50

Number of IT staff dedicated to information security: A – 3; B – 12; C – 1; D – 3

Title of security professional interviewed: A – Information Security Manager; B – Chief Information Security Officer (CISO); C – Security Manager; D – Chief Information Technology Officer (CITO)

Title of internal auditor interviewed: A – IT auditor; B – Internal audit manager; C – Internal Audit Senior Manager; D – None (internal audit function outsourced)

Number of internal audit staff with IT audit expertise: A – 3; B – 0; C – 2; D – N/A

Table 1. Descriptive information about interviewed organizations

Findings

1. Auditor characteristics that affect the relationship with the information security function:
   • IT knowledge
   • Communications skills
   • Role perceptions

2. Organizational factors are also important:
   • Top management support
   • Regulations

3. Cooperation between internal audit and information security benefits both functions


Findings – auditor characteristics


Importance of Auditor’s IT Knowledge

We’ve actually been very fortunate to hire a very competent IT internal auditor. Intimately familiar with ITGC …“[Internal audit’s level of IT knowledge] with recent hires they’ve actually gone substantially better than where they were … we’re fortunate to hire an IT auditor that knows the business … I’d hate to say it’s tied to an individual, in this case I think it is, but I hope to think that’s reflective of the direction IT audit or internal audit should be going when they start performing IT security reviews.” – Security manager, Institution A

Effect of Auditor’s Lack of IT Knowledge

I think in an organization that has a little bit of a stronger IT Audit presence, the IT auditors would be working with people at a lower level; the ones who are actually carrying out the work. – Internal auditor, Institution B

We see them and we have a very good working relationship with internal audit. But their focus is typically auditing business process. You know, ‘are things being done right in payroll?’ and ‘Are we handling travel vouchers right?’, and that kind of stuff. – CISO, Institution B

Communications skills are important

A good IT Auditor should be able to explain what controls are in-scope, and why, prior to the start of testing. With 99% of my interviewees, this is enough to get them on board and most are very receptive to the controls (which they usually hadn’t been previously exposed to). – IT auditor at Institution A

Personally, I feel the IT Security staff (and the IT Support Staff) and I conduct the review together. So long as they’re clear on what I’m testing and why, they are not defensive. I’d say that they consider us a force for good, and not evil. – IT auditor at Institution A


Poor communication can hurt

And one of the challenges the audit did not outright say that we needed a security officer, which is sort of the problem because it would have been more helpful if it had. But, the audit reports are never quite that directive.

- CITO, Institution D

Note: internal audit outsourced here


Perceptions of audit’s role are important

“I believe the majority of IT Security staff sees us as collaborators, although that was not always the case. In the past they probably considered IA IT Auditing as a nuisance, and based on the skill sets they encountered that would be understandable. In the past, if IA found an issue, the department might experience the recommendation as an unfunded mandate. Now, IA takes stock of the issue and tries to collaborate system-wide to leverage existing resources (i.e., going to the President’s office to get a threat and vulnerability scanning application purchased for all of the campuses; or asking the President’s office to develop a centralized scanning operation so that each campus doesn’t have to create redundant operations).” – IT auditor, Institution A


Trust is important

“The trust element is important. … I trust that he’s [IT security] going to tell me … but then he trusts me that I’m [Internal Audit] going to take that information and digest it appropriately. I’m not going to get too excited or I’m not just going to dismiss it…. so there’s that mutual trust factor, which I think is really important. If you’re going to be honest with somebody, you don’t want them to turn around and throw you under the bus. You want them to work with you to fix it. That’s one of the key things is that we are very careful from an audit perspective. We don’t want to throw people under the bus. We want to raise issues and then say “okay, what’s the solution?” … That really emphasizes that partnering and that trust, that we don’t want people to get in trouble, we just want to fix it.” – Internal auditor, Institution C

Mutual trust is important

“It’s not what I’m familiar with being the traditional IT - audit relationship. We can leverage each other’s expertise and position in the organization to make things happen. A lot of times the IT department will tend to almost hide things from audit because they don’t want to get a black eye and we don’t have that issue here so much…. we have the same goals. … A lot of places that I’ve seen and been, it’s been a game of cat and mouse. The auditors are trying to catch IT doing something, IT is trying to prevent audit from finding out…. It’s not the case here… I trust that he’s [Internal Audit] not out to catch anybody doing anything. He’s out to identify and reduce risk.” – Security Manager, Institution C


Findings – Organizational characteristics


Top management needs to provide the resources

...we did have a staff person in the office that was kind of going down the path of being groomed to be an IT Auditor. Unfortunately, she left to work in industry and since then, budgetary constraints, resource constraints, that’s been the main reason why we haven’t… I think we know that we can’t afford to get an IT audit professional. They would probably want more money than I make as the manager.

– Internal auditor, Institution B

Top management needs to be educated

I don’t think executive leadership understood quite how costly it would be to fix it … Not simply as a onetime solution, but as an ongoing … as well as, the formalization of policies and practices. …

I think there was the assumption that I would go out buy some applications, install and everything would be fine. … There is increasing awareness that is occurring. The behavioral change is glacially slow and so, I see my work right now being to educate at the executive level. - CITO, Institution D


Management can model desired behavior

“Our chief auditor and our senior vice president of IT are very much in that partnering mode, they really feel that audit and IT, same thing with our corporate controller, audit and finance, there should be a partnership, and it should not be adversarial. They really try from a very top down approach, to get all the team members to work together, to partner, we are all trying to drive to a good solution and let’s negotiate and work together.” - internal auditor, Institution C


Management can model desired behavior

“It’s the relationships. You read about it in trade magazines and you hear about it in seminars and it really is about the relationships and I’ve seen that demonstrated at [Institution C] better than any place I’ve been in the past….That’s the most important thing from the workforce point of view. When they see that demonstrated up high, that’s how they follow suit. They watch this, and then they know that’s the expectation and it’s pretty effortless here. People partner and just get along well with the same goal in mind. It shows.”

– Information security manager, Institution C


Regulatory impacts

“I do owe a lot of that to Sarbanes Oxley and when they see they could be held criminally liable. Say what you will about the regulations, they have really helped the IT security realm because in the past audit has always been fairly well understood. The role of an auditor is clear. But information security hasn’t been. It’s always been identified as hacker deterrence and monitoring and logging in that up until recently it stepped outside of the operational, and really outside of the IT realm and more into a business partnership. That’s why I like the role here, it’s evolving …” – IT security manager, Institution C


Findings – benefits of collaboration


Benefits: audit’s view

I know all of the campus ISOs [information security officers] and some of their support staff. The relationship adds value by ensuring that the IT Audits are taking into account high risk areas, as perceived by the ISO’s.

– IT auditor, Institution A.


Benefits: audit’s view

I think the partnership kind of helps with that escalation [of information security procedures], because internal audit, we report directly to the CEO and so ...we can be an avenue to escalate appropriately while still maintaining independence and obviously trying not to get into any of the politics among different people’s competing agendas. – Internal auditor, Institution C


Benefits: security’s view

… we’ve just realized we have a codependent relationship. It’s been very positive… a real big benefit to us achieving a lot of the goals we have from an information security perspective.... and we are going to begin reinforcing the importance of change control. And more importantly the importance of completed documentation as part of change control for the deployment of new services and we are going to strongly reinforce through internal audit reports… - CISO, Institution A


Benefits: security’s view

Then we were able to implement blocking. Whereas IT before struggled because it was just IT being the network police, but once audit and legal partnered and said this absolutely has to stop, here’s where you’re violating, here’s what the potential risk is, it really wasn’t that hard. We still got a lot of pushback, and we do periodically. We’ve implemented encryption as well. If they’re in an authorized group they can send it, it will just encrypt it before it goes. Audit was just huge in that I don’t think IT would have been able to enforce it like that without that realistic, again seen more of a business partner than IT is; we’re more of a supporting role. Audit was that voice of reason that said you can’t do this and here’s why, instead of IT just saying bad bits leaving the environment. It made sense when audit said it. – IT security manager, Institution C


Benefits: security’s view

If I’m just being the IT network police, and I have to get [name of internal auditor] and he goes in there with a suit and says here’s why you don’t want to do this. They just usually put their tail between their legs. – IT security manager, Institution C


Benefits: security’s view

A lot of times because I see more of the IT side of things, I don’t get the full view of the procedure on how people are placed into the roles that they’re in. [name of auditor] sees, I mean, he’ll talk with accounting at a deeper level than I do as an IT focus person, and somebody may have multiple group memberships that sort of nest or inherit permissions from a higher group or from another group and [name] understands how that happened. … We just see it; IT sees it as, a group of memberships. [auditor] understands that, who really belongs in certain groups based on, because IT doesn’t determine who gets access, we’re just the custodians of the data and information. The system owners really determine who has the access, so [auditor name] sheds that insight on there, that I don’t glancing at a screen, I don’t pick it up all the time, because it’s groups, users, resources and they’re not always named as you would expect. – IT security manager, Institution C


Summary: Potential benefits of collaboration

From security’s point of view:
• Overcome user resistance to security policies
• Better understanding of necessary controls

From audit’s point of view:
• Improved risk management
• Improved audit focus on higher risk areas


Summary

                         Evidence of positive           Lack of evidence of positive
                         synergistic relationship       synergistic relationship
Institutions             A, C                           B, D
Nature                   Public and for-profit;         Public and private;
                         both have multiple campuses    only one campus
Auditor IT knowledge     High                           Low
Auditor role             Partner, collaborator          ??
Formal relationship      Close                          Separate or outsourced
Top management support   High at C                      Low


Outcome – research model


Research model (diagram in the original). Constructs shown: Internal Audit’s Level of IT Knowledge; Internal Audit’s Communication Skills; Internal Audit’s Attitude; Top Management Support; Organizational Characteristics; Depth of Relationship between Internal Audit and Information Security; Benefits of Collaboration between Internal Audit and Information Security. Proposition labels P5 and P6 appear in the figure.

Questions?
