The Relationship between Internal Audit and Information Security: An Exploratory Investigation
Paul John Steinbart, Arizona State University
Robyn Raschke, University of Nevada – Las Vegas
Graham Gal, University of Massachusetts
William N. Dilla, Iowa State University
© Paul John Steinbart October 21, 2011 University of Waterloo 7th Biennial Symposium on Information Integrity and Information Systems Assurance
Motivation: Security Should be a Team Effort
Diagram: Senior Management, Internal Audit, Information Security
“Two are better than one … A three-fold cord is not quickly broken”
Ecclesiastes 4:10, 12
What COBIT says
PO4.15: “Establish and maintain an optimal co-ordination, communication, and liaison structure between the IT function and various other interests inside and outside the IT function, such as … the corporate compliance group”
PO6.1: “The control environment should be based on a culture that … encourages cross-divisional co-operation and teamwork …”
Reality: Miscommunication & Conflict
… A lot of places that I’ve seen and been, it’s been a game of cat and mouse. The auditors are trying to catch IT doing something, IT is trying to prevent audit from finding out…. – Security manager, institution C
Motivation: fill a gap in the information security research literature
Prior research has investigated:
- Human factors issues regarding security
- “Optimal” investments in information security
- Stock market reactions to news
But, little attention paid to “operational governance” of information security
Research insight – where audit can fit
They define audit control as documentation (systems review) and logging
Internal audit can add value
Diagram: Monitoring Controls, Configuration Controls, Access Controls, Review by Internal Audit
“We can’t help [management] design controls or tell them that a control is the right one to have in place, but we can help them to monitor it” – Mary Ann Tourney, director of internal audit for Talecris Biotherapeutic, CFO.com 11/10/2009
Research Method: Exploratory interviews
Goals:
1. Understand practice
2. Identify enablers and inhibitors
3. Develop model and research propositions
Method: Two interviewers per session
Data Set – Educational Institutions
|                   | Public        | Private       | For-Profit    |
| One campus        | Institution B | Institution D |               |
| Multiple campuses | Institution A |               | Institution C |
Interviewees:
- IT security – Institutions A, B, C, D
- Internal audit – Institutions A, B, and C (audit outsourced at D)
• Security not a “deal breaker” as in the defense industry
• Affected by multiple regulations (PCI, HIPAA, GLBA, FERPA)
• Complex set of users: employees, students, faculty
|                                                        | Institution A                | Institution B                           | Institution C                  | Institution D                             |
| Type                                                   | Public University            | Public University                       | Private, for-profit University | Private University                        |
| Size (approximate number of students)                  | 27,000                       | 28,000                                  | 19,000                         | 5600                                      |
| Size (approximate number of faculty)                   | 1100                         | 1700                                    | 1800                           | 335                                       |
| Number of campuses                                     | 5                            | 1                                       | 11                             | 1                                         |
| Size of IT (staff)                                     | 200                          | 200                                     | 50                             | 50                                        |
| Number of IT staff dedicated to information security   | 3                            | 12                                      | 1                              | 3                                         |
| Title of security professional interviewed             | Information Security Manager | Chief Information Security Officer (CISO) | Security Manager             | Chief Information Technology Officer (CITO) |
| Title of internal auditor interviewed                  | IT auditor                   | Internal audit manager                  | Internal Audit Senior Manager  | None – internal audit function outsourced |
| Number of internal audit staff with IT audit expertise | 3                            | 0                                       | 2                              | N/A                                       |
Table 1. Descriptive information about interviewed organizations
Findings
1. Auditor characteristics that affect the relationship with the information security function:
   - IT knowledge
   - Communications skills
   - Role perceptions
2. Organizational factors are also important:
   - Top management support
   - Regulations
3. Cooperation between internal audit and information security benefits both functions
Findings – auditor characteristics
Importance of Auditor’s IT Knowledge
“We’ve actually been very fortunate to hire a very competent IT internal auditor. Intimately familiar with ITGC …”
“[Internal audit’s level of IT knowledge] with recent hires they’ve actually gone substantially better than where they were … we’re fortunate to hire an IT auditor that knows the business … I’d hate to say it’s tied to an individual, in this case I think it is, but I hope to think that reflective of the direction IT audit or internal audit should be going when they start performing IT security reviews.” – Security manager, Institution A
Effect of Auditor’s Lack of IT Knowledge
I think in an organization that has a little bit of a stronger IT Audit presence, the IT auditors would be working with people at a lower level; the ones who are actually carrying out the work. – Internal auditor, Institution B
We see them and we have a very good working relationship with internal audit. But their focus is typically auditing business process. You know, ‘are things being done right in payroll?’ and ‘Are we handling travel vouchers right?,’ and that kind of stuff. – CISO, Institution B
Communications skills are important
A good IT Auditor should be able to explain what controls are in-scope, and why, prior to the start of testing. With 99% of my interviewees, this is enough to get them on board and most are very receptive to the controls (which they usually hadn’t been previously exposed to). – IT auditor at Institution A
Personally, I feel the IT Security staff (and the IT Support Staff) and I conduct the review together. So long as they’re clear on what I’m testing and why, they are not defensive. I’d say that they consider us a force for good, and not evil. – IT auditor at Institution A
Poor communication can hurt
“And one of the challenges the audit did not outright say that we needed a security officer, which is sort of the problem because it would have been more helpful if it had. But, the audit reports are never quite that directive.” – CITO, Institution D
Note: internal audit outsourced here
Perceptions of audit’s role are important
“I believe the majority of IT Security staff sees us as collaborators, although that was not always the case. In the past they probably considered IA IT Auditing as a nuisance, and based on the skill sets they encountered that would be understandable. In the past, if IA found an issue, the department might experience the recommendation as an unfunded mandate. Now, IA takes stock of the issue and tries to collaborate system-wide to leverage existing resources (i.e., going to the President’s office to get a threat and vulnerability scanning application purchased for all of the campuses; or asking the President’s office to develop a centralized scanning operation so that each campus doesn’t have to create redundant operations).” – IT auditor, Institution A
Trust is important
“The trust element is important. … I trust that he’s [IT security] going to tell me … but then he trusts me that I’m [Internal Audit] going to take that information and digest it appropriately. I’m not going to get too excited or I’m not just going to dismiss it…. so there’s that mutual trust factor, which I think is really important. If you’re going to be honest with somebody, you don’t want them to turn around and throw you under the bus. You want them to work with you to fix it. That’s one of the key things is that we are very careful from an audit perspective. We don’t want to throw people under the bus. We want to raise issues and then say “okay, what’s the solution?” … That really emphasizes that partnering and that trust, that we don’t want people to get in trouble, we just want to fix it.” – Internal auditor, Institution C
Mutual trust is important
“It’s not what I’m familiar with being the traditional IT - audit relationship. We can leverage each other’s expertise and position in the organization to make things happen. A lot of times the IT department will tend to almost hide things from audit because they don’t want to get a black eye and we don’t have that issue here so much…. we have the same goals. … A lot of places that I’ve seen and been, it’s been a game of cat and mouse. The auditors are trying to catch IT doing something, IT is trying to prevent audit from finding out…. It’s not the case here… I trust that he’s [Internal Audit] not out to catch anybody doing anything. He’s out to identify and reduce risk.” – Security Manager, Institution C
Findings – Organizational characteristics
Top management needs to provide the resources
“...we did have a staff person in the office that was kind of going down the path of being groomed to be an IT Auditor. Unfortunately, she left to work in industry and since then, budgetary constraints, resource constraints, that’s been the main reason why we haven’t… I think we know that we can’t afford to get an IT audit professional. They would probably want more money than I make as the manager.” – Internal auditor, Institution B
Top management needs to be educated
I don’t think executive leadership understood quite how costly it would be to fix it … Not simply as a one-time solution, but as an ongoing … as well as, the formalization of policies and practices. …
I think there was the assumption that I would go out, buy some applications, install, and everything would be fine. … There is increasing awareness that is occurring. The behavioral change is glacially slow and so, I see my work right now being to educate at the executive level. – CITO, Institution D
Management can model desired behavior
“Our chief auditor and our senior vice president of IT are very much in that partnering mode, they really feel that audit and IT, same thing with our corporate controller, audit and finance, there should be a partnership, and it should not be adversarial. They really try from a very top down approach, to get all the team members to work together, to partner, we are all trying to drive to a good solution and let’s negotiate and work together.” - internal auditor, Institution C
Management can model desired behavior
“It’s the relationships. You read about it in trade magazines and you hear about it in seminars and it really is about the relationships and I’ve seen that demonstrated at [Institution C] better than any place I’ve been in the past….That’s the most important thing from the workforce point of view. When they see that demonstrated up high, that’s how they follow suit. They watch this, and then they know that’s the expectation and it’s pretty effortless here. People partner and just get along well with the same goal in mind. It shows.”
– Information security manager, Institution C
Regulatory impacts
“I do owe a lot of that to Sarbanes Oxley and when they see they could be held criminally liable. Say what you will about the regulations they have really helped the IT security realm because in the past audit has always been fairly well understood. The role of an auditor is clear. But information security hasn’t been. It’s always been identified as hacker deterrence and monitoring and logging in that up until recently it stepped outside of the operational, and really outside of the IT realm and more into a business partnership. That’s why I like the role here, it’s evolving …” – IT security manager, Institution C
Findings – benefits of collaboration
Benefits: audit’s view
I know all of the campus ISOs [information security officers] and some of their support staff. The relationship adds value by ensuring that the IT Audits are taking into account high risk areas, as perceived by the ISO’s.
– IT auditor, Institution A.
Benefits: audit’s view
I think the partnership kind of helps with that escalation [of information security procedures], because internal audit, we report directly to the CEO and so ...we can be an avenue to escalate appropriately while still maintaining independence and obviously trying not to get into any of the politics among different people’s competing agendas. – Internal auditor, Institution C
Benefits: security’s view
… we’ve just realized we have a codependent relationship. It’s been very positive… a real big benefit to us achieving a lot of the goals we have from an information security perspective.... and we are going to begin reinforcing the importance of change control. And more importantly the importance of completed documentation as part of change control for the deployment of new services and we are going to strongly reinforce through internal audit reports… - CISO, Institution A
Benefits: security’s view
Then we were able to implement blocking. Whereas IT before struggled because it was just IT being the network police, but once audit and legal partnered and said this absolutely has to stop, here’s where you’re violating, here’s what the potential risk is, it really wasn’t that hard. We still got a lot of pushback, and we do periodically. We’ve implemented encryption as well. If they’re in an authorized group they can send it, it will just encrypt it before it goes. Audit was just huge in that I don’t think IT would have been able to enforce it like that without that realistic, again seen more of a business partner than IT is; we’re more of a supporting role. Audit was that voice of reason that said you can’t do this and here’s why, instead of IT just saying bad bits leaving the environment. It made sense when audit said it. – IT security manager, Institution C
Benefits: security’s view
If I’m just being the IT network police, and I have to get [name of internal auditor] and he goes in there with a suit and says here’s why you don’t want to do this. They just usually put their tail between their legs. – IT security manager, Institution C
Benefits: security’s view
A lot of times because I see more of the IT side of things, I don’t get the full view of the procedure on how people are placed into the roles that they’re in. [name of auditor] sees, I mean, he’ll talk with accounting at a deeper level than I do as an IT focus person, and somebody may have multiple group memberships that sort of nest or inherit permissions from a higher group or from another group and [name] understands how that happened. … We just see it; IT sees it as, a group of memberships. [auditor] understands that, who really belongs in certain groups based on, because IT doesn’t determine who gets access, we’re just the custodians of the data and information. The system owners really determine who has the access, so [auditor name] sheds that insight on there, that I don’t glancing at a screen, I don’t pick it up all the time, because it’s groups, users, resources and they’re not always named as you would expect. – IT security manager, Institution C
Summary: Potential benefits of collaboration
From security’s point of view:
- Overcome user resistance to security policies
- Better understanding of necessary controls
From audit’s point of view:
- Improved risk management
- Improved audit focus on higher risk areas
Summary
|                        | Evidence of positive synergistic relationship      | Lack of evidence of positive synergistic relationship |
| Institutions           | A, C                                               | B, D                                                  |
| Nature                 | Public and for-profit – both have multiple campuses | Public and private, only one campus                  |
| Auditor IT knowledge   | High                                               | Low                                                   |
| Auditor role           | Partner, collaborator                              | ??                                                    |
| Formal relationship    | Close                                              | Separate or outsourced                                |
| Top management support | High at C                                          | Low                                                   |
Outcome – research model
Figure: research model. Antecedents shown: Internal Audit’s Level of IT Knowledge, Internal Audit’s Communication Skills, Internal Audit’s Attitude, Top Management Support, and Organizational Characteristics. These lead to Depth of Relationship between Internal Audit and Information Security, which in turn leads to Benefits of Collaboration between Internal Audit and Information Security. Proposition labels P5 and P6 appear on the diagram.