
Go Hack Yourself

Penetration testing is only the first step of self-inspection -- ask internal auditors to scrutinize IT practices beyond compliance to take risk management to the next level
Enterprises can't protect themselves against risks they don't know exist. This is why security checks like penetration tests are crucial in finding IT flaws. But penetration tests are really only the start of looking in the risk management mirror.

In the quest to self-assess the organization for IT risk, organizations must look not just for technical weaknesses, but also for the risks posed by IT's interdependencies with business processes and procedures. That's why, where penetration tests and security monitoring platforms leave off, a good internal auditing team can pick up. If run right -- with an eye toward not just enforcing regulatory compliance, but reducing overall organizational risk -- internal auditors can become a valuable ally in the IT manager's stable of advisers.

"It is essential that organizations not only audit for compliance, but also for security," says Alex Hamerstone, technical compliance manager at TOA Technologies. "The most important aspect of auditing at the highest standard is understanding the big picture, including all of the interdependencies of security."

Internal Audit's Role In IT Risk Management
According to Bill Hull, a principal in PwC's Risk Assurance practice specializing in internal audit, internal audits stand as one of three lines of defense in the risk management world. Penetration testing falls under the first line of defense, which is the actual functional department responsible for actively managing risk. The second line of defense can also fall within that department, but is more specifically the monitoring or supervisory control mechanisms to track operations on a day-to-day basis.

And, finally, there is the third line of defense.

"This is really where internal audit typically lies, where you have this independent, objective body that can not only provide assurance, but also advice," he says.


At the moment, Hull says that many organizations are experiencing a disconnect between these three lines of defense. As the IT risk landscape changes, and as IT monitoring tools do a better job automating analysis and IT controls functions, that disconnect could grow larger if businesses don't adjust. Part of that adjustment will require a change in the way that internal audit interacts with IT departments.

"As more and more risk analysis and compliance testing is automated and housed in IT GRC platforms that serve as a central repository, the need to provide a 'single version of the truth' is critical," says Yo Delmar, vice president of GRC Solutions at MetricStream. "Furthermore, with integrations to IT and security monitoring systems, the work of the internal auditor has changed and moved into that of an advisory role, consulting on new and emerging risks and best practices."

This will require a paradigm shift for both the auditors and those being audited.

"Internal audit has a responsibility to educate individuals that they are a trusted resource for them and not act as a tattler or compliance cop with only the intention of nabbing offenders," Hamerstone says.

According to Hull, one of the biggest advantages that internal audit can offer is a global visibility of risk across the organization that comes as a function of the auditors' cross-departmental responsibilities.

"Internal audit, by its very role, works across an entire enterprise. Very often, risks touch multiple stakeholders. They're rarely single-threaded," he says. "Internal audit has the ability to connect the dots, whereby they can see an IT risk and connect it to other risks in the organization."

That's one big reason why the relationship between the internal audit team and the CISO should be maximized, says Brian Schwartz, Americas internal audit leader for Ernst & Young.

"There are points of convergence that both parties can take advantage of for better and continued coverage of IT security controls," he says. "IT security controls are found throughout the organization given the reliance on systems in key business processes. For this reason, IT security controls are in-scope for many audit projects."

He suggests that internal auditors and the CISO communicate throughout the year and that internal auditors share their annual plans with the CISO.

"In addition, the CISO should be copied on audit reports where IT security issues are surfaced to allow the CISO to provide guidance on solving security control issues uncovered by the internal audit function," Schwartz says. "The CISO can assist the business leaders, who respond to audit reports, in designing IT security controls that protect the organization against the related inherent business risks."

Not only can CISOs better integrate IT risk management functions into overall business risk management through close work with internal auditors, but the relationship will also lend more credibility come time for budget requests.

"It is internal audit that needs to bring IT risk to the forefront of senior management's minds," says Heather Bearfield, principal and practice group leader for National Technology Assurance Services, "particularly when management falsely assumes that the cost of investing in IT is unwarranted or is uneducated about the ROI of strategic IT investment."

Ingredients For Internal Audit Success
But successful cooperation between IT security staff and internal auditors won't come automatically. There are several key ingredients to success.

First and foremost, internal auditors can't let compliance take over an annual audit plan or define its mandate, Schwartz says.

"For some internal audit functions, they are viewed as a 'check-the-box' effort or a compliance effort," he says. "While SOX testing is very important, it should rarely be internal audit's sole focus."

But the only way internal audit can be brought into a more strategic role as risk adviser for IT is if IT staffers start to trust these in-house auditors and cooperate with them more fully.

"Internal audit should not be feared, but rather should be seen as an integral defense against external threats," Hamerstone says. "Be sure to explain this to the people your internal audit team is working with, as they are more likely to be frank in their discussion if they understand the true consequences of noncompliance."

As IT works with internal auditors, IT staff must remember that many auditors are not necessarily IT experts, but they do know how to identify risks.

"They are experts in process, process controls, auditing, and risk management," says Jeff VanSickel, practice leader for compliance at SystemExperts.

But on the flip side, if internal auditors are to keep up with the rapidly changing technology risk landscape, they have to meet IT staffers halfway. Experts say that organizations that are seeking better integration between IT security and internal audit have to help their internal audit department improve their technology competencies and skill sets through improved education of existing staff, strategic hiring, and potentially, some strategic outsourcing.

"Auditors are dealing with a new class of complex processes and technology risks at many layers of the stack, including governance, information, applications, and infrastructure," Delmar says. "As a result, internal auditors must continually educate themselves on emerging standards, best practices, and adopted frameworks, which can help them appropriately manage risk in this new digital world."
