Our new column, “Ask the Auditor,” answers real questions submitted by real readers. This week, certified internal auditor and certified information systems auditor Dan Swanson answers the question of who is responsible for information security.
By Dan Swanson
A Reader Asks: Who is responsible for information security?
The Auditor Responds: In short, the board of directors, management (of both staff and business lines), and internal audit functions all have significant roles in auditing information security. The big question for many companies is how these stakeholders should work together to ensure that everything that should be done to protect sensitive data is being done—and that the company’s key assets are protected appropriately.
1) Staff and line-of-business managers must have a voice in the design and implementation of information security programs, since these managers are ultimately responsible for protecting and enhancing the value of the organization’s assets, including information assets. Managers must also review and monitor security controls to ensure they remain appropriate despite ever-changing risks and business requirements. This is, in fact, a form of auditing information security. And, finally, managers who own business-unit information should also help define their security requirements, based on business objectives, the significance of the information involved, legal requirements, and the seriousness of threats to data privacy.
Under a separate category of management, information security managers should organize and implement the organization’s information security program, including its monitoring (testing) program.
Although business managers often try to assign information security responsibilities to an information security management function, all parts of the organization have information security responsibilities. Security goals include a mixture of technical, procedural, and oversight controls, all of which should be reviewed or tested to ensure they are (a) adequate, as specified, to mitigate information security risks, and (b) reasonably effective in practice.
Finally, executive management must provide leadership to ensure that information security efforts are supported and understood across the organization. Executive management must also dedicate sufficient resources to allow controls to be effective.
2) The board of directors must provide oversight at a level above other business managers. The directors’ role in information security is to ask managers the right questions and encourage the right results. Directors must set the right tone at the top, communicating to executive management the business imperative of effective information security management.
3) The internal audit function provides strategic, operational, and tactical value to an organization’s operations. For example, internal auditing:
- Tells the board and management whether business units understand the importance of security and adhere to policies; whether key information assets and systems are secure; and whether programs are in place for continually updating and strengthening safeguards against internal and external security threats
- Provides assurance to both directors and managers that information security is as good as people say it is. Auditors identify weaknesses in existing security efforts, along with corresponding opportunities for improvement.
- Helps the board and management understand whether the information security function has the resources, systems, and processes it needs to be efficient and effective
- Independently validates that the organization’s information security program efforts are proactive and effective against current and emerging threats. To provide this level of assurance, internal auditors also compare current organizational practices with industry practices to discern whether their organization is operating comparably to others.
By ensuring that information security systems and management are subject to review and audit by qualified professionals, corporate leaders advance the goal of overseeing the organization’s information security program and ensuring its continuous improvement and success.
To fulfill its potential, the internal audit function needs to:
- Know what they are doing (i.e., have the skills to perform appropriate security audits)
- Have a long-term information security audit plan
- Have a strong understanding of the technical and business environments
- Know what to ask for
Information security auditing should be planned with an eye to ever-changing technical and business environments. The auditing function should “complement,” but never replace, management’s responsibility to ensure their IT controls are operating properly.
Resources
Proactively studying “what’s new” is a fundamental requirement for implementing and auditing information security effectively. Landmark guidance is issued every few years. These “classics” offer important knowledge relevant to all security stakeholders. The following list represents several classics, as well as some very new information, from a variety of leading resources relating to information security and its control and auditing.
Information Security Resources
1. The Computer Emergency Response Team (CERT) program has developed extensive guidance regarding information security, security management, security governance, and the assessment of risk. CERT is part of the Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University. Some of its most interesting resources explore:
- Evaluation of security risks, practices, insider threats
- Development of a computer security incident response team
- Governing for Enterprise (PDF) (HTML version)
- The “Build Security In” initiative
2. The Corporate Information Security Working Group (CISWG) has produced guidance on the development of information security metrics and created a definitive summary of information security management references. CISWG is a program formed by Adam H. Putnam, chairman of the Subcommittee on Technology, Information Policy, Intergovernmental Relations & the Census of the Government Reform Committee, of the U.S. House of Representatives. Its publications include:
- CISWG—The Final Report of the Best Practices and Metrics Teams (PDF)
- CISWG—Information Security Management References (PDF)
3. Executive Guide: Information Security Management: Learning From Leading Organizations
4. Microsoft’s Security Risk Management Guide
5. The International Systems Security Engineering Association (ISSEA)
6. How to Become an Information Security Professional
7. US Security Awareness—Information Security Auditing
8. The SANS Institute and its SCORE Checklist Project: ISO 17799
9. The Center for Internet Security
10. The Information Systems Security Association (ISSA)
11. The Computer Security Division (CSD) of the National Institute of Standards and Technology (NIST), including the Federal Information Security Management Act (FISMA) library
12. The Open Web Application Security Project
Information Security Auditing Resources
1. The Institute of Internal Auditors (IIA) has published a series of three board-level guidance reports on information security that focus on assigning responsibilities to the board, management, and internal audit, and on providing guidance to board directors.
- Information Security Management and Assurance: A Call to Action for Corporate Governance
- Information Security Governance: What Directors Need to Know
- Building, Managing, and Auditing Information Security
2. “Avoiding IS Icebergs,” by Dan Swanson
3. Management Planning Guide for Information Systems Security Auditing, from the National State Auditors Association and the US General Accounting Office
4. Information Security Oversight: Essential Board Practices, from the National Association of Corporate Directors (NACD)
5. Information Systems Audit and Control Association (ISACA), and IT Governance Institute
6. AuditNet
7. The Global Technology Audit Guides (GTAG)
8. The Canadian Federal Government Internal Audit Guides
9. The IT Process Improvement Institute
10. The Center for Education and Research in Information Assurance and Security
Do you have something to ask the auditor? Send your question to editor@itcinstitute.com. We will try to answer it in a future column.