What exactly is the role of an information security auditor? In some cases, such as compliance by Level 1 and 2 merchants with PCI DSS 2.0, external audit is a condition to PCI DSS 2.0 compliance. In the case of ISO 27001, the audit process is a key to achieving ISO 27001 certification (unlike PCI and HIPAA, ISO regards certification, not compliance as the goal).
There is a gap between what the public expects from an auditor and how auditors understand their role.
Auditors look at transactions and controls. They’re not the business owner and the more billable hours, the better.
The “reasonable person” assumes that the role of the security auditor is to uncover vulnerabilities, point out ways to improve security and produce a report that will enable the client to comply with relevant compliance regulation. The “reasonable person” might add an additional requirement of a “get out of jail free card”, namely that the auditor should produce a report that will stand up to legal scrutiny in times of a data security breach.
Auditors don’t give out “get out of jail” cards and audit is not generally part of the business risk management.
The “reasonable person” is a legal fiction of the common law representing an objective standard against which any individual’s conduct can be measured. As noted in the wikipedia article on the reasonable person:
This standard performs a crucial role in determining negligence in both criminal law—that is, criminal negligence—and tort law. The standard also has a presence in contract law, though its use there is substantially different.
Enron, and the resulting Sarbanes-Oxley legislation resulted in significant changes in accounting firms’ behavior,but judging from the 2009 financial crisis from Morgan Stanley to AIG, the regulation has done little to improve our confidence in our auditors. The numbers of data security breaches are an indication that the situation is similar in corporate information security. We can all have “get out of jail” cards but data security audits do not seem to be mitigating new risk from tablet devices and mobile apps. Neither am I aware of a PCI DSS certified auditor being detained or sued for negligence in data breaches at PCI DSS compliant organizations such as Health Net where 9 data servers that contained sensitive health information went missing from Health Net’s data center in Rancho Cordova, California. The servers contained the personal information of 1.9 million current and former policyholders, compromising their names, addresses, health information, Social Security numbers and financial information.
The security auditor expectation gap has sometimes been depicted by auditor organizations as an issue to be addressed by educating users to the audit process. This is a response not unlike the notion that security awareness programs are effective data security countermeasures for employees that willfully steal data or bring their personal device to work.
Convenience and greed tend to trump awareness and education in corporate workplaces.
Here are 10 guidelines that I would suggest for client and auditor alike when planning and executing a data security audit engagement:
1. Use an engagement letter every time. Although the SAS 83 regulation makes it clear that an engagement letter must be used, the practical reason is that an engagement letter sets the mutual expectations, reduces risk of litigation and by putting mutual requirements on the table – improves client-auditor relationship.
2.Plan. Plan carefully who needs to be involved, what data needs to be collected and require input from C-level executives to group leaders and the people who provide customer service and manufacture the product.
3. Make sure the auditor understands the client and the business. Aside from wasted time, most of the famous frauds happened where the auditors didn’t really understand the business. Understanding the business will lead to better quality audit engagements and enable the auditor and audit manager to be peers in the boardroom not peons in the hallway.
4. Speak to your predecessor. Make sure the auditor talks to the people who came before him. Speak with the people in your organization who did the last data security audit. Even if they’ve left the company – it is important to understand what they did and what they thought could have been improved.
5. Don’t tread water. It’s not uncommon to spend a lot of time collecting data, auditing procedures and logs and then run out of time and billable hours, missing the big picture which is” how badly the client organization could be damaged if they had a major data security breach”. Looking at the big picture often leads to audit directions that can prevent disasters and subsequent litigation.
6. Don’t repeat what you did last year. Renewing a 2,000 hour audit engagement that regurgitates last years security check list will not reduce your threat surface. The objective is not to work hard, the object is to reduce your value at risk, comply and …. get your “get out of jail card”.
7. Train the client to fish for himself. This is win-win for the auditor and client. Beyond reducing the amount of work onsite, training client staff to be more self sufficient in the data collection and risk analysis process enables the auditor to better assess client security and risk staff (one of the requirements of a security audit) and improves the quality of data collected since client employees are the closer to actual vulnerabilities and non-compliance areas than any auditor.
As I learned with security audits at telecom service providers and credit card issuers, the customer service teams know where the bodies are buried, not a wet-behind-the-ears auditor from KPMG.
8. Follow up on incomplete or unsatisfactory information. After a data security breach, there will be litigation. During litigation, you can always find expert testimony that agrees with your interpretation of information but -
The problem is not interpreting the data but acting on unusual or missing data. If your ears start twitching, don’t ignore your instincts. Start unraveling the evidence.
9. Document the work you do. Plan the audit and document the process. If there is a peer review, you will have the documentation showing the procedures that were done. Documentation will help you improve the next audit.
10. Spend some time evaluating your client/auditor. At the end of the engagement, take a few minutes and interview your auditor/client and ask performance review kinds of questions like: What do think your strengths are, what are your weaknesses? what was succesful in this audit? what do you consider a failure? How would you grade yourself on a scale of 10?
Perhaps the biggest mistake we all make is not carefully evaluating the potential we have to meet our goals as audit, risk and security professionals.
A post-audit performance review will help us do it better next time.