
Auditing Organizational Information Assurance (IA) Governance Practices


Auditing Organizational Information Assurance (IA) Governance Practices

Mansoor Faridi
Fort Hays State University
July 23, 2014
Table of Contents

  • Introduction (p. 1)
  • Proposed Concept (p. 2)
  • Research Approaches (p. 3)
  • Review of Feasibility (p. 7)
  • Conclusion (p. 8)
  • References (p. 9)
Introduction

This concept paper evaluates the feasibility of conducting a formal scientific study to audit an organization's information assurance governance practices. In today's computing environment, it is paramount to have sophisticated controls in place to safeguard organizational information while ensuring its Confidentiality, Integrity, Availability and Non-Repudiation [emphasis added]. Research indicates that in the absence of a robust security program, organizations expose themselves ("Open Security," 2014) to data breaches resulting in flailing shareholder confidence, litigation and possible financial collapse. Auditing an organization's information assurance governance practices will identify opportunities for improvement and provide an independent and objective assessment of the effectiveness of those practices. It will also enable the organization to comply with regulatory requirements, increase stakeholder confidence and strengthen its security posture in the face of numerous threats ("Ponemon," 2013). As part of governance, it will be management's responsibility to engage either Internal or External Auditors to develop and execute an audit program evaluating internal controls relating to the organization's information assurance governance practices. Leveraging leading industry frameworks (Arora, 2013; "SOX-Online," 2012) such as COBIT, COSO, NIST, ITIL and ISO 27002, the audit program will assess organizational information assurance governance practices; its scope will include data governance, incident response, user-training and attestation, and periodic reviews. Finally, a conclusion will be drawn to determine the feasibility of auditing an organization's information assurance governance practices.
Proposed Concept

With the passage of time, more and more data is being digitized, which increases organizational risk exposure. Globally, forty percent of the largest data breaches recorded occurred in 2013 ("Online Trust," 2014, p. 4). Hence, it becomes critical to have proactive vigilance over the organization's internal controls over information assurance via a formal audit program. The audit program will be developed after performing a comprehensive risk assessment ("United Kingdom," 2004, p. 3) to identify risks (see Appendices A & B) within the four aforementioned areas. Subsequently, as per the organization's risk management strategy, these risks will be accepted, mitigated, transferred or avoided ("United Kingdom," 2004, p. 24). Upon successful risk assessment, the audit program will be implemented to assess the effectiveness of internal controls. Following is a list of areas and the scope of audit coverage over internal controls:

  • Data governance: Is there a standard procedure for user-access provisioning? Is user access periodically validated? Are data custody and ownership defined? Is data access logged and monitored? Is data classified, indicating sensitivity and storage location? Is a data retention policy defined?
  • Incident response: Are there protocols in place in case of a data breach? Is there a communication/notification plan? Is there effective coordination between key stakeholders and support personnel? Are there disaster recovery and business continuity plans in place?
  • User-training & attestation: Are users educated on their roles and expectations via the Information Security policy, seminars, online training, informational videos, brochures, etc.? Are users required to attest to their participation in mandatory online training?
  • Periodic reviews: Was vulnerability testing performed? Was penetration testing performed? Was system hardening performed? Was the evidence of this testing reviewed, approved and archived for audit purposes?

The design of internal controls in the above areas will be examined and tested for operational effectiveness over a period of time. Once the audit is concluded, management will be provided with a formal audit report detailing ineffective controls, the risk(s) posed and their impact, along with audit recommendations to bridge the identified gaps. Management will then review, approve and accept the audit report with a formal sign-off. The review approaches for these areas are discussed in detail in the next section.

Review Approaches

This section describes the audit program's review approaches that will test internal controls relating to data governance, incident response, user-training and periodic reviews. The program will determine the design and operational effectiveness of internal controls as follows:

Data governance

By examining relevant documentation, it will be determined whether there is a standard procedure to provision user access that requires the data owner to approve the requested access and the data custodian to provision the approved access. Alignment of data ownership and data custody will also be verified by reviewing documents detailing roles and responsibilities. It is to be noted that data ownership and data custody are assigned to different roles for segregation of duties purposes ("Separation of," 2014). It will also be determined whether this access was granted on the principle of least privilege (Langford, 2003), and whether user access is monitored and logged each time data is accessed and/or modified. It will also be examined whether data is classified appropriately, indicating data sensitivity, storage location and log details ("Online Trust," 2014, p. 10). Furthermore, the data retention policy will be reviewed to determine whether data will be destroyed when no longer required, as per the data management lifecycle and the prevailing legislation in effect ("Retention Period," 2014). Please note that the above controls relate to the capability to protect organizational data from unauthorized access and to the sending and receiving protocols in place; hence they satisfy both the Confidentiality [emphasis added] and the Non-Repudiation [emphasis added] aspects of information assurance governance practices.

Incident response

By examining the communication/notification plan, it will be determined whether there are protocols in place in case of a data breach. Evidence of effective coordination between organizational stakeholders and external support personnel (e.g., law enforcement) will be determined based on periodic joint exercises simulating emergency drills. These drills will be confirmed by reviewing detailed reports listing date, time, venue, simulated scenario(s) and participants. In addition, evidence relating to the execution of the Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) will also be examined ("United Kingdom," 2004, p. 35). The departments concerned will be expected to produce satisfactory evidence noting successful completion of the drill and any issues encountered. Since this area highlights the system's capability to provide access to network resources and data despite disruptive events or conditions, the above controls satisfy the Availability [emphasis added] aspect of information assurance governance practices.

User-training & attestation

Users will be expected to play a critical role in supporting the organization's information assurance governance practices. They will be expected to participate in both formal and informal learning activities (see Figure 1) by taking part in awareness, literacy, training and education sessions ("United Kingdom," 2004, p. 37). Each phase will have various activities within it; some of those activities will be audited. After completing each activity, users will be issued a certificate of completion, the record of which will be verified during the audit examination. For sampled users, the record of completion for the various activities will be compared against the established benchmark to determine whether a minimum number of users have completed the mandatory training that will enable them to effectively safeguard and protect organizational assets against possible abuse/misuse.

[Figure 1. Information assurance learning continuum (Maconachy, Schou, Ragsdale & Welch, 2001)]

Finally, a user listing will be produced noting users whose compliance (vis-à-vis mandatory training) is below the acceptable threshold. Subsequently, each such user's manager will be notified and will be responsible for ensuring that the users successfully complete all required training sessions within an agreed-upon timeframe. The record of all completed training and audit activities will be examined to close audit findings, if any. This area highlights the emphasis on the user education continuum, preparing users to ensure that the organizational system is capable of providing services and processing data with the assurance that it is accurate and uncorrupted. This satisfies the Integrity [emphasis added] aspect of information assurance governance.

Periodic reviews

The record of system vulnerability testing will be examined to determine whether any gaps exist. (Based on vulnerability testing results, administrators are expected to close the gaps by addressing audit assertions. This is known as system hardening.) Subsequently, the results of system hardening will also be examined to determine whether any gaps exist. In the event of reported gaps, the auditor will verify their successful closure. The audit will also examine the results of external penetration testing; these results will help determine whether any gaps need to be addressed. Where the organization is dependent on a service organization for its computing needs, the vendor will be requested to produce a Service Auditor's Report (Statement on Standards for Attestation Engagements (SSAE) No. 16) to determine whether all controls relating to the data center are designed appropriately and operated effectively over a period of time ("SSAE 16," 2014). It is important to note that if the organization chooses to engage a third-party vendor for its computing needs, its responsibility for governing security has not been removed; it is merely different (Kirkpatrick, 2011).
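The data-governance and user-training review approaches above, as an added example that is not part of the paper: two small audit routines over constructed evidence records, one checking that sampled access-provisioning tickets were owner-approved, custodian-provisioned, segregated and periodically validated, the other producing the listing of users whose mandatory-training completion falls below the benchmark. All names, datasets, courses and dates are assumptions made for illustration.

```python
# Added example: audit checks over constructed records; every name here is an assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    ticket: str
    user: str
    dataset: str
    approved_by: str      # should be the data owner of the dataset
    provisioned_by: str   # should be the data custodian of the dataset
    last_validated: str   # ISO date of the last periodic access review, "" if never

# Constructed role assignments: ownership and custody sit with different roles.
DATA_OWNERS = {"hr_payroll": "alice", "customer_db": "bob"}
DATA_CUSTODIANS = {"hr_payroll": "carol", "customer_db": "dave"}

# Constructed provisioning tickets an auditor might sample.
REQUESTS = [
    AccessRequest("T-1", "erin", "hr_payroll", "alice", "carol", "2014-05-10"),
    AccessRequest("T-2", "frank", "customer_db", "dave", "dave", "2014-06-01"),
    AccessRequest("T-3", "gina", "hr_payroll", "alice", "carol", ""),
]


def audit_access_requests(requests, owners, custodians, review_cutoff):
    """Return (ticket, finding) pairs; an empty list means no audit assertions."""
    findings = []
    for r in requests:
        if r.approved_by != owners.get(r.dataset):
            findings.append((r.ticket, "approver is not the data owner"))
        if r.provisioned_by != custodians.get(r.dataset):
            findings.append((r.ticket, "provisioner is not the data custodian"))
        if r.approved_by == r.provisioned_by:
            findings.append((r.ticket, "segregation of duties: approver also provisioned"))
        # ISO dates compare correctly as strings; "" (never validated) always fails.
        if r.last_validated < review_cutoff:
            findings.append((r.ticket, "access not validated within the review period"))
    return findings


# Constructed training-completion records keyed by user.
REQUIRED_COURSES = {"security-awareness", "data-handling"}
COMPLETIONS = {
    "erin": {"security-awareness", "data-handling"},
    "frank": {"security-awareness"},
    "gina": set(),
    "hank": {"security-awareness", "data-handling", "phishing"},
}


def training_noncompliance(completions, required, threshold):
    """Return (share of users meeting the benchmark, sorted users below it)."""
    below = [
        user for user, done in sorted(completions.items())
        if len(done & required) / len(required) < threshold
    ]
    return 1 - len(below) / len(completions), below
```

The list returned by `training_noncompliance` is the user listing that goes to managers; the first value is the benchmark figure reported to management.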
Please note that an SSAE 16 Type I report only lists the design of a control at a given point in time, whereas a Type II report lists the design of a control and its operational effectiveness over a period of time. All of the controls detailed above will be examined in detail, and documentary proofs will have evidence of management review and sign-off. Absence of documentary evidence relating to the activities, tasks or review & sign-off will lead to audit assertion(s). Audits will be planned as per the audit schedule and performed on a periodic basis.

Review of Feasibility

Management/stakeholder support (Anhal, 2002) is the main criterion for any governance program to be successful. This section discusses the feasibility of the concept presented, to determine whether it is feasible to conduct a formal scientific study to audit an organization's information assurance governance practices. The feasibility is ascertained by breaking down the main concept into four main governance areas and then listing the critical operational activities aligning with each of these areas. Each activity also lists the internal controls that ensure its governance at a more granular level. Subsequently, the review approaches relevant to each activity are listed along with the corresponding audit activities. The review approach describes the evidence to be examined for each internal control. It is also meant to assess the design and implementation of internal controls and comment on their operational effectiveness over a period of time. In summary, by reviewing the methodology presented above, it is feasible to audit an organization's information assurance governance practices.
Conclusion

This concept paper evaluates the feasibility of conducting a formal scientific study to audit an organization's information assurance governance practices. Four critical areas (data governance, incident response, user-training and attestation, and periodic reviews) are examined to assess their suitability for inclusion in this study. The Confidentiality, Integrity, Availability and Non-Repudiation aspects of information assurance are also reviewed in this context. Corresponding review approaches for the internal controls aligned with each aforementioned area are also discussed. Based on this discussion in conjunction with the review approaches, there is ample support for the feasibility of auditing an organization's information assurance governance practices.
References

Anhal, A. (2002). Information Assurance and Corporate Governance: Engaging Senior Management. SC Magazine. Retrieved July 22, 2014 from http://www.scmagazine.com/information-assurance-and-corporate-governance-engaging-senior-management/article/30725/

Arora, V. (2013). Comparing different information security standards: COBIT vs. ISO 27001. Unpublished manuscript. Carnegie Mellon University, Doha, Qatar.

Open Security Foundation. (2014). Data Loss Statistics [Data file]. Retrieved July 22, 2014 from http://datalossdb.org/statistics?utf8=%E2%9C%93&timeframe=current_year

Jaspal, S. (2011). Fraud Symptom 10 – Lapses in Information Assurance. Sonia Jaspal's RiskBoard. Retrieved July 22, 2014 from http://soniajaspal.wordpress.com/2011/09/30/fraud-symptom-10-lapses-in-information-assurance/

Kirkpatrick, J. (2011). Governance in the cloud. ISACA Journal, 5, 1-2. Retrieved July 22, 2014 from http://www.isaca.org/Journal/Past-Issues/2011/Volume-5/Documents/11v5-Governance-in-the-Cloud.pdf

Langford, J. (2003). Implementing Least Privilege at your Enterprise. SANS Institute InfoSec Reading Room. Retrieved July 22, 2014 from http://www.sans.org/reading-room/whitepapers/bestprac/implementing-privilege-enterprise-1188

Maconachy, W., Schou, C., Ragsdale, D., & Welch, D. (2001). A model for information assurance: An integrated approach. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, US Military Academy, West Point, NY, USA. Retrieved July 22, 2014 from http://it210web.groups.et.byu.net/lectures/MSRW%20Paper.pdf

Online Trust Alliance. (2014). 2014 Data Protection & Breach Readiness Guide. Retrieved July 22, 2014 from https://otalliance.org/system/files/files/resource/documents/2014otadatabreachguide4.pdf

Ponemon Institute LLC. (2013). 2013 Cost of Data Breach Study: Global Analysis. Retrieved July 22, 2014 from http://www.ponemon.org/local/upload/file/2013%20Report%20GLOBAL%20CODB%20FINAL%205-2.pdf

Retention Period. (2014). In Wikipedia. Retrieved July 22, 2014 from http://en.wikipedia.org/wiki/Retention_period

Separation of duties. (2014). In Wikipedia. Retrieved July 22, 2014 from http://en.wikipedia.org/wiki/Separation_of_duties

Sherwood, J. (2009). Historical Background: Information Assurance. SABSA Institute Community Forum. Retrieved July 22, 2014 from http://www.sabsa-institute.com/members/node/19

SOX-online: The Vendor-Neutral Sarbanes Oxley Site. (2012). Mapping COBIT to other guidance. Retrieved July 22, 2014 from http://www.sox-online.com/cobit_mapping.html

Speed, R. (2011). IT governance and the cloud: Principles and practice for governing adoption of cloud computing. ISACA Journal, 5, 1-6. Retrieved July 22, 2014 from http://www.isaca.org/Journal/Past-Issues/2011/Volume-5/Documents/11v5-IT-Governance-and-the-Cloud-Principles-and-Practice-for-Governing-Adoption-of-Cloud-Computing.pdf

SSAE 16 Overview. (2014). Auditing Standards Board. Retrieved July 22, 2014 from http://ssae16.com/SSAE16_overview.html

United Kingdom Cabinet Office. (2004). Information Assurance Governance Framework. Retrieved July 22, 2014 from http://www.sylviterma.com/Portals/0/resources/ia_governance_framework8ddbf733-48c5-4056-807b-42a756dd4b05.pdf
