Information systems audit : Is it a system audit or an information audit


Published on

Vishal Gupta, CEO, Seclore explains why focusing the audit to the asset over and beyond the cost base is the right approach in cases where information is not contained within any perimeter

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Information systems audit : Is it a system audit or an information audit

  1. 1. Information systems audit: Is it a system audit or an information audit? - ... 1 of 2 Print this page Information systems audit: Is it a system audit or an information audit? 22 Nov 2013, Vishal Gupta Most companies handling consumer data (financial services, telecom, utilities, ...) have some kind of compliance (ISO, GLBA, HIPAA, RBI, ...) framework against which periodic compliance audits are conducted. For example, an audit on the handling of credit card transaction data in a bank would include checking the perimeter security of the systems the data resides on, checking the encryption used to store the data, looking at each input and output point that touches the data (and each output point is seen as a risk and measured with the same thoroughness as the core system), including checking the levels of access each role/employee has to that data. An audit of such data will also include checking the process of backup, including following the backup tape in the armored van all the way to the backup vault! An audit such as the above recognizes that a leak from any part of the system renders the strength of the rest of the system useless. In situations such as the above, the bank owns or tightly controls the entire value chain from the input of the data all the way to archive/storage. At no point does the data leave to be in the hands of a third party without the third party being tied down with draconian penalty clauses for any leak, for any reason. In this example where the information is resident within a specified boundary, information audit becomes a comprehensive information systems audit. Now take for example an audit done on a high volume transactional website that engages third party shipment companies (to ship products bought on the website), third party call centre support personnel, often uses third party business intelligence companies to give insights into customer behaviour and purchase patterns. In each of these cases, the data is shipped out (or made available in real time). To audit third parties in such cases becomes near impossible, the third parties are usually scattered around the globe, subcontract work-at-home employees, and urgency of requirement or costing constraints have ensured that the third parties are seldom compliant with industry standard security practices. Once the information has left your system, any checks done on the system are rendered useless, and no track-ability directly translates to no accountability. In this example the information is not really contained within any perimeter and an information audit would ideally cover all the systems the information touches through its life cycle. This may include internal and external systems. Clearly, this is a very difficult job. In this case an information systems audit is a poor way of performing information audit. Thinning of the enterprise perimeter is forcing organizations to perform an information audit over and beyond information systems audit. Beyond the semantics this shift is a fairly fundamental paradigm shift. Focusing the audit to the asset (information) over and beyond the cost base (systems) looks like right approach, but is not very easy. An information audit would cover the whole life cycle of information from creation to destruction. According to Shashidhar CN, Director at ISACA Bangalore, "Any data of Sensitive & Personal (SPI) 12/2/2013 1:16 PM
  2. 2. Information systems audit: Is it a system audit or an information audit? - ... 2 of 2 nature needs to be encrypted at rest and move. If not, it’s as good as lost or misused. With increasing awareness of auditors in performing information audits rather than just system audits, and availability of technologies like IRM, companies no longer have an excuse for not protecting SPI data or to claim that once the information left their system's they are no longer able to control its use.” There will be no real "boundary" of this audit since the information will span perimeters, countries, companies, applications, networks and devices. Given present day systems this is a difficult activity to even know about so audit looks like a distant dream. Such a "borderless" audit would involve process and technologies which have the capability to track and control information usage across perimeters and to provide a central view of information usage through its lifecycle. Information Rights Management systems provide a mechanism by which unstructured information like documents, e-mails, drawings etc. can be audited for use within and outside of the enterprise. The good thing is that IRM systems are available easily and can be deployed without a lot of changes. The not-so-good thing is that IRM systems for now are restricted to unstructured information like documents and emails and do not cover databases. Copyright © 2013 UBM India, All rights reserved 12/2/2013 1:16 PM