Most IT staffs already have all they can handle. Bringing someone in to do the heavy security lifting might make sense for your business.
Computer and network security is a pervasive concern for everyone–even those who are not in tightly regulated industries that demand lockdowns of communications and information. At the same time, most IT staffs already have more day to day projects than they can handle. They lack internal expertise that can be applied to security evaluations and on some IT staffs, there is even active resistance.
The easiest thing to do is throw the security audit “over the fence” and into the hands of an outside auditor who can tell you where you have controls missing and technology exposed. But if you are a small to medium-sized company, the issue is often affordability. What can you do to address IT security with the internal resources that you have available–and at what point do you look for an outside security audit?
We’ll review both options, presenting the elements you need to be successful in your own security approach–and when to make that step to retain an outside security auditor.
The top security audit issues
IT security audit pressures vary between industry sectors. If you are running an IT network in government, finance or healthcare, you are already tightly regulated for security breaches and information sharing. Your company probably receives a visit from an IT regulator or examiner every twelve to eighteen months. There is pressure to comply because if you are found out of compliance, it can have career repercussions.
High technology businesses also have security pressures, but these are more self-imposed. For these businesses, the leak of critical intellectual property from a computer network can bring down an entire organization. On the other hand, mom and pop businesses, manufacturing and fabrication facilities, hardware stores and auto parts dealerships have less security regulation and fewer fears of intellectual property theft. Security demands can be low.
“We find overall that the amount of industry regulation plays a major role in companies’ network security efforts,” says Stuart Chontos-Gilchrist, president of E3 Technology , an IT security auditing and design firm. “For companies not operating in highly regulated industries, it’s often a matter of whether you choose or don’t choose to create industry best practices in security. Financial and healthcare companies are highly regulated, and must focus on IT security. Publicly traded companies that are subject to Sarbanes-Oxley reporting requirements also need to focus on the security aspects of their operations. However, there are still many smaller companies that manage to “fly under the radar” of industry security focuses.”
Chontos-Gilchrist says that important focal issues for any professionally conducted IT security audit begin with the area of vendor management, and the policies and procedures that form the basis of a company’s entire IT security program. Related to this are the company’s disaster recovery and business continuation plans, and the security-related solutions and technologies that are deployed in the company, such as security software on all desktop computers, intrusion prevention, and effective patch and change management procedures for the software that the company runs. If all of these areas are tightly controlled and up to date, the company’s security measures are quite likely to be effective.
However, IT security is a process and not a one-time project. Someone has to continually monitor security trends, and then take steps to ensure that the company’s networks remain bullet-proof. Companies can begin with an internal person who assumes the IT audit responsibility, or they can opt to outsource the function for periodic third party reviews.
Handling security audits internally
Companies that address IT security audits internally look to either their accounting or their IT areas for an individual who can shoulder the security audit responsibility.
“Usually, a company will have someone who already is an internal auditor conduct the security audits for IT,” says Chontos-Gilchrist. “The company wants to do the best job of auditing that it can with its available internal resources, and often these resources come from Finance. This can be a disadvantage to IT, because a financial person may not have the specialized background in IT security. On the other hand, there are segregation of function issues if you have an IT person perform IT security audits, and that same person is responsible for administering IT security on a day to day basis.”
In both cases, unless the company is very large, there are battles between audits and other workload priorities–and audits are not addressed in a timely manner. There is also the danger of too much familiarity if the same auditor examines IT security year after year. It is hard to stay fresh to perceive all of the possible issues. To prevent this excess “familiarity” from occurring, many organizations cycle their internal auditors through a variety of company audits, and these corporate auditors frequently work in conjunction with different external auditors on the various corporate audit areas.
“Companies turn to an outside party to perform their security audits after they reach a certain size that allows for a security budget,” says Chontos-Gilchrist. “While there are exceptions, in the financial market we typically see banks, credit unions and others look for outside IT security audits when they reach an asset level of 100 million dollars or more. For private companies, this threshold is usually around 70 million dollars in annual sales.”
If you choose to utilize an internal auditor for your IT security, look for someone with an IT security skillset. Minimally, the person should have three or four years of IT technical experience–and his function should be segregated from the roles of in-house security technicians and administrators.
Some companies adopt the approach of training a financial auditor “on the job” in IT security audits. This is risky, because an individual with a financial background may not know all of the areas he needs to be concerned with when it comes to checking systems and networks for security. For this reason, larger companies that have internal audit teams have a separate audit team for finance/operations and a separate team that addresses IT.
Formal IT security certifications like the CISSP and CISP are also important as training and qualification criteria–but an non-credentialed individual who knows the ins and outs of the system and of IT security can be just as effective.
“In the end, companies are driven by regulations and financial incentives,” says Chontos-Gilchrist. “If there’s not a regulatory or financial incentive, companies will often do the minimum for their IT security. We’ve seen this in the large retail market, when the minimum is done until the regulator steps in. From a security standpoint, this is where regulations like Sarbanes-Oxley make a difference.”
When to conduct an outside IT security audit
Even large companies that have internal audit functions opt to perform IT audits using external experts. This is because a third party sees the networks with a fresh eye. The third party is up to speed on the latest security trends and regulations. It can suggest remedies for network and system weaknesses–and it can offer an objective perspective that is impossible to obtain from within the company.
“When we find a company that has issues in its IT security, it is often an IT staff training issue,” says Chontos-Gilchrist. “On the average, we only find about 20 percent of the companies that we audit are adequately prepared for the IT security responsibilities they are charged with.”
Minimizing the expense
Outside IT security audits cost money, and are frequently at risk when it comes to budget cuts. An IT security audit also does not offer a magical formula when it comes to measurable return on investment (ROI). Instead, IT audits are defensive measures. Audits are about prevention and detection, and sites should assess what is the worst thing that could happen if there is a security breach, and then present this to management as part of their risk mitigation strategies.
There are also other cost conservation strategies that can be applied to external audits.
Ask the external auditors bidding on your IT security audit to provide you with several options for the audit. Sometimes, it is possible to divide the work into phases, such as intrusion detection testing, or a separate policy and procedure review. This allows you to calibrate your security work to your budget and to pay as you go.
Finally, organize as much documentation as possible before the auditor arrives, and do what you can to have the documentation in electronic form. “The most efficient and cost-effective audits are those where the client has organized all of his security information and documentation into a single binder, or in a consolidated electronic format,” says Chontos-Gilchrist. “An electronic format for documentation is the best, because it allows your external auditor to perform quick searches on topics….In the end, an audit is about proving that a company is already doing what it is supposed to do. Well developed and well organized security documentation goes a long way in this process.”
When do you look to the outside for an IT security audit? Here is a list of 10 telltale signs:
* When there are new industry regulations your company will be subject to. New regulations to comply with mean tight deadlines for compliance. An outside regulator has already met with the compliance agency and has read through all of the documentation. If there is a massive regulatory mandate in your industry, you can pre-empt the possibility of a poor regulatory audit by having a third party auditor in beforehand to assess your networks, and to make recommendations on how you can bring networks and systems up to speed for the latest regulatory environment.
* When you need an outside assessment because there’s the possibility of internal compromise. Not only is security compromise bad–it is even worse when the company is aware of the possibility of internal fraud or compromise and does not seek outside help. Outside help is important because you need someone who is absolutely impartial to the entire audit fact finding process. You also could be held liable if you allow an internal person perform the audit who might have had a role in the system or network breach.
* When you want to check your internal security measures. Most ITers don’t enter the profession with the idea of becoming an internal IT security auditor. Instead, some grow into that position over time. Along the way, they have held (or still hold) other IT duties. Most pick up the security function along the way, and are not trained experts in security– although they might be the company’s “resident experts.” When first establishing your IT security function, it is smart to retain an outside auditor to review your system and to make recommendations. Even if you never engage another outside auditor, the expert review and recommendations will go a long way in setting the stage for your own security priorities.
* When you are large enough and have available budget. This is what most companies wait for–the budget for a third party security review. For financial institutions, this means an asset size of $100 million or better. For private sector companies, company size is generally around $70 million in sales or more. There are also many smaller organizations who opt for outside IT audits because of the information sensitivities of their businesses, or tight industry regulations that they must comply with.
* When you want strong security practices. Most companies don’t start out with IT security expertise on board. Obtaining an outside audit by a third party is an excellent way to get started. It will furnish you with a roadmap of what you need to do to optimally secure your systems and networks.
* When you bring on a new technology with high or unknown risk potential. Implementing a wireless network is a good example. Using an outside auditor to help you establish a security risk mitigation strategy prior to implementation is an excellent practice.
* When you have intellectual property or customer information protection requirements. If you are in these categories, you might also be tightly regulated. It is a good idea to conduct an external audit.
* When you don’t have internal resources. You can outsource your IT security audits, and still meet your security needs.
* When your business risk assessment dictates that you do something about security. If you do not have the resources to address the security shortcomings internally, you can hire an outside security firm or auditor to assist you.
* When you want to design for security. An external audit resource can assist you in developing security policies and procedures, and can provide security training to your IT staff.
Mary E. Shacklett is president of Transworld Data, a marketing and technology practice for technology companies and organizations.