Auditing Organizational Information Assurance (IA) Governance Practices

Mansoor Faridi

Fort Hays State University

July 23, 2014

Table of Contents

Introduction

Proposed Concept

Review Approaches

Review of Feasibility

Conclusion

References


Introduction

This concept paper evaluates the feasibility of conducting a formal scientific study to audit an organization's information assurance governance practices. In today's computing environment, it is paramount to have sophisticated controls in place to safeguard organizational information while ensuring its Confidentiality, Integrity, Availability and Non-Repudiation [emphasis added]. Research indicates that in the absence of a robust security program, organizations expose themselves ("Open Security," 2014) to data breaches resulting in declining shareholder confidence, litigation and possible financial collapse.

Auditing an organization's information assurance governance practices will identify opportunities for improvement and provide an independent and objective assessment of the effectiveness of those practices. It will also enable the organization to comply with regulatory requirements, increase stakeholder confidence and strengthen its security posture in the face of numerous threats ("Ponemon," 2013).

As part of governance, it will be management's responsibility to engage either internal or external auditors to develop and execute an audit program evaluating internal controls relating to the organization's information assurance governance practices. Leveraging leading industry frameworks (Arora, 2013; "SOX-Online," 2012) such as COBIT, COSO, NIST, ITIL and ISO 27002, the audit program will assess organizational information assurance governance practices; its scope will include data governance, incident response, user training and attestation, and periodic reviews. Finally, a conclusion will be drawn to determine the feasibility of auditing an organization's information assurance governance practices.


Proposed Concept

With the passage of time, more and more data is being digitized, increasing organizational risk exposure. Globally, forty percent of the largest data breaches recorded occurred in 2013 ("Online Trust," 2014, p. 4). Hence, it becomes critical to maintain proactive vigilance over the organization's internal controls over information assurance via a formal audit program. The audit program will be developed after performing a comprehensive risk assessment ("United Kingdom," 2004, p. 3) to identify risks (see Appendices A & B) within the four aforementioned areas. Subsequently, as per the organization's risk management strategy, these risks will be accepted, mitigated, transferred or avoided ("United Kingdom," 2004, p. 24). Upon successful risk assessment, the audit program will be implemented to assess the effectiveness of internal controls. Following is a list of areas and the scope of audit coverage over internal controls:

Data governance

Is there a standard procedure for user-access provisioning?
Is user access periodically validated?
Are data custody and ownership defined?
Is data access logged and monitored?
Is data classified to indicate sensitivity and storage location?
Is a data retention policy defined?

Incident response

Are there protocols in place in case of a data breach?
Is there a communication/notification plan?
Is there effective coordination between key stakeholders and support personnel?
Are there disaster recovery and business continuity plans in place?

User training & attestation

Are users educated on their roles and expectations via the Information Security policy, seminars, online training, informational videos, brochures, etc.?
Are users required to attest to their participation in mandatory online training?

Periodic reviews

Was vulnerability testing performed?
Was penetration testing performed?
Was system hardening performed?
Was the evidence of this testing reviewed, approved and archived for audit purposes?

The design of internal controls in the above areas will be examined and tested for operational effectiveness over a period of time. Once the audit is concluded, management will be provided with a formal audit report detailing ineffective controls, the risk(s) posed and their impact, along with audit recommendations to bridge the identified gaps. Management will then review, approve and accept the audit report with a formal sign-off. The review approaches for these areas are discussed in detail in the next section.

Review Approaches

This section describes the audit program's review approaches, which will test internal controls relating to data governance, incident response, user training and periodic reviews. The program will determine the design and operational effectiveness of internal controls as follows:

Data governance

By examining relevant documentation, it will be determined whether there is a standard procedure to provision user access that requires the data owner to approve the requested access and the data custodian to provision the approved access. Alignment of data ownership and data custody will also be verified by reviewing documents detailing roles and responsibilities. It is to be noted that data ownership and data custody are assigned to different roles for segregation-of-duties purposes ("Separation of," 2014). It will also be determined whether this access was granted on the principle of least privilege (Langford, 2003), and whether user access is logged and monitored each time data is accessed and/or modified. It will also be examined whether data is classified appropriately, indicating data sensitivity, storage location and log details ("Online Trust," 2014, p. 10). Furthermore, the data retention policy will be reviewed to determine whether data will be destroyed when no longer required, as per the data management lifecycle and the legislation in effect ("Retention Period," 2014). Please note that the above controls relate to the capability to protect organizational data from unauthorized access and to the sending and receiving protocols in place; hence they satisfy both the Confidentiality [emphasis added] and the Non-Repudiation [emphasis added] aspects of information assurance governance practices.

Incident response

By examining the communication/notification plan, it will be determined whether there are protocols in place in case of a data breach. Evidence of effective coordination between organizational stakeholders and external support personnel (e.g., law enforcement) will be assessed based on periodic joint exercises simulating emergency drills. These drills will be confirmed by reviewing detailed reports listing date, time, venue, simulated scenario(s) and participants.

In addition, evidence relating to the execution of the Disaster Recovery Plan (DRP) and Business Continuity Plan (BCP) will also be examined ("United Kingdom," 2004, p. 35). The departments concerned will be expected to produce satisfactory evidence noting successful completion of the drill and any issues encountered. Since this area highlights the system's capability to provide access to network resources and data despite disruptive events or conditions, the above controls satisfy the Availability [emphasis added] aspect of information assurance governance practices.

User-training & attestation

Users will be expected to play a critical role in supporting the organization's information assurance governance practices. They will be expected to participate in both formal and informal learning activities (see Figure 1) by taking part in awareness, literacy, training and education sessions ("United Kingdom," 2004, p. 37). Each phase will have various activities within it; some of those activities will be audited. After completing each activity, users will be issued a certificate of completion, the record of which will be verified during the audit examination. For sampled users, records of completion for the various activities will be compared against the established benchmark to determine whether the minimum number of users have completed the mandatory training that enables them to effectively safeguard and protect organizational assets against possible abuse/misuse.

Figure 1. Information assurance learning continuum (Maconachy, Schou, Ragsdale, & Welch, 2001)

Finally, a user listing will be produced noting users whose compliance (vis-à-vis mandatory training) is below the acceptable threshold. Subsequently, each such user's manager will be notified and will be responsible for ensuring that the users successfully complete all required training sessions within an agreed-upon timeframe. Records of all completed training and audit activities will be examined to close audit findings, if any. This area highlights the emphasis on the user education continuum, preparing users to ensure that the organizational system is capable of providing services and processing data with the assurance that it is accurate and uncorrupted. This satisfies the Integrity [emphasis added] aspect of information assurance governance.

Periodic reviews

Records of system vulnerability testing will be examined to determine whether any gaps exist. (Based on vulnerability testing results, administrators are expected to close the gaps by addressing audit assertions. This is known as system hardening.)

Subsequently, the results of system hardening will also be examined to determine whether any gaps exist. In the event of reported gaps, the auditor will verify their successful closure. The audit will also examine the results of external penetration testing, which will help determine whether any gaps need to be addressed.

Where the organization is dependent on a service organization for its computing needs, the vendor will be requested to produce a Service Auditor's Report (Statement on Standards for Attestation Engagements (SSAE) No. 16) to determine whether all controls relating to the data center are designed appropriately and operated effectively over a period of time ("SSAE 16," 2014). It is important to note that when the organization chooses to engage a third-party vendor for its computing needs, its responsibility for governing security has not been removed; it is merely different (Kirkpatrick, 2011).

Please note that an SSAE 16 Type I report only describes the design of a control at a given point in time, whereas a Type II report describes the design of the control and its operational effectiveness over a period of time.

All of the controls detailed above will be examined in detail, and documentary proofs will have evidence of management review and sign-off. Absence of documentary evidence relating to the activities, tasks, or review and sign-off will lead to audit assertion(s). Audits will be planned as per the audit schedule and performed on a periodic basis.

Review of Feasibility

Management/stakeholder support (Anhal, 2002) is the main criterion for any governance program to be successful. This section discusses the feasibility of the concept presented, to determine whether it is feasible to conduct a formal scientific study to audit an organization's information assurance governance practices.

The feasibility is ascertained by breaking down the main concept into four main governance areas and then listing critical operational activities aligned with each of these areas. Each activity also lists internal controls that ensure its governance at a more granular level. Subsequently, review approaches relevant to each activity are listed along with corresponding audit activities.

The review approach describes the evidence to be examined for each internal control. It is also meant to assess the design and implementation of internal controls and comment on their operational effectiveness over a period of time.

In summary, based on the methodology presented above, it is feasible to audit an organization's information assurance governance practices.


Conclusion

This concept paper evaluates the feasibility of conducting a formal scientific study to audit an organization's information assurance governance practices. Four critical areas (data governance, incident response, user training and attestation, and periodic reviews) are examined to assess their suitability for inclusion in this study. The Confidentiality, Integrity, Availability and Non-Repudiation aspects of information assurance are also reviewed in this context. Corresponding review approaches for internal controls aligned with each aforementioned area are also discussed. Based on the discussion in conjunction with the review approaches, there is ample support for the feasibility of auditing an organization's information assurance governance practices.


References

Anhal, A. (2002). Information Assurance and Corporate Governance: Engaging Senior Management. SC Magazine. Retrieved July 22, 2014 from http://www.scmagazine.com/information-assurance-and-corporate-governance-engaging-senior-management/article/30725/

Arora, V. (2013). Comparing different information security standards: COBIT vs. ISO 27001. Unpublished manuscript. Carnegie Mellon University, Doha, Qatar.

Open Security Foundation. (2014). Data Loss Statistics [Data file]. Retrieved July 22, 2014 from http://datalossdb.org/statistics?utf8=%E2%9C%93&timeframe=current_year

Jaspal, S. (2011). Fraud Symptom 10 – Lapses in Information Assurance. Sonia Jaspal's RiskBoard. Retrieved July 22, 2014 from http://soniajaspal.wordpress.com/2011/09/30/fraud-symptom-10-lapses-in-information-assurance/

Kirkpatrick, J. (2011). Governance in the cloud. ISACA Journal, 5, 1-2. Retrieved July 22, 2014 from http://www.isaca.org/Journal/Past-Issues/2011/Volume-5/Documents/11v5-Governance-in-the-Cloud.pdf

Langford, J. (2003). Implementing Least Privilege at your Enterprise. SANS Institute InfoSec Reading Room. Retrieved July 22, 2014 from http://www.sans.org/reading-room/whitepapers/bestprac/implementing-privilege-enterprise-1188

Maconachy, W., Schou, C., Ragsdale, D., & Welch, D. (2001). A model for information assurance: An integrated approach. Proceedings of the 2001 IEEE Workshop on Information Assurance and Security, US Military Academy, West Point, NY, USA. Retrieved July 22, 2014 from http://it210web.groups.et.byu.net/lectures/MSRW%20Paper.pdf

Online Trust Alliance. (2014). 2014 Data Protection & Breach Readiness Guide. Retrieved July 22, 2014 from https://otalliance.org/system/files/files/resource/documents/2014otadatabreachguide4.pdf

Ponemon Institute LLC. (2013). 2013 Cost of Data Breach Study: Global Analysis. Retrieved July 22, 2014 from http://www.ponemon.org/local/upload/file/2013%20Report%20GLOBAL%20CODB%20FINAL%205-2.pdf

Retention Period. (2014). In Wikipedia. Retrieved July 22, 2014 from http://en.wikipedia.org/wiki/Retention_period

Separation of duties. (2014). In Wikipedia. Retrieved July 22, 2014 from http://en.wikipedia.org/wiki/Separation_of_duties

Sherwood, J. (2009). Historical Background: Information Assurance. SABSA Institute Community Forum. Retrieved July 22, 2014 from http://www.sabsa-institute.com/members/node/19

SOX-online: The Vendor-Neutral Sarbanes Oxley Site. (2012). Mapping COBIT to other guidance. Retrieved July 22, 2014 from http://www.sox-online.com/cobit_mapping.html

Speed, R. (2011). IT governance and the cloud: Principles and practice for governing adoption of cloud computing. ISACA Journal, 5, 1-6. Retrieved July 22, 2014 from http://www.isaca.org/Journal/Past-Issues/2011/Volume-5/Documents/11v5-IT-Governance-and-the-Cloud-Principles-and-Practice-for-Governing-Adoption-of-Cloud-Computing.pdf

SSAE 16 Overview. (2014). Auditing Standards Board. Retrieved July 22, 2014 from http://ssae16.com/SSAE16_overview.html

United Kingdom Cabinet Office. (2004). Information Assurance Governance Framework. Retrieved July 22, 2014 from http://www.sylviterma.com/Portals/0/resources/ia_governance_framework8ddbf733-48c5-4056-807b-42a756dd4b05.pdf