Computers & Security, 17 (1998) 34-41
Auditing The IT Security Function
Keith Osborne, ICL, Lovelace Road, Bracknell, Berkshire, RG12 8SN, UK.
0167-4048/98 $19.00 © 1998 Elsevier Science Ltd

Introduction
As many IT security functions are relatively new, it may be the first time that a formal audit of the IT security function has been undertaken. There is as yet little published material, either articles or reference guides, on the audit of the IT security function, so there may be little knowledge or experience on which to proceed. Another complication is that the IT security function may be staffed by former peer (IT audit) colleagues, which may give rise to unusual or difficult working relationships.

The audit of the IT security function should be the same as the audit of any other line function. Auditors will have a number of aspects that they will wish to examine. The principal interest will be to see whether the IT security function's approach is aligned with the five key pointers for effectiveness. From a management perspective, audit will want to determine whether the IT security function is effectively communicating IT security policies and requirements to the organization as a whole. On the technical side, audit will be interested in examining the IT security function's responsibilities for security products, both hardware and software, and seeing how effectively the function has defined its requirements, evaluated and selected products, and implemented them. As education, training and awareness are important responsibilities of the IT security function, audit will want to examine the public face of the IT security function, to see how outward facing the function is. The important point in a review or audit of the IT security function is that the review will be primarily a management review. In this respect, as with any other function, audit will be interested in aspects such as internal controls, cost-effectiveness and value-for-money.

Contemporary IT Security Functions
Today, an increasing number of organizations have separate IT security functions, though the presence of a separate IT security function is still the exception, rather than the rule - a recent survey showed that in UK organizations, less than a quarter had such a function. However, while there is an increasing (and noticeable) trend to have a separate IT security function, this trend is still comparatively recent - another survey showed that a third of identifiably separate IT security functions had been established for less than one year. Predictably, the development of such functions has varied across different sectors. As is to be expected, results from the survey showed that IT security functions predominate in the financial services sector, with almost three quarters of organizations in this sector having a separate IT security function.

An IT security function will vary in size between organizations - in some, it may be one person working part-time on IT security while undertaking other activities, particularly in IT, while at the other extreme there may be dedicated teams of IT security personnel, each tackling different security aspects. As IT security functions are often fairly new, they are often staffed by former computer auditors, as they have often had substantial experience of dealing with IT security issues. However, other sources of staff for IT security functions are: site and environmental security, risk analysts, contingency planning, fraud investigation, as well as IT. The activities of an IT security function will vary according to the type of organization - for example, whether the organization is in the public or private sectors, whether it is a financial or non-financial organization. The activities will also be related to the size of the organization - generally, the larger the organization, the larger the IT security function, and the wider the range of activities. It is not, however, always quite as clear-cut as that, as a smaller financial organization may have a larger IT security function than a larger non-financial organization.
Even though the activities of the IT security function will vary, according to the criteria of size and sector, as described above, there are a number of core activities that are likely to be found in most IT security functions. These core activities will include:
- IT security policy creation and maintenance.
- Risk assessment and analysis.
- IT security planning and strategy.
- Production and maintenance of IT security standards.
- IT security operations (key management, monitoring of logs).
- Product assessment, selection and implementation.
- IT security education, training, awareness and advice.
- Computer virus prevention, detection and resolution schemes.
- Ensuring compliance with laws and regulations.
- Vulnerability exercises: 'tiger' teams.
- Future threat identification.

It is important for management within the organization to be aware of the specific roles and responsibilities of the IT security function. Unless there is a clear recognition of the purpose of the IT security function, there will inevitably be a degree of uncertainty and confusion within the organization. This uncertainty and confusion may also be present in the IT security function itself. In either case, this will be detrimental to the effectiveness and performance of the IT security function. There is another reason why management - especially senior management - should be aware of the roles and responsibilities of the IT security function: IT security and audit are often still conducted by individuals who are not closely involved in either of these activities. This is, of course, partly historical: as shown above, the separation of IT security functions from composite computer audit functions which began in the 1980s is still continuing. It is certainly true to say that there are still organizations where IT security issues are tackled only by the computer audit function, and this is likely to subsist for some time yet.

In summary, the characteristic roles of the separate IT security function are:
- It is a line function.
- It has operational responsibilities.
- It may be part of the computing function.
- It maintains awareness of control weaknesses.
- It implements recommendations.
- It is subject to separate internal audit.
The roles of the IT security function differ significantly from those of the computer audit function. The principal difference is that IT security is a line (i.e. operational) function, whereas computer audit is not; it is a review and appraisal function. The position of the IT security function will be discussed later, but one of the roles that IT security will have in common with computer audit is that they will both need to be aware of weaknesses in control over computing systems and facilities. Like any other line function, IT security is responsible for implementing and taking action on audit recommendations. Finally, like any other line function, IT security is subject to internal (and possibly external) audit.

The positioning of the IT security function within the organization has been the subject of some considerable debate, which revolves around the question: should it be part of the overall IT function? The answer is: it depends. It depends on a number of factors, which include the size of the organization, the type of organization, the approach and culture of the organization, its attitude to risk, the maturity of the IT security function and the overall requirements of the organization. It is impossible to generalize about the location of the IT security function, save to state that it will be either within the overall IT function, or part of a control function, such as risk assessment, fraud, or investigation.
Major Aspects of IT Security Practice That Auditors Need to Consider
Earlier in the article a number of areas that are likely to be common to most IT security functions were given. This section will look at some of the more important aspects of IT security operations, and indicate why they are the most important aspects for auditors involved in the audit of an IT security function. There will be three areas considered: IT security policy; risk assessment, analysis and management; and training, education and awareness. IT security policy will be covered in some considerable detail, as it is, for the most part, the most important part of IT security practice for all IT security functions. The other two areas will also be examined in some detail, as all computer functions will also be undertaking these aspects. Wherever appropriate, references will be made to areas where there could be an impingement on the effectiveness of the IT security function, although these aspects will be covered more fully later.

IT Security Policy
IT security policy will be, for almost every IT security function, the single most important aspect of operations. This is because IT security policy, like any other policy of the organization, will determine all subsequent actions. Policy points the direction, and from policy follow procedures. An IT security policy will be a relatively concise document, which includes a series of more detailed sub-policies on specific topics, and devolving from these sub-policies will be various procedures. Overlying and constraining the procedures will be standards, which act as the boundaries within which procedures and products operate. Until an IT security policy is in place, and approved by senior management, any actions undertaken by the IT security function will always be less effective, because they will be outside an agreed framework for operating, and therefore may be subject to change or cancellation. To summarize, the need for an organization to have a formal, agreed IT security policy is to:
- Provide direction and understanding of IT security.
- Put in perspective risks to an organization's IT assets.
- Ensure that risks to IT assets are adequately and appropriately dealt with.
- Achieve the right level of IT security.
One of the major reasons - perhaps the major reason - why an organization may have ineffective IT security is because it does not have an IT security policy. Having examined the need for an IT security policy, it is pertinent to identify the functions of the policy:
- Explains to employees and others the need for computer security.
- Outlines the roles and responsibilities of management regarding IT security.
- Guides management on the selection, use and control of appropriate IT security products, procedures and standards.
- Explains the IT security concepts and methods to the professionals working in IT security.

The creation of an IT security policy is a major project and needs to be treated as such. Therefore, adequate resources, in terms of both time and manpower, need to be allocated to the security policy, as it is the major first step in ensuring that an organization does have cost-effective IT security. While an IT security policy would usually be created by the organization's IT security function, for an organization that does not have an existing IT security function, or where such a function is new, it may be appropriate to use computer audit resources to help in the creation of the policy. There will probably also be a need to involve various parts of the IT function, and, where there is little specialist internal resource available, it may be necessary to use external consultants. To gain maximum advantage, and to ensure that the developed policy maximizes the effectiveness of the IT security function, it is preferable that the policy is developed by a senior manager within the IT security function. The additional reason for having senior manager involvement is to give the policy a high profile, as well as to add weight and to ensure the profile of the policy within the organization is at a high level.

Apart from the involvement of the IT security function in developing the policy, there will be other functions involved - principally, but not exclusively, the IT function. As computing continues to devolve throughout organizations, away from a centralized IT function, the need for involvement by business functions in developing an IT security policy becomes more important. It is obviously necessary to understand the dependence of such business units and functions on computing, which will vary from function to function. Without their input, the effectiveness of the policy and hence the IT security function is reduced. It is imperative that the computing assets of the organization are known. Unless this is the case, the policy will be built on sand, and there could be a severe mismatch between good intentions expressed in the policy and what actually exists in the organization. For example, if the organization has important telecommunications networks, and the policy says nothing about telecommunications, the workings of the IT security function will be rendered less effective.

Following from this, it is important that the policy states how threats (to computing systems and facilities) will be identified, and equally, how such threats will be managed, in terms of avoidance, transfer and mitigation. It is not the purpose of this article to describe all aspects of an IT security policy in detail. However, as an IT security policy is probably the most important consideration in determining the effectiveness of an IT security function, the typical contents of an IT security policy will be summarized below. While it is difficult to generalize across organizations, experience has shown that for organizations that have cost-effective IT security, their IT security policies will contain most or all of the items detailed below.
Contents of an IT Security Policy
- Mission statement.
- IT security policy objectives.
- The scope of the policy.
- Who it is applicable to.
- What is covered by it (IT assets).
- Roles and responsibilities for IT security.
- Dependence of the organization on its computing assets.
- The threats to those assets.
- Use of risk assessment and analysis.
- How computing assets will be secured.
- The different controls that need to be in place.
- Classification of data/information.
- Physical security.
- Logical security.
- People aspects.
- Documentation.
- Implementing and achieving IT security.
Once the security policy has been created, it requires agreement across business functions. 'Business functions' means not just the IT function, unless there is no dependence on computing assets outside the IT function. This in itself can be a major logistical exercise, and the investigation of this will be a prime area for auditors involved in the audit of the IT security function. Once the policy has been agreed, it needs to be signed, supported and endorsed at the highest level, so that everyone in the organization can see and understand that it is an organization-wide policy, supported from the top. It is important to realise that once the policy has been agreed, two further aspects need to be considered. One of these is the implementation of the policy, and the other is the need to maintain the policy. The strategy and plans for the implementation of the policy are largely outside the scope of this article, except to note that to ensure the continuing effectiveness of IT security, there needs to be a mechanism to ensure that there is a demonstrable relationship between policy requirements and achieved practical implementation. The other aspect is that the IT security policy should not be static: it should change, according to changes in the organization. There will be a number of factors affecting the policy:
- Changes in information technology.
- Changes in the organization's structure.
- Changes in the organization's culture.
- Changes in control/security requirements.
Risk Assessment, Analysis and Management
The next major area to be considered is that of risk assessment, analysis and management (RAA). Some reference to this should be included in the IT security policy. Typically there will be numerous references to it. Essentially, RAA is about identifying the threats to computing assets, classifying those threats according to a range of criteria, and quantifying the threats in order to arrive at measured levels of risk. Included in this process will be consideration of vulnerabilities of computing assets according to the environments in which those computing assets are located. Until a formal RAA has been undertaken, it is meaningless to talk about protecting IT assets, as each IT asset will have a different level of risk allocated. Obviously, those IT assets with identified higher levels of risk will be deserving of higher levels of protection, and those IT assets with lower risk levels will only require lower levels of protection. One of the main factors in IT security practice that has historically led to ineffective ways of working has been the inappropriate levels of protection afforded to computer assets, e.g. high-risk assets being under-protected (causing potential exposures), and low-risk assets being over-protected (causing wasted expenditure). That is why undertaking a formal, structured RAA is so important, as it determines the translation of the IT security policy into working methods, procedures and products to ensure levels of protection of IT assets commensurate with their identified levels of risk.

Undertaking the RAA is often a continuous process, as IT (hardware, software, data, people and documentation) is constantly changing. There are numerous methodologies and products available to assist in the process, but it is often important to understand at the outset what the purpose of an RAA is, and what is expected from it. As with work involved with an IT security policy, undertaking an RAA involves considerable resources, and it is true to say that a substantial part of the activities of an IT security function are involved with undertaking RAA. For maximum effectiveness, it is very important for the IT security function to be able to demonstrate to senior management not only what the threats to IT assets are (the risk assessment), but also where those threats are coming from, how serious they are, and what the consequences might be if the threat occurred (the risk analysis). Additionally, to make this meaningful in business terms, a quantification of the threats is necessary.
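The two failure modes described above (high-risk assets under-protected, low-risk assets over-protected) are something an auditor can check mechanically against the IT security function's risk register. The following Python is an added example, not from the paper: the 1-5 likelihood and impact scales, the environment exposure adjustment, the protection bands and the sample register are all assumptions constructed for illustration; only the five asset classes come from the article.

```python
from dataclasses import dataclass
from typing import Dict, List

# The five classes of computing assets named in the article.
ASSET_CLASSES = {"hardware", "software", "data", "people", "documentation"}

# Assumed exposure adjustment by environment (not from the article): the same
# asset is taken to be more vulnerable at a remote site than in a data centre.
ENVIRONMENT_EXPOSURE = {"data_centre": 0, "office": 1, "remote_site": 2}


@dataclass(frozen=True)
class RegisterEntry:
    asset: str
    asset_class: str
    environment: str
    threat: str
    likelihood: int   # 1 (rare) .. 5 (frequent), before environment adjustment
    impact: int       # 1 (negligible) .. 5 (severe)
    protection: int   # 1 (basic) .. 3 (strong): protection actually in place


def risk_score(entry: RegisterEntry) -> int:
    """Assumed quantification: environment-adjusted likelihood x impact (1..25)."""
    exposure = ENVIRONMENT_EXPOSURE.get(entry.environment, 2)  # unknown env: treat as exposed
    adjusted_likelihood = min(5, entry.likelihood + exposure)
    return adjusted_likelihood * entry.impact


def required_protection(score: int) -> int:
    """Map a risk score to the protection level it warrants (assumed bands)."""
    if score >= 15:
        return 3
    if score >= 6:
        return 2
    return 1


def audit_register(register: List[RegisterEntry]) -> Dict[str, List[str]]:
    """Flag entries outside the five asset classes, and assets whose actual
    protection is below (exposure) or above (wasted spend) what their risk warrants."""
    findings: Dict[str, List[str]] = {
        "unknown_class": [], "under_protected": [], "over_protected": []
    }
    for entry in register:
        if entry.asset_class not in ASSET_CLASSES:
            findings["unknown_class"].append(entry.asset)
            continue
        needed = required_protection(risk_score(entry))
        if entry.protection < needed:
            findings["under_protected"].append(entry.asset)
        elif entry.protection > needed:
            findings["over_protected"].append(entry.asset)
    return findings


# Constructed sample register (illustrative values, not real data).
SAMPLE_REGISTER = [
    RegisterEntry("customer_db", "data", "data_centre", "fraudulent transaction", 3, 5, 1),
    RegisterEntry("payroll_server", "hardware", "office", "theft", 2, 4, 2),
    RegisterEntry("branch_pc", "hardware", "remote_site", "virus infection", 3, 3, 3),
    RegisterEntry("ops_manuals", "documentation", "office", "loss", 1, 2, 3),
    # Networks belong under "hardware" in the article's classification; this
    # mis-classified entry is here to show the register check catching it.
    RegisterEntry("wan_links", "network", "remote_site", "eavesdropping", 3, 4, 2),
]


if __name__ == "__main__":
    for category, assets in audit_register(SAMPLE_REGISTER).items():
        print(f"{category}: {', '.join(assets) or 'none'}")
```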
Training, Education and Awareness
The third major area in which auditors involved in the audit of the IT security function will be particularly interested is that of training, education and awareness. Organizations that have cost-effective IT security do so for a number of reasons which will be examined in the next section. One of the main characteristics of such organizations is that their IT security functions devote considerable resources to improving IT security awareness. IT security effectiveness is closely related to the efforts put into raising awareness about IT security within the organization. The more individual staff appreciate the need to practise an IT security 'culture', the more likely they will act in a way which minimizes the likelihood of breaches of IT security. In effect, they will act as individual devolved IT security functions - it is obvious that a (centralized) IT security function cannot be in every part of the organization at the same time. Thus, there are tremendous benefits for both the IT security function and the organization as a whole in undertaking IT security awareness 'campaigns', as well as more formal education and training. Awareness campaigns can take many forms, including information issued to all employees, workshops, management briefings, question and answer sessions, newsletters, articles in the organization's journal/newspaper, input to management circulars, discussion groups, and 'awareness days'. The more that staff understand about the need for IT security, the more that the organization as a whole will benefit, and the more productive the IT security function will be.
Reviewing and Auditing the IT Security Function for Cost-Effectiveness
There is another, more wide-ranging aspect of the IT security function to consider, and that is its cost-effectiveness. What is it that distinguishes one IT security function from another in terms of cost-effectiveness? Audit will be particularly interested to see to what extent the IT security function adheres to the five fundamental tenets of cost-effective commercial IT security. Many of the early IT security functions, particularly the 'pathfinders', concentrated on technical issues rather than business issues. While technical issues are important, the sense of proportion was often flawed. 'Technical issues' means areas such as cryptography, key management, and systems software - all of which are legitimate areas for IT security functions to consider and deal with. However, even with the presence of dedicated IT security functions, senior management was often unhappy about the amount of resources being used for what seemed to be a straightforward business demand: the protection of computing systems and facilities. Even with an IT security function, there were still breaches of an organization's security, some of them highly publicised. The highly publicised cases include those where computer fraud has been either attempted, or successfully perpetrated. In either case, the organization has attracted unwelcome and often embarrassing publicity. Financially, a number of organizations have also suffered considerable exposure where a computer fraud has been successful. Other highly publicised cases have involved outsiders 'hacking' into the organization's computers and computer networks - not necessarily at any financial cost to the organization, but nonetheless demonstrating the ease with which the organization's IT security could be breached. More recently, a number of organizations have also suffered IT security breaches by failing to comply with relevant legislation pertaining to computing systems and facilities.

As a result of instances such as these, senior management were - and still are - increasingly questioning the cost-effectiveness of their IT security functions. Their concern, succinctly put, was: "If we are resourcing an IT security function, why are we still suffering from IT security breaches, with possible serious adverse consequences for the organization as a whole? What is the IT security function doing, if it is not protecting our computing assets? Are we wasting our money having an IT security function?" It is important to keep the overall picture in perspective. By no means was every IT security function being questioned with regard to its cost-effectiveness. But there were sufficient similar concerns raised over a relatively short time scale to give grounds for legitimate concerns. In some organizations, senior management become concerned about the relative lack of cost-effectiveness of their IT security functions: resources are provided for such a function, and yet there are still breaches of IT security. The reason for this is that the approach taken by some IT security functions is flawed - they approach IT security from a technical perspective, rather than from a business perspective. This highlights the first pointer to cost-effective IT security: "IT security is first and foremost a business matter, and secondly a technical matter." For an IT security function to be effective, and to be seen to be effective, it is vitally important that this is understood.

One of the principal reasons why organizations may have poor cost-effectiveness in their IT security functions is because those functions have addressed IT security in technical terms first, and only considered the business issues subsequently. This is often manifest by IT security functions being over-concerned with issues such as encryption, at the expense of addressing more business-oriented issues such as ensuring that an IT security policy exists. The point to make is that technical issues can be important, but they should never take precedence over the business requirements. The second pointer towards cost-effective IT security is ensuring that the IT security function is aware of the organization's computing assets. To elaborate on the summary definition given earlier, the definition of computing assets is shown here.
Definition of the Five Classes of Computing Assets
1. Hardware: computers themselves; computer peripherals such as printers and disk drives; telecommunications and networks.
2. Software: both applications software and systems software, including operating systems and utilities.
3. Data, in whatever form it is held.
4. People involved in computing.
5. Documentation supporting computing activities.
All IT assets can be classified in one of these five groups. In the past, some IT security functions have not always put resources into encouraging awareness of the organization's computing assets, and inevitably this adversely affected their effectiveness. Today, it is even more incumbent on an IT security function to maintain current and accurate records of the organization's IT assets. The reason for this is that the bottom line for IT security functions is that they are protecting the organization's IT assets. For an effectively performing IT security function, the resources required to maintain the asset records will typically be 10% of the overall IT security manpower. This leads to the second pointer for cost-effective IT security: "Always know what the organization's current IT assets are."

Earlier, detailed consideration was given to the importance of audit understanding the IT security policy of an organization. Having shown how important it is, this leads immediately to the third pointer for cost-effective IT security: "Ensure that there is a formal, agreed, approved and supported IT security policy that is relevant to the organization's culture and requirements." In addition to stressing the importance of having an IT security policy, the need to undertake Risk Assessment and Analysis was noted. For the IT security function to be demonstrably cost-effective (and indeed, for the organization as a whole) it is imperative that resources for the protection of IT assets are allocated according to need - in this case, identified risk. Hence the fourth pointer for cost-effective IT security is: "Before spending any resources on protecting IT assets, ensure that the comparative risks to those assets have been identified, by undertaking a Risk Assessment and Analysis." Finally, those organizations that have cost-effective IT security have defined methodologies for the implementation and practice of IT security. The foremost amongst these methodologies is the layered (or 'onion-skin') approach. This gives the fifth pointer for cost-effective IT security: "Ensure that there is a clear and easily understood mechanism for translating the IT security policy into practice, and that there is a defined and preplanned methodology for the implementation of IT security procedures and products."

While the above pointers are not an infallible guide to the cost-effectiveness of an organization's IT security function, experience shows that those organizations that do abide by these five pointers do have, in the main, noticeably more cost-effective IT security than those that do not. In reality, of course, some organizations will abide by all five pointers, some by four, and so on. Audit will be particularly interested in the extent to which the IT security function adheres to these pointers.
Other Areas in the IT Security Function of Interest to Audit
In addition to examining the areas detailed earlier, computer audit may also be interested in other aspects of the IT security function - for example, in looking at the public face of the IT security function, to see how outward facing the function is, and whether it is effectively communicating its policies and requirements to the organization as a whole. On the technical side, computer audit will be interested in examining the IT security function's responsibilities for security products, both hardware and software, and seeing how effectively the function has defined its requirements, evaluated and selected products, and implemented them. This will, of course, be in addition to a review of the operational status of such products, which can include an evaluation of the effectiveness of the IT security function in identifying potential breaches and violations, and their subsequent investigation and resolution.

Keith Osborne is Principal IT Security Consultant with ICL. He provides both IT security and IT audit consultancy and training to a wide range of clients. This paper was first presented at Compsec '97, in London last November.