Improving the IT Security Audit Framework: Standards, Common Ground, and Strategic Alignment

Rolf von Roessing
Partner, Advisory, KPMG, Frankfurt, Germany

1 Introduction

2 Current State of IT Security and Related Audit Practices

As IT security has matured over the past years, practitioners and auditors are facing formidable challenges. The frequency and severity of security-related events are increasing, as are the time and effort spent on implementing countermeasures. Both the private and public sectors show a significant dependency on information technology in the widest sense, because electronic data repositories and the use of electronic devices have multiplied at all levels within an organisation. In practice, the pervasive nature of information technology has led to rapid advances in business IT, while the public sector has initiated comprehensive infrastructure projects to sustain the pace of change in Europe and elsewhere [1, 2]. On a global scale, the strategic significance of the IT environment as such has become decisive: the popular term “information warfare” [3, 4, 5] and subsequent exercises involving critical IT infrastructures highlight the fact that in the post-industrial countries of Central Europe, the presence of pervasive and all-encompassing information technology is a potential high-risk issue to be addressed.

In order to adequately control the aforesaid IT environment across countries and sectors, the audit paradigm has undergone various changes. While audit as such is quite simply the presence and activity of an impartial third party (the four-eye principle), concepts and implementation vary in accordance with regulatory frameworks, statutory provisions, and strategic priorities. Whereas large parts of IT audit activity in Europe are privatised, a proportion of specialised IT audit remains under government or semi-public control, for instance in the banking and finance sector.
Regardless of the legitimising sources or mandates, IT security audit has matured in line with the growth of IT environments in business and in government, as have the regulations and standards that support the auditor.

3 Audit-Related Problems in IT Security

The risks and threats now common in day-to-day business present a number of audit-related problems. In many practical cases, it is no longer feasible to perform full-scale, comprehensive audit procedures when facing a sufficiently complex IT environment. Hence, the degree of uncertainty increases and the reliability and assurance provided by an audit decreases. In practice, this can be illustrated by a straightforward example: a business or organisation is planning end-to-end security tests (perhaps penetration tests) against a set of 50 data centres. For safety and business continuity reasons, these tests are planned on weekends only. Given an average of 50 available weekends during a standard year, the security audit procedures compete with other activities (for instance, user acceptance testing, bringing new releases into production, etc.). Even on the assumption that unlimited audit personnel and unlimited budgets are available, it is doubtful whether adequate coverage of security testing could be achieved. If additional limits on audit resources are imposed – as would be expected in an environment of tight budgets and lean audit departments – the resulting audit programme will almost certainly have to apply a selection mechanism to optimise the trade-off between available audit targets and reasonable assurance.

Security and Protection of Information 2005 1

It follows that the traditional audit paradigm of retrospective, reactive procedures cannot be maintained. Modern audit practices are therefore proactive, relying to a large extent on pre-defined priorities and existing standards and frameworks, often combined with gradual self-assessments carried out by the audited organisation.

Here again, interesting problems arise with regard to the concept of “reasonable assurance” and the strategic selection of audit targets. In many cases, IT security audit programmes and procedures tend to rely on standards and commonly accepted frameworks. Historically, the number of proprietary and published security standards has increased by several orders of magnitude. Likewise, institutions and organisations offering security guidelines have multiplied. From an audit perspective, this poses the problem of identifying and applying an appropriate set of methods and tools. A secondary problem arising from the variety of standards is their inherent credibility and validity: as the security standardisation process has been elaborated at national and international levels, the number of standards to be acknowledged by the auditor has become difficult to manage. Again, a selection and optimisation mechanism is needed to provide the desired level of reasonable assurance with regard to the standards, regulations, and guidelines covered by an audit.

4 Scope of Paper

The following sections will first examine security standards, frameworks and regulations in IT security. This analysis serves as a first step towards identifying the underlying thinking and the fundamental audit objectives to be applied to the subsequent design and deployment of an audit programme. Having thus “set the landscape” for an IT security audit, the strengths and weaknesses of current audit models will be considered in terms of methods, models, and applicability. Having identified the “common ground” and the adequacy of audit models, strategic priorities (both in the private and the public sector) will be considered as key factors of influence.

5 Commonalities in Current Standards

Security standardisation has been the target of international initiatives for a considerable number of years.
While early standards were pragmatic in nature, often in the shape of simple “how to” documents, growing maturity led to a more formalised approach that eventually resulted in formal international recognition under the ISO process. Today, the ISO catalogue includes many managerial and technical IT security standards [6], and 2005 is likely to further extend the scope of normative publications. The fully formalised standard lends itself to direct application by the auditor, as requirements and evaluation criteria are well-defined and properly cross-referenced. As with the international accounting standards, the new IT security standards offer a comprehensive set of tools for full or limited security audit.

6 ISO Standards in Security

The available set of ISO security standards addresses both managerial and technical aspects of IT security. From an audit point of view, they may be used hierarchically. When applying the top-down principle to audit, the more general ISO documents [7, 8, 9] should be applied first. Subsequent audit procedures could then make reference to the standards of a more technical nature, for instance [10, 11]. It should be noted that part of the ISO documentation is published in the format of Technical Reports (TR), thus representing a less stringent and more indicative type of audit guidance.

Audit as a function and as an instrument of good governance is an in-built feature of all managerial ISO standards. [7] specifically requires the verification of compliance with external provisions, and mentions audit activities to be performed. [12] and [13] focus on techniques to apply when evaluating systems or IT environments. The task of auditing an existing implementation of systems, applications and infrastructure elements must not be confused with formal evaluations, as described in [9, 12, 13]. An evaluation, for instance under the Common Criteria, usually refers to the conceptual or certification level of information technology products. Only recently have the evaluation criteria been applied to operational environments, see [13].

Future developments are likely to elaborate on the basic security standards now in the public domain. The more specific normative content should be used for limited scope audits, or as a means of drilling down into specific technical questions often encountered in application or process control audits.

Standard | Security Management Perspective | Technical Security Perspective
TR 13335 | Guidance for the management of IT security / IT security techniques | offers some guidance in terms of applying technical security
TR 14516 | Use and management of trusted 3rd parties |
15408* | Common Criteria | product evaluation criteria, some technical guidance
TR 15443* | Framework for IT Security Assurance |
17799* | Code of practice for information security management |
TR 18044 | Information security incident management |
TR 18045* | IT security evaluation | related to 15408, some technical guidance
TR 19791* | IT Security assessment of operational systems |
24742* | IT Security metrics and measurements |
24743* | Information security management systems – requirements specification |
7064 | | Check character systems
9796 | | Digital signature schemes w/ message recovery
9797 | | Message Authentication Codes
9798 | | Entity Authentication
10116 | | n-bit Block cipher
10118 | | Hash functions
11770 | | Key management
13888 | | Non-repudiation
14888 | | Digital signatures w/ appendix
TR 15446 | | Protection profiles and security targets
15816 | | Security information objects for access control
15945 | | TTP for digital signatures
15946 | | Cryptography w/ elliptic curves
15947 | some management guidance with regard to intrusion detection | IT intrusion detection framework
18014 | | Time-stamping services
18028* | | IT network security
18031* | | Random number generation
18032 | | Prime number generation
18033* | | Encryption algorithms
18043* | | Deployment and operation of intrusion detection systems
19790* | | Security requirements for cryptographic modules
19792* | | Security Evaluation and Testing of Biometric Technology
21827 | SSE-CMM | SSE-CMM

Table 1: Overview of ISO security standards. * denotes new standards or updates

7 CobiT and Related Works

The Control Objectives for Information and Related Technologies [14] are the foundation for auditing IT in general, including systems security as a distinct control objective. As a mature audit framework, CobiT addresses related topics such as incident management, risk management or continuity of IT operations. Whilst providing an invaluable structuring aid for the IT auditor, the CobiT suite of publications does not in itself address security at a detailed level. It is supported by a systematic catalogue of other audit instruments: audit standards [15], the new security baseline [16], and the recently published controls paper in relation to the Sarbanes-Oxley Act 2002 [17] and the PCAOB standard no. 2 [18].

The main tool for auditing within CobiT and related documents is the CobiT set of Audit Guidelines. Procedures, tests and evaluation steps for security-related questions are found in several sections of the Guidelines. CobiT follows a uniform audit approach inasmuch as it maps the objectives, suggested audit steps and detailed audit procedures against the generic IT process model.
CobiT Document | Management Perspective | Audit Perspective
CobiT Executive Summary | general management guidelines on IT controls |
CobiT Control Objectives | | Definition and description of IT control objectives
CobiT Management Guidelines | Definition of management objectives |
CobiT Audit Guidelines | | Specific audit guidance related to Control Objectives
CobiT Security Baseline | general management guidance on IT security | Further information on control objectives related to security
Standards, Guidelines and Procedures for Auditing and Control Professionals | | Detailed documentation on specific security aspects

Table 2: Overview of CobiT documents

8 Other Standards and Regulations

Depending on the geography and the business (or strategic) objectives of the organisation, several other IT security standards may apply, for instance [19] in Germany and [20] in Austria. For reasons of space and clarity, this array of security standards, regulations and guidelines cannot be discussed in detail in an overview paper. However, most of these standards follow the generally accepted understanding of “security” in the widest sense. Differences prevail in the strategic outlook on security, for instance in military environments, and in the minimum levels of IT security required. The general perception of security is subject to several basic assumptions, such as the threat level, the profile of a technical attacker, or the expected business impact of a security violation. From the security auditor's point of view, this does not change the audit approach. Scoping and planning the audit programme may depend on the standards used as an audit benchmark. However, the tools and steps of a security audit remain essentially the same.

In contrast to normative standards, national and international regulations represent binding rules for both audit and management. While any audit activity will have to ensure compliance, regulatory provisions primarily address the desired security levels, often in terms of absolute statements. Where a regulation of this type prevails, it is often found that it requires complete and comprehensive IT security while refraining from giving any technical guidance. In the past, this has led to the frequently asked question “how much security do we need?”, and to the theoretical and practical development of “return on security investment” (ROSI) [21]. It is often the regulator itself whose audit activities provide the answer.

9 Common Ground

IT security standards seek to provide normative guidance and a systematic model of IT security in general. They further explain the management, enforcement, and evaluation of security-related issues, in order to provide both auditors and managers with a common understanding of the security terminology, the security processes, and the subsequent assessment of the situation against an ideal model. For the planning and deployment of an audit, the similarities and the “common ground” should be established in order to avoid duplication of work or gaps in the scope.

The top-down approach towards reviewing IT security in an organisation or across organisations is often based upon the CobiT framework, as this lends itself to defining the scope and the audit programme. CobiT as an audit-specific standard sets the scene for applying more specific standards. For instance, the auditor might decide to focus on security management, thus using the appropriate control objectives and taking into consideration the audit guidance given in the CobiT Audit Guidelines. However, more detailed questions of security management would best be addressed by the ISO standards specifically dealing with managerial issues. These steps will often lead to an iterative scoping: once an ISO standard has been selected, it is likely that clauses within this standard will extend the auditor's focus, for instance where ISO 17799 stipulates that business continuity management be addressed as part of IT security management. As a result, the originating control objective in CobiT must be revisited, a step that will often lead to the inclusion of further control objectives or CobiT audit procedures. Each iteration of this cross-comparison between standards will identify further pieces of what has been termed “common ground” in this paper.

The approach presented here applies to all standards and regulations, as well as to audit programmes or guidelines, for instance [22]. It is designed to address, from an audit perspective, all relevant aspects of IT security in different contexts.

10 Strengths and Weaknesses in Current Audit Models

IT security audit work is traditionally technical in nature. Security risks and threats are perceived as technical, hence the solution, as expressed by the auditor's recommendations, must by definition be technical. The risk-based audit approach includes technical vulnerabilities as well as the impact on financial statements, regulatory requirements, or operations. These individual dimensions of the review share the idea of compliance with rules, regulations or other pre-defined criteria. The situation as observed is matched against an ideal world of IT security that is expressed by the catalogue of audit criteria. The traditional audit model rarely allows for relative assessments, even where the concept of reasonable assurance is applied. Most IT security audit programmes therefore follow compliance thinking, often failing to recognise the relative significance of findings and recommendations.
From a managerial perspective, the audit results may be seen as too technical, too detailed, and failing to address the priorities derived from the organisation's objectives. While this traditional view of IT security audit may be limited by definition, it nevertheless represents a strong compliance model. Its weaknesses are apparent in that it is retrospective and difficult to adapt to dynamic process models of security, or of controls in a broader sense as described in [17]. It has therefore been developed into a shared audit model in which the organisation under review performs control self-assessments over IT security, complemented by a pre-defined independent audit programme. The ongoing audit activities, and the benchmarking against existing life cycles and related requirements, provide a higher level of effectiveness in a fast-changing IT security environment. At the same time, the robustness of conclusions decreases where self-assessment results are to be relied upon.

In many cases, continuous audit models are applied to IT security. The complexity of security-related technology and its implementation, combined with the need for security monitoring, leads to a higher potential risk and a higher business impact than in the past. As a consequence, the risk of not auditing security has increased considerably. In a continuous audit, the strengths of ongoing monitoring may be combined with the advantage of addressing security issues even before they arise. In contrast, the major weakness is the amount of resources required when deploying the audit programme.

11 Aligning Security Audit with Strategic Priorities

The purpose of the organisation and its process model determine where and how security is needed. It should be noted that this simple hypothesis is difficult to prove in large, complex organisations. The auditor's primary task is to identify and verify the security-critical elements of an IT environment. For the organisation being reviewed, criticality is seen in terms of its mission, purpose, or business success. More often than not, these two notions of criticality diverge considerably. The security mindset addresses specific threats and vulnerabilities, whereas the mission criticality mindset seeks to identify those areas of the organisation that will suffer major impacts in the event of a security incident.

This divergence leads to the problem of the optimised selection of audit targets, or audit areas. Under a limited budget, limited resource regime, the auditor must select the subset of the IT environment that will maximise the degree of security assurance. In order to align IT security with the overall organisational objectives, the audit scope should be based upon a business impact analysis (BIA) that clearly outlines criticality in terms of operational losses or other impacts [23]. Priorities defined by means of the BIA could be absolute (e.g. avoid loss of life at all cost) or relative (e.g. reduce the potential impact on sales, at reasonable cost) [24]. For the security-related IT infrastructure, such information will have to be obtained from other parts of the organisation, specifically senior management. Depending on the organisation's strategic priorities, the security posture may vary: risk-averse management practices emphasise prevention, whereas those with a higher appetite for risk may rely – in the extreme – on a comprehensive incident management capability. It is obvious that the resulting IT security strategy must be taken into account when addressing the optimised selection problem outlined above. An audit over IT security controls with an emphasis on preventive controls, formalisation and security processes may work well in a large organisation with a high maturity level, but not in an informal organisational unit whose purpose does not lend itself to formal IT security.
Strategic priorities therefore define the audit scope, its granularity, and the set of standards to be applied to individual aspects of security. The rigid, strictly formal audit against a single standard, for instance where certification to that standard is desired, will rarely be the appropriate audit perspective under a limited budget, limited resource regime. Only where IT security is seen as a certifiable value in itself can the traditional audit model be applied. Likewise, the retrospective, compliance-based audit is a prerequisite to satisfying broader criteria in formalised frameworks (year-end financial statement audit, controls audit in accordance with the Sarbanes-Oxley Act).

In the context of optimised selection and reasonable assurance, the priorities identified and quantified will determine the “interesting” audit targets as a function of operational impact and operational risk. The selected audit scope will therefore satisfy both managerial priorities and the minimum requirements that the auditor must apply. Once this overall alignment has been achieved, the audit programme can be designed in a manner that incorporates strategic priorities. These in turn will determine the “return on security investment”, as non-IT management will be able to directly compare the levels of security with the corresponding risk posture adopted by the organisation. The frequently asked question “what do I get out of security audits?” is much easier to answer if audit targets clearly address the primary risks to the organisation's mission and objectives.

In the practical example quoted above, the selection of data centres to be reviewed is simplified accordingly. Assuming that the planned IT security audit follows the fundamental audit objectives (confidentiality, integrity, availability, non-repudiation etc.), the relative importance of each objective is derived from the strategic mission or purpose of the organisation. The risk of breaches of confidentiality may be low, for instance where information handled by the IT environment is intended for later publication. The risk of security-induced integrity failures may be extremely high, for instance where financial statement data might be manipulated. This serves as an initial filtering criterion that is independent of any distinct IT elements. To the IT security manager, the application of such filtering criteria may at first sight be a difficult task – traditionally, security has been regarded as an absolute value by those handling it. Consciously accepting areas of “limited security” will go against the grain of what security specialists would expect. On a second look, the relative weighting of security objectives is less problematic. The audit approach must match these priorities: in the given example, the use of in-depth audit procedures to verify confidentiality may not be appropriate if confidentiality has been identified as a low strategic priority.

Another example, taken from an entirely different context, illustrates how strategic priorities will radically change the auditor's perspective: consider two organisations, one of which is subject to an IT-based due diligence audit. The managerial objective is to determine how well the IT environments fit together, both in terms of technical feasibility (the security levels found in both organisations) and financial attractiveness (the investment required to adequately integrate both IT environments). If the traditional audit model were applied, the audit report might contain several sections on integration and observations on multiple security weaknesses in the target IT infrastructure. From a strategic point of view, these security weaknesses are of limited relevance: the organisation carrying out the due diligence review may decide at any point not to pursue the integration, due to the cost of integrating two separate environments. Security weaknesses, although identified, are less likely to be the predominant rationale for such a decision. It is much more likely that the cost of change, the technical integration challenge, and other factors will influence the decision. A similar set of strategic priorities is usually applied when deciding on IT outsourcing or selecting a service provider. Again, the question to be answered by the audit is not determined within the IT security audit framework: it is answered in a managerial, strategic context that uses IT security as a means to an end.

Notwithstanding the managerial perspective and its expectations with regard to audit, it is nevertheless necessary to include any “absolutes”, specifically regulatory requirements, in the strategic equation. As much as senior management may wish to obtain operational information, prevailing legislation and regulations often present an objective set of criteria that cannot be neglected in the audit scope and programme. When conducting the strategic impact analysis and evaluation of what is important in security, it is suggested here that any external requirements be treated as “absolutes” in the sense of [24]. It should be noted that even in the context of these formalised criteria, management often retains some discretion as to the actual implementation, for instance when ensuring a certain level of security.

Having thus aligned the strategic priorities for the audit scope and the resulting programme, the auditor will be enabled to select the appropriate standards and frameworks to be applied. The commonalities in these standards, as outlined above, can be utilised to further increase efficiency. In this way, every element of the IT security audit has been realigned and derived directly from the strategic objectives of the organisation being reviewed.
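The optimised selection problem described in this section, worked through as an added example that is not part of the paper: each audit target (a data centre from the 50-data-centre example) carries a risk rating per fundamental audit objective and a cost in test weekends; the organisation's strategic priorities weight the objectives; regulatory “absolutes” are always kept in scope; and the remaining weekends go to the subset of optional targets that maximises weighted assurance. All target names, ratings, priority weights and the budget are constructed sample values, and the scoring model (weighted sum over objectives, exact 0/1 knapsack over weekends) is one possible formalisation, not one the paper prescribes.

```python
"""Priority-weighted selection of audit targets under a weekend budget.

Added example, not code from the paper. Every target, rating, weight and
budget below is a constructed sample value.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

OBJECTIVES = ("confidentiality", "integrity", "availability", "non_repudiation")


@dataclass(frozen=True)
class AuditTarget:
    name: str
    weekends: int            # cost: test weekends this target consumes
    risk: Dict[str, int]     # 0..5 rating per audit objective (constructed)
    mandatory: bool = False  # regulatory "absolute": never traded away


def _risk(c: int, i: int, a: int, n: int) -> Dict[str, int]:
    return dict(zip(OBJECTIVES, (c, i, a, n)))


# Constructed sample portfolio of data centres (hypothetical names).
TARGETS: Sequence[AuditTarget] = (
    AuditTarget("DC-Finance", 3, _risk(2, 5, 3, 4), mandatory=True),  # financial statement data
    AuditTarget("DC-Web-Publishing", 2, _risk(5, 2, 4, 1)),
    AuditTarget("DC-HR", 2, _risk(5, 3, 2, 2)),
    AuditTarget("DC-Logistics", 3, _risk(1, 4, 5, 2)),
    AuditTarget("DC-Archive", 1, _risk(4, 1, 1, 1)),
    AuditTarget("DC-Payments", 4, _risk(3, 5, 5, 5)),
)

# Two constructed priority profiles. A publisher weights confidentiality low
# and integrity high; an organisation handling confidential data does the reverse.
PUBLISHER_WEIGHTS = dict(zip(OBJECTIVES, (0.1, 1.0, 0.6, 0.4)))
CONFIDENTIAL_WEIGHTS = dict(zip(OBJECTIVES, (1.0, 0.5, 0.3, 0.2)))


def weighted_assurance(target: AuditTarget, weights: Dict[str, float]) -> float:
    """Assurance gained by auditing one target: priority-weighted risk.

    A low-priority objective contributes little even where its technical risk
    is high, which is the relative weighting of objectives described above.
    """
    return sum(weights.get(obj, 0.0) * target.risk.get(obj, 0) for obj in OBJECTIVES)


def select_targets(targets: Sequence[AuditTarget], weights: Dict[str, float],
                   budget_weekends: int) -> Tuple[List[str], int, float]:
    """Return (selected names, weekends used, total weighted assurance).

    Mandatory targets are taken first; if they alone exceed the budget the
    plan is infeasible, because absolutes cannot be traded away. The optional
    targets are then chosen by an exact 0/1 knapsack over the remaining weekends.
    """
    mandatory = [t for t in targets if t.mandatory]
    used = sum(t.weekends for t in mandatory)
    if used > budget_weekends:
        raise ValueError(f"mandatory targets need {used} weekends, budget is {budget_weekends}")
    optional = [t for t in targets if not t.mandatory]
    remaining = budget_weekends - used
    # best[w] = (assurance, chosen optional indices) using at most w weekends
    best: List[Tuple[float, Tuple[int, ...]]] = [(0.0, ()) for _ in range(remaining + 1)]
    for i, t in enumerate(optional):
        gain = weighted_assurance(t, weights)
        for w in range(remaining, t.weekends - 1, -1):  # descending: each target at most once
            candidate = best[w - t.weekends][0] + gain
            if candidate > best[w][0] + 1e-9:
                best[w] = (candidate, best[w - t.weekends][1] + (i,))
    chosen = mandatory + [optional[i] for i in best[remaining][1]]
    total = sum(weighted_assurance(t, weights) for t in chosen)
    return [t.name for t in chosen], sum(t.weekends for t in chosen), total


def plan(weights: Dict[str, float], budget_weekends: int) -> Tuple[List[str], int, float]:
    """Select from the constructed sample portfolio under the given priorities."""
    return select_targets(TARGETS, weights, budget_weekends)


if __name__ == "__main__":
    for label, weights in (("publisher", PUBLISHER_WEIGHTS), ("confidential", CONFIDENTIAL_WEIGHTS)):
        names, used, total = plan(weights, 8)
        print(f"{label}: {names} uses {used} weekends, assurance {total:.1f}")
```

Running the block with a budget of 8 weekends shows the point the section makes: under the publisher profile the scarce weekends go to the integrity- and availability-heavy targets, while under the confidentiality profile the same portfolio and budget yield a different selection, with the mandatory finance target kept in scope both times.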
12 Conclusions

The growing importance of IT security as a professional field has given rise to similar developments in IT audit. Where traditional financial audit has historically been restricted to reviewing security compliance, an improved audit framework must incorporate additional criteria and a strategic vision. As IT security is often a prerequisite to the organisation's mission or purpose, the strategic priorities form the foundation for determining the audit scope and the audit programme.

As a result of the complexity often intrinsic to modern IT security environments, management and audit have undergone a process of specialisation, with a corresponding tendency towards standardisation. The recent developments in the ISO standardisation process support this conclusion, since both managerial and technical standards expand into a larger framework. Likewise, the ongoing development of the internationally recognised CobiT framework for IT controls and IT audit suggests that security audit is strategically significant. Despite the emergence of multiple national and international standards, a marked degree of convergence is visible, enabling the auditor to utilise the “common ground” found across standards and regulations. In future, it will no longer be sufficient to apply one single standard to an audit. Notwithstanding the conceptual starting point in managerial standards, the auditor must derive the areas where more detailed technical standards should be applied in order to support the audit programme.

Auditors in IT security find themselves in a position where security-related reviews are no longer an adjunct to financial audit. The security of an IT environment plays an increasingly important role in multiple contexts, some of which are more strategic than financial in nature. As a consequence, variable audit models have taken hold, extending the paradigm of the retrospective, point-in-time audit. Self-assessments, continuous audit and other models serve the purpose of optimising the selection of audit targets under limited resource, limited budget conditions. They further optimise the audit programme and the detailed procedures in order to provide reasonable assurance within the given set of strategic priorities.

Current developments have already improved the general framework for IT security audit. Standardisation, enhanced alignment with strategic priorities, and the emergence of new areas of specialisation will further strengthen the auditor's role as an impartial and independent provider of security assurance. While the present audit standards may show some weaknesses in terms of addressing the growing needs of the IT security community, the initiatives outlined in this paper nevertheless demonstrate that security audit is embedded in a functioning maturity model, leading to continuous improvements.

References

[1] eEurope 2005 initiative of the European Union (various publications).
[2] Marsh, R. T. Critical Foundations – Protecting America's Infrastructures: Report of the President's Commission on Critical Infrastructure Protection, 1997.
[3] Schwartau, W. Information Warfare: Chaos on the Electronic Superhighway. 1st ed., New York: Thunder's Mouth Press, 1994.
[4] Washington, D. W. “Onward Cyber Soldiers”, in Time Magazine, vol. 146, no. 8, August 1995.
[5] Cerny, D. Information Warfare – eine neue Bedrohung für Staat und Wirtschaft? [Information Warfare – a new threat for state and economy?]. Bonn: Bundesamt für Sicherheit in der Informationstechnik, 1997.
[6] www.iso.org
[7] ISO 17799 Information Technology: Code of Practice for Information Security Management.
[8] ISO TR 13335 Security Techniques.
[9] ISO 15408 “Common Criteria”.
[10] ISO TR 18044 IT Incident Management.
[11] ISO 24742 ISMS Metrics (draft).
[12] ISO 18045.
[13] ISO 19791 Security Evaluation of Operational Systems.
[14] Information Systems Audit and Control Association. CobiT – Control Objectives for Information and Related Technologies. Rolling Meadows: ISACA, 2002.
[15] ______. IS Standards, Guidelines and Procedures for Auditing and Control Professionals. Rolling Meadows: ISACA, February 2005.
[16] ______. CobiT Security Baseline. Rolling Meadows: ISACA, 2005.
[17] IT Governance Institute (ITGI). IT Control Objectives for Sarbanes-Oxley. Rolling Meadows: ITGI, 2004.
[18] PCAOB Standard no. 2.
[19] Bundesamt für Sicherheit in der Informationstechnik (BSI). IT-Grundschutzhandbuch [IT Baseline Protection Manual]. Bonn: BSI, 2004.
[20] A-SIT. Österreichisches IT-Sicherheitshandbuch [Austrian IT Security Manual]. Vienna: Austrian Centre for Secure Information Technology (A-SIT), 2001.
[21] Karofsky, E. Return on Security Investment: Calculating the Security Investment Equation, in Secure Business Quarterly, vol. 1, no. 2, 2001.
[22] Federal Financial Institutions Examination Council (FFIEC). Information Security IT Examination Handbook. FFIEC, December 2002.
[23] Rössing, R. v. Betriebliches Kontinuitätsmanagement [Business Continuity Management]. Bonn: MITP, 2005.
[24] ______. A Quantitative Decision Support Model for Security and Business Continuity Management, in Paulus, S. et al. (eds) Securing Electronic Business Processes. Proceedings of the Information Security Solutions Europe 2003 Conference. Wiesbaden: Vieweg, 2004.