The IT Security Review Part of the Yearly Financial Audit….
June 23rd, 2007 Drazen Drazic Posted in Dumb Security, Vulnerability Management |
All listed companies must be audited at least yearly by an independent Accounting Practice, but what is the relevance today for the IT Security review component that is generally tacked on as part of this Audit? Yeah, I know in the past the aim was to look at accounting systems controls and the like, but are these reviews still of value or are they potentially dangerous for some companies?
Let me clarify where I am coming from - I have yet to see a good job done by any of the large accounting firms undertaking such reviews. The danger to the client? The client accepting the results of the review as a true overall state of their security. And I don’t need to expand on why that is a big problem.
What’s brought this to mind is two recent examples we’ve run into at new clients where we’ve been called in, and how do I put this nicely... to double-check the work of the Big Auditing company. In previous years, the reports had been treated as gospel, and IT management and the CEO had believed that things on the security front were good. New staff joining in recent times in both places cast doubt upon the true picture, and thus the call to SA. Now this isn’t a plug for SA. It’s a plug for all good dedicated organisations who play in this space and have true expertise in their field.
Both organisations were shocked, to put it mildly, at the results of the subsequent review undertaken by us. From being secure (in their minds), both are now in a pretty bad way - as bad as it can be in some parts of the IT environment. I’ll leave it to your imaginations. On a positive note, they at least now know what they are up against and have a truer picture. Both now have a long roadmap of activity planned to get to a level of being secure.
Unfortunately, these two cases are not out of the ordinary. We still see it very often. In addition, I spent many years on the other side and dealt with the results of these external audits on behalf of the organisations I worked for at the time. It’s true to say that we (the IT Security and IT teams) saw these audits as a pain in the backside, a yearly joke that took up a valuable few weeks. The same big talk before the event, auditors locked up in a room for 2-3 weeks, interviews by junior staff who had no idea what the questions they were asking actually meant, and then glowing reports delivered that generally had no more than 1-5 findings and a big congratulations that we were just brilliant. Hmmm... far from it in reality. But we at least knew the true picture. Many organisations didn’t and still don’t.
Companies who have these audits done yearly need to discuss what they are actually getting from the audits with their Auditors. Auditors in return need to ensure that they clearly state what is going to be delivered and support that with caveats, warnings and definitive statements for the client. But in reality, in most cases, they just need to deliver a better job! Are most capable?


June 23rd, 2007 at 11:52 pm
Is it a basic flaw of human nature that something *really* bad needs to happen before anything is done to solve a problem ? I suspect in many cases, the answer is ‘yes’.
Spectacular examples of the “someone should really do something about this” syndrome include: the Space Shuttle Disaster, 9/11, the Granville Train Disaster, the Hindenburg, etc.
For a more recent example, look no further than the recent Australian Sea King Helicopter Tragedy. A long history of maintenance failures tragically led to the death of all 9 lives on board. The problem? A simple, missing split pin (a 50-cent part) that held the crucial cyclic pitch control links together.
The inquiry found *recurring* maintenance errors and procedures as the primary cause of the crash. And disturbingly, a previous crash inquiry 10 years ago recommended changes to seat harnesses, which had not been implemented.
A relative of the deceased later commented, “A tragedy like that had to happen before they made all these changes, you know. That is the tragedy, that is the tragedy of it.”
And for the rather predictable human response to the tragedy: “I am personally committed to the implementation of the board’s recommendations. I will accept nothing but the highest level of commitment from those under my command in this regard. I want to ensure that as far as possible, Defence is doing everything we can to prevent an accident of this nature from occurring again.” - Angus Houston, Chief of Navy.
Are there parallels between these highly publicised disasters and their contributing poor maintenance procedures, and lacklustre IT Security ‘Audits’? In other words, are companies waiting for something *really* bad to happen before they do something?
-Chappo.
June 27th, 2007 at 5:03 pm
And another thing on the topic of incentives for proper IT security audits….
“Security is 100% a matter of incentives. If the economic incentives aren’t aligned properly, even the best security solutions won’t be implemented. Align the economic incentives and security companies will fall over themselves trying to solve the security problem. In the computer world, I have long maintained that the correct incentives are liabilities. Software vendors need to be liable for insecure products. Organizations need to be liable if they expose our personal information. That’s the kind of economic incentive that will result in more security.”
- Bruce Schneier.
http://www.schneier.com/news-036.html