Saturday, April 26, 2008

IT Assurance Framework

IT Assurance Framework (ITAF), a professional practices framework for IT assurance, is a new product from ISACA: a ~70-page PDF document.

"ISACA has tapped its global network of leading IT governance, control, security, and assurance experts to develop a widely embraced framework to help ensure the quality, consistency, and reliability of IT assessments. ITAF also contains a helpful set of good practice-setting guidelines and procedures."


The ITAF content is largely a repackaging of existing ISACA standards and guidelines in the areas of IT audit, assurance and governance. I'm pleased also to note that the ISO27k standards merit a mention.

ITAF is free to ISACA members, $45 for infidels.


Friday, April 25, 2008

Canadian audit resources

The Auditor General in Manitoba has released high-level guidance on the role of audit committees, the need for 'legislative' (legal compliance) audits and more on their website. They also offer some basic advice on policy development.

PS Sorry for the long blogging pause - I've been at an ISO conference in Kyoto.


Friday, April 04, 2008

BT uses spyware to audit broadband use

BT has admitted to secretly using spyware to monitor the web surfing habits of tens of thousands of its British broadband customers. According to BT, this was merely a technical trial. Allegedly no personal data were collected since machines were identified "by anonymous code numbers" (presumably IP addresses - hardly anonymous) and content keywords were recorded, not website addresses (so what? It's still unethical and possibly illegal interception in my book).


Tuesday, April 01, 2008

Malware blamed for supermarket data breach

A supermarket security breach late last year/earlier this year compromised over 4 million credit/debit cards and led to thousands of fraudulent transactions. The breach has been blamed on malware on the store's servers. The fact that the store systems were PCI DSS compliant, apparently, doesn't exactly inspire confidence in the system of independent security audits but on the other hand it's a reminder that malware is an omnipresent threat.


Thursday, March 27, 2008

New module on IT audit

IT audit is probably not one of the first topics you'd think of when planning a security awareness program but it does add value. The latest batch of awareness materials from NoticeBored explains what IT auditors do, what interests them and how they work. If your only experience of IT audit has been SOX (Sarbanes-Oxley) work, you have a lot to learn!


Thursday, February 07, 2008

BCP auditing the IIA way

"During their planning cycles, many companies around the world evaluate how prepared they are to handle disasters as well as the effectiveness of their business continuity and disaster recovery plans. As part of this process, internal auditors can help organizations establish effective business continuity management (BCM) programs. To do this, auditors need to understand what is involved in developing a BCM program and the steps they should take to evaluate the effectiveness of existing programs that incorporate necessary business continuity, disaster recovery, and crisis management efforts."


I'd like for you to be able to read what the Institute of Internal Auditors, or more precisely author Mark T Edmead of Control Solutions International, advises IT auditors to look for when reviewing business continuity arrangements. Unfortunately, the IIA article has dropped off the Web in the past few days. Sorry.

Mark's advice is sound but stops well short of the audit-style Internal Controls Questionnaire provided in this month's NoticeBored security awareness module. Still, it validates and summarizes the approach detailed in our ICQ and is an interesting piece.


Tuesday, December 11, 2007

PCI DSS audit accreditation

An Australian security consultancy's blog entry on their failure to win PCI DSS audit assignments ably demonstrates a severe conflict of interest in this market. They have been losing out to competitors who promise to complete the audits much quicker and (implicitly at least) to certify the client compliant. The commercial pressure is clear: the process of applying and qualifying to become a PCI DSS auditor is expensive in both time and $$$$. If auditors who intend to audit clients properly against the standard consistently lose bids to those who (allegedly) will do a superficial audit and pass the client almost regardless of the findings, then they will eventually face a tough choice: uphold their principles, or compromise them just to recoup their costs and stay in business.

The same pressures occur with other certifications and are generally handled by a rigorous accreditation process whereby certification auditors are carefully assessed to determine their suitability and rigour. I wonder whether PCI DSS has this? Are PCI DSS auditors re-assessed from time to time? Does the PCI consortium check the quality of their assessments, for example by independently re-auditing certified PCI compliant merchants to confirm whether they are truly compliant? If not, I doubt that the PCI DSS scheme warrants the confidence level it currently enjoys.


Wednesday, November 21, 2007

One in two Brits at risk of identity theft, admits HM Government

After two CD-ROMs containing personal data on 25 million Brits from Her Majesty's Revenue and Customs failed to arrive at the National Audit Office, questions were asked in Parliament. Yes, AFTER the event.

Both the BBC and the Grauniad report on the "gasps of astonishment" from MPs when told of the incident. Given the British tendency for understatement, this is about as close as you'll get to a public expression of outrage.

The officials who posted the CD-ROMs evidently did not "follow procedures". If the data hadn't been going to the auditors, there is a very good chance we would never have heard about this incident ... but I can't help asking whether the NAO would have created a stink if the CDs had simply turned up in the ordinary post, instead of being sent by a secure courier. I'd be willing to bet that all sorts of juicy stuff turns up in their mail and email every day, but I can't recall seeing them jumping up and down about the risk.

Whether Chancellor Alistair Darling swings for this is presumably in Her Majesty's hands. I believe the death sentence is still on the cards for treason in the UK. Now that's what I call accountability.


Monday, November 19, 2007

Singapore sling

Here's a sad tale of woe. A good friend of mine in Singapore is suddenly facing redundancy through absolutely no fault of her own. Her employer is simply cutting costs, slashing the workforce it seems without considering their employees' net value (i.e. business benefits created less salary and other expenses). What makes this really sad is that the organization in question is a bank that really ought to have a better idea of basic economics.

So, if anyone out there in Blogoland knows of Singapore-based/regional openings for a highly qualified and experienced IT auditor cum information security manager cum IT governance expert, and understands that value equation, do please get in touch with me (email Gary@isect.com). My friend has a CISSP (with the ISSMP concentration), CISM, CISA and 2 decades in the field with globally-renowned financial services companies. She is also one of the most gracious, friendly and genuinely committed individuals I know. It's hard to think of a better definition of "asset".


Tuesday, October 30, 2007

ITCi Journal

The IT Compliance Institute's journal should be on your reading list if compliance is on your radar screen. The Fall 2007 issue has good articles on ISO/IEC 27001 & 27002 vs. NIST's SP 800 series, symmetric encryption key management and eDiscovery.

The piece 'Holding auditors accountable for data security' is not about making internal auditors accountable for the organization's information security, but rather about the obligations on external auditors to secure privileged information they obtain during the course of audits. For a while it seemed de rigueur for big name auditors to lose laptops containing confidential client information but I can't recall any similar breaches since about 18 months ago. Did the audit firms clean up their act, or are these stories no longer newsworthy? Being of a cynical nature, I suspect the latter. Anyway, the article advises great caution when handing highly sensitive business records to the auditors, for example requiring that they are reviewed on-site and not taken away. I can almost feel the wave of horror passing across any auditors in the audience! If the organization has a strong information security policy, perhaps in response to its compliance obligations under SOX and PCI DSS, management should indeed be extremely cautious about handing information to any third party. On the flip side, though, the auditors need to be able to do their jobs and won't appreciate (further) constraints, although I guess they may just 'add it to the bill'. It is not unreasonable to insist that security compliance, confidentiality and liability aspects are incorporated in suitable clauses in the audit contract, for example by insisting that the auditors should be ISO/IEC 27001 certified. In fact, why not have your CEO formally express the importance of information security to the audit team before they start work? That's one way to make an impression ...


Sunday, October 07, 2007

Boeing sacks whistleblower

A press report about Boeing firing an IT auditor for blowing the whistle on alleged mishandling of SOX compliance work by Boeing's IT Department is troubling on a number of levels:

1. If the allegations are true, Boeing may have internal control problems affecting its governance, financial accounting systems and/or reporting.

2. Nothing else matters as much as the truth of point 1.

Instead of firing the auditor, Boeing management should face up to the charge and clarify their position. Control problems that are acknowledged can be fixed. Sweeping things under the carpet, shooting the messenger of bad tidings and intimidating his (former) colleagues is hardly 'facing up'.

Auditors are professionally obliged to act in the best interests of their employers or clients. On rare occasions, this includes blowing the whistle on malpractice or incompetence. If employers/clients can simply dismiss whistleblowers, it is a very brave (and self-confident) auditor who has the nerve to speak out and risk losing his/her job ... so the question comes down to whether we believe in the professional integrity and ethics of the auditor or that of the employer/client. An honest disclosure of the facts of the alleged control issue will surely resolve this one way or the other?


Saturday, August 18, 2007

Security awareness success in the US Army

Details of audits of US Army websites and blogs run by soldiers, disclosed under the Freedom of Information Act, reveal that far more security policy breaches occur on official Department of Defense websites than on blogs. The audits were conducted by the Army Web Risk Assessment Cell, a special unit with a remit (evidently) to minimize unauthorized disclosure of sensitive military information via the Web.

It seems to me the Army was absolutely right to highlight the information security risks relating to blogging. I believe the audit results reflect the outcome of a highly successful security awareness program. If this issue had not been addressed so effectively, I'm convinced there would have been far more noncompliance issues, in other words this is a lesson to us all.

In respect of security awareness programs and policy compliance, 'the military' have a significant advantage over most of us in that the workforce is specifically trained to respect authority and follow orders - or at least, that is the classical view. In fact, I understand modern soldiers are increasingly being taught to think for themselves and operate autonomously, albeit within a highly structured (literally 'regimented') operating framework and, when necessary, at gunpoint. The traditional approach to the blogging security issue would presumably have been to send out an order banning blogging. What actually happened was more subtle: Army bloggers were instructed to register their blogs with commanding officers and pre-clear what they publish. 'Blog responsibly' is a rather softer message but the audit results seem to indicate its effectiveness in this situation.


Friday, July 13, 2007

Boeing insider charged

A remarkable insider threat story involves allegations that an auditor at Boeing systematically trawled the network for sensitive data, copied it to a USB memory stick, took it off-site and disclosed it to newspaper reporters.

"A disgruntled Boeing employee was charged Tuesday with 16 counts of computer trespass for allegedly stealing more than 320,000 company files over the course of more than two years and leaking them to The Seattle Times. Gerald Lee Eastman, who was a quality assurance inspector at Boeing at the time of the thefts, is slated to be arraigned on July 17, according to a spokesman for the King County Prosecuting Attorney's Office. He faces up to 57 months in prison if convicted on all counts ... Eastman used what prosecutors called his "unfettered access to Boeing systems" to download large amounts of data from information stores he had no legitimate reason for accessing, according to the criminal complaint."


The article claims that the man was aggrieved at Boeing:

"The complaint noted that Eastman told detectives he was disgruntled with Boeing because he had brought several issues related to parts inspections to the attention of both the company and the FAA. He said none of his concerns had been addressed to his satisfaction. The report contends he said he collected data to back up his claims that there were problems with the inspection process."


If that's true, passing proprietary information to the news media seems a rather unconventional way for an auditor to 'blow the whistle'.


Sunday, June 24, 2007

EDPACS - The EDP Audit, Control, and Security newsletter

Now in its 35th year, EDPACS is the world's longest running IT audit newsletter. Published monthly, the newsletter supports the audit and control community with highly-regarded guidance in the fields of audit, control, and security. In addition, EDPACS regularly explores current and emerging issues around IT governance.

Unlike most of the glossies in this field, EDPACS is a peer-reviewed professional journal which means high quality articles with next to no marketing spin and fluff. All meat and no fat makes for good brain food.

Disclaimer: my pal Dan Swanson is EDPACS' new Editor in Chief and I'm on the editorial board. I'm just putting the finishing touches to an article on computer auditing for submission to EDPACS shortly and, yes, my piece has been reviewed and improved by Dan and the other editors just like anyone else's.


Tuesday, June 05, 2007

A little something to browse over lunch

"Today’s information systems are incredibly complex assemblages of hardware, software, firmware, and people, all working together to provide organizations with the capability to process, store, and transmit information on a timely basis to support various organizational missions and business functions. The degree to which organizations have come to depend upon these information systems to conduct routine and critical missions and business functions means that the protection of the underlying systems is paramount to the success of the organization. The selection of appropriate security controls for an information system is an important task that can have major implications on the operations and assets of an organization as well as the welfare of individuals. Security controls are the management, operational, and technical safeguards or countermeasures prescribed for an information system to protect the confidentiality, integrity (including non-repudiation and authenticity), and availability of the system and its information. Once employed within an information system, security controls are assessed to provide the information necessary to determine their overall effectiveness; that is, the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. Understanding the overall effectiveness of the security controls implemented in the information system is essential in determining the risk to the organization’s operations and assets, to individuals, to other organizations, and to the nation resulting from the use of the system."

... so starts the latest and greatest draft of NIST SP 800-53A "Guide for Assessing the Security Controls in Federal Information Systems - Building Effective Security Assessment Plans". What a neat way to sum up the whole of information security in just one paragraph!

The standard essentially comprises a large audit checklist for checking a broad range of information security controls against good practice advice in NIST SP 800-53, FIPS 200 and other standards (including ISO27k), topped-and-tailed with background/context, explanation, glossary and references. Being a typical NIST SP, it is well-written and comprehensive.

NIST is seeking feedback on the draft. I'm currently skimming my copy and scribbling a few notes while eating my lunch 'al desco'. We have until the end of July to respond but I'm sure project leader Ron Ross would appreciate comments sooner rather than later.


Tuesday, April 17, 2007

IT audit checklists

The IT Compliance Institute has so far published a set of four useful checklists providing practical guidance for IT, compliance, and business managers on preparing for successful internal audits of various aspects of their operations. In addition to helping managers understand what auditors look for and why, the checklists can also help managers proactively complete self assessments of their operations, thereby identifying opportunities for system and process improvements that can be performed in advance of actual audits. The four checklists are:
- information security audit checklist
- IT governance and strategy audit checklist
- IT risk management audit checklist
- PCI compliance audit checklist

Access to the downloads requires registration but if you are sufficiently interested in these checklists to download them, you would probably benefit from the occasional email updates and other information from the institute. They don't spam me, anyway.

More IT audit and IT governance links


Friday, March 23, 2007

Pop it in the post

How does Torbay Council in sleepy Devonshire, England, send confidential information about council workers (names, addresses, salary, banking details - that sort of thing) to the auditors? Why, they simply cut a CD and pop it in an envelope ... and when the first one goes missing in the post, they do it again and that one also goes missing in action.

More links on keeping secrets


Thursday, January 11, 2007

Whistleblower hotlines work!

An excellent 36-page report by The Network, Inc., a company that runs whistleblower services, and CSO Executive Council gives the results of their statistical analysis of 180,000 whistleblower hotline calls from 550 organizations over 4 years. That's quite a sample on a seldom-reported topic. Here are a few salient points from the 2006 Corporate Governance and Compliance Hotline Benchmarking Report - a Comprehensive Examination of Organizational Hotline Activity:

- 65% of calls were 'serious enough to warrant investigation' - that's management-speak for "Oh shit" - with nearly half resulting in 'corrective action';

- 71% of callers gave information that was 'news to management'. 71%! Managers I have known think they are well-connected to the workforce. "I'm all ears", they say. "My door is always open" or "I Manage By Walking About." Yeah, right;

- just over half of the callers prefer anonymity, with callers alleging corruption/fraud (10% of calls) less likely to remain anonymous than those reporting other things such as HR issues, policy/code violation, environment/health and safety concerns etc. In my experience, managers considering whistleblower policies seem overly concerned about anonymity, claiming that it encourages frivolous or scurrilous calls, and that they won't be able to investigate calls made anonymously. More poppycock! It seems to me they need to focus more on addressing the content of the calls than on the callers;

- What I would categorise as "blue collar workers" are more likely to use whistleblower lines than "white collar workers", with retail and transportation/comms/utilities employees leading the way.

Does your organization have a whistleblowers' policy, with or without a hotline? Was its introduction driven by SOX, by Audit, as a result of a particular incident or for some other reason? Who answers the calls/emails and how do they handle them? How useful is the information obtained in relation to the effort/cost involved? If you could start over, how would you set it up? Comments and further links are very welcome. I'm eager to learn more.


Tuesday, December 26, 2006

POGO sticks at it

POGO (Project on Government Oversight) is a self-appointed activist body keeping a watchful eye on US government spending and governance issues. It encourages whistleblowers from public service to expose dubious fiscal and environmental practices or corruption, and provides them with support and anonymity. It has been in existence since 1981. "In the beginning, POGO (which was then known as Project on Military Procurement) worked to expose outrageously overpriced military spending such as the $7,600 coffee maker and the $436 hammer. After many successes reforming the military, POGO expanded its mandate to investigate systemic waste, fraud, and abuse in all federal agencies."

POGO encourages and supports whistleblowers in public service: "Whistleblowing is often not easy. Exposed whistleblowers are almost always reprimanded, fired, and/or harassed, even if they have not "gone public" and even if their allegations are proven to be true. It takes a lot of courage and forethought to take on a powerful government agency or a private contractor. The mental, emotional, and fiscal hardships that a whistleblower may encounter should be fully understood before any steps are taken to disseminate information - publicly or not. In recent years, protections for federal employees have been unraveled by hostile judicial rulings. As a result, federal employees have little protections against retaliation."

More IT governance, fraud and audit resources


Wednesday, December 20, 2006

Audit checklist for information security management

The IT Compliance Institute has amassed an excellent collection of IT governance-related white papers, articles and resources. Their IT audit checklist for reviewing information security management, a new addition, has many potential uses [access requires you to register on the website]. It can be used directly by experienced IT auditors and compliance assessors as a checklist to guide a review of key controls, and it provides pointers on audit preparation, testing and reporting. Prospective auditees and managers will benefit from reading about and preparing for the kinds of things the auditors will be doing, especially the section on things the auditors will be looking for. Those designing and implementing Information Security Management Systems will appreciate the guidance on elements of an ISMS that auditors find particularly important. The checklist can even form the basis of a structured description or specification for a robust ISMS. All in all, a nice paper from the IT Compliance Institute. It's worth browsing the ITCi website for other similar resources including the biannual IT Compliance Journal [again, "free" to those who register].

More information security management, IT governance and IT audit resources


Tuesday, November 21, 2006

Risk management audit checklist

An audit checklist from the IT Compliance Institute (ITCi) explains what auditors would typically want to know about enterprise risk management practices. The checklist, written by the infamous Dan Swanson, offers practical advice to auditees as well as auditors. The ITCi "strives to be a global authority on the role of technology in business governance and regulatory compliance. Through comprehensive education, research, and analysis related to emerging government statutes and affected business and technology practices, we help organizations overcome the challenges posed by today’s regulatory environment and find new ways to turn compliance efforts into capital opportunities."
More risk management and IT audit resources


Tuesday, August 29, 2006

Australian tax office sacks 'spies'

The Australian Taxation Office has taken action against 27 employees for inappropriate access to taxpayers' personal data. Two were prosecuted under the Tax Administration Act. This story, coupled with last week's revelation about a similar issue at Centrelink and news of similar crackdowns at other Australian government bodies, presumably indicates a hardening of attitudes. Employees don't seem to realise that the database systems they access may record all sorts of incriminating evidence in their logs. Presumably the relevant audit functions have been looking closely at the records.
More identity theft links
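The "incriminating evidence in their logs" point above is exactly what an audit function would work from. As an added example (not from the original post and not from the ATO or any real system), here is a small review script that joins a constructed taxpayer-record access log to a constructed work-assignment table and a constructed employee surname list, then reports accesses the assignments cannot explain and lookups of records sharing the employee's own surname. The log format, the assignment data and the threshold are all assumptions for the demonstration.

```python
"""Find employees browsing taxpayer records outside their assigned work.

Added example, not from the original post or from the ATO: the log format,
the assignment table, the HR surname list and the threshold are constructed
assumptions. Real systems log differently, but the idea is the same: join
the access log to the work-assignment data and report what the join cannot
explain.
"""
import csv
import io
from collections import defaultdict

# Constructed access log: timestamp,user,tfn,surname_on_record,action
ACCESS_LOG = """\
2006-08-21T09:02:11,jsmith,111222333,NGUYEN,VIEW
2006-08-21T09:05:43,jsmith,444555666,PATEL,VIEW
2006-08-21T12:31:07,jsmith,777888999,SMITH,VIEW
2006-08-21T12:31:40,jsmith,777888998,SMITH,VIEW
2006-08-22T10:14:02,rjones,444555666,PATEL,VIEW
2006-08-22T10:15:55,rjones,123123123,CELEBRITY,VIEW
2006-08-22T10:16:20,rjones,321321321,CELEBRITY,VIEW
2006-08-22T10:17:01,rjones,999000111,BLOGGS,VIEW
"""

# Constructed work assignments: the TFNs each user legitimately works on.
ASSIGNMENTS = {
    "jsmith": {"111222333", "444555666"},
    "rjones": {"444555666"},
}

# Constructed HR data: employee surnames, used to spot self/family lookups.
EMPLOYEE_SURNAME = {"jsmith": "SMITH", "rjones": "JONES"}

FIELDS = ("ts", "user", "tfn", "surname", "action")


def parse_log(text):
    """Parse the constructed CSV access log into a list of dicts."""
    reader = csv.reader(io.StringIO(text))
    return [dict(zip(FIELDS, row)) for row in reader if row]


def review_access(entries, assignments=ASSIGNMENTS,
                  surnames=EMPLOYEE_SURNAME, threshold=2):
    """Return {user: {"unassigned": [tfn...], "family": [tfn...], "flag": bool}}.

    unassigned: record accessed that is not in the user's assigned work.
    family:     unassigned access where the record surname matches the
                employee's own surname (self/relative lookup).
    flag:       True when unassigned accesses reach the threshold or any
                family lookup occurred; this is a case for a human reviewer,
                not proof of wrongdoing.
    """
    report = defaultdict(lambda: {"unassigned": [], "family": [], "flag": False})
    for e in entries:
        r = report[e["user"]]          # ensure every active user is listed
        if e["tfn"] in assignments.get(e["user"], set()):
            continue                   # explained by assigned casework
        r["unassigned"].append(e["tfn"])
        if e["surname"] == surnames.get(e["user"]):
            r["family"].append(e["tfn"])
    for r in report.values():
        r["flag"] = len(r["unassigned"]) >= threshold or bool(r["family"])
    return dict(report)


if __name__ == "__main__":
    for user, r in sorted(review_access(parse_log(ACCESS_LOG)).items()):
        status = "REVIEW" if r["flag"] else "ok"
        print(f"{user:8} {status:6} unassigned={len(r['unassigned'])} "
              f"family={r['family']}")
```

Two choices matter here: the "explained by assignment" test is a plain set lookup, so the quality of the result is entirely down to how good the assignment data is, and the output is a list for a reviewer rather than an automatic sanction, because a legitimate reason (a reassigned case, a helpdesk call) will not appear in the log.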


Thursday, June 15, 2006

Audit on a stick

WinAudit is a great little PC audit utility to load on your USB thumb drive. Plug in the drive, run the file and browse the voluminous output with a web browser. Find out all the usual hardware info plus details of installed software and system configuration. Look for unlicensed software or discover your user privileges, for example.
More audit resources


Tuesday, April 04, 2006

Scanning for rogue Wi-Fi

Tools to help the overworked Security Manager identify wireless networks in their premises range from free to $thousands. At the bottom end are Wi-Fi snooping tools such as NetStumbler and kismet, and the cheap-n-nasty wLAN detectors given away as merchandising at computer shows. In the mid range is commercial software that uses standard wireless LAN cards to scan the normal Wi-Fi frequency bands, and wide range UHF/SHF scanners. High end tools use very expensive software to get more information from the wLAN cards, or use dedicated spectrum analyzer hardware to get even more gen, provided the user has the technical skills to control the machine and interpret the output. Read about (some of) the range on Informit's review of Wi-Fi audit tools.
More wireless networking security resources
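Whichever tool does the sniffing, the next step is the same: compare what was seen against what is supposed to be there. As an added example (not from the original post and not the output format of NetStumbler, kismet or any other named tool), the script below takes a constructed scan listing and a constructed inventory of authorised access points and sorts each observation into authorised, misconfigured (known radio, wrong SSID), evil twin (our SSID from an unknown radio), rogue (unknown SSID strong enough to be inside the premises) or distant (probably a neighbour). The line format and the -70 dBm on-premises threshold are assumptions for the demonstration.

```python
"""Classify Wi-Fi scan results against an authorised access-point inventory.

Added example, not from the original post or from any scanning tool it
names. The scan lines and inventory below are constructed; the simple
"bssid ssid channel rssi_dbm encryption" format and the RSSI threshold
are assumptions for this demo, so adapt parse_scan() to your tool's output.
"""
from dataclasses import dataclass

# Constructed authorised inventory: BSSID -> (expected SSID, channel).
AUTHORISED = {
    "00:11:22:33:44:01": ("CORP-WLAN", 1),
    "00:11:22:33:44:02": ("CORP-WLAN", 6),
    "00:11:22:33:44:03": ("CORP-GUEST", 11),
}

# Constructed scan output: bssid ssid channel rssi_dbm encryption
SAMPLE_SCAN = """\
00:11:22:33:44:01 CORP-WLAN 1 -48 WPA2
00:11:22:33:44:02 CORP-WLAN 6 -55 WPA2
de:ad:be:ef:00:01 CORP-WLAN 6 -41 OPEN
00:11:22:33:44:03 CORP-GUEST 11 -60 WPA2
aa:bb:cc:dd:ee:ff linksys 11 -52 OPEN
12:34:56:78:9a:bc Neighbour-Net 3 -89 WPA2
"""


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    rssi: int        # dBm, closer to 0 is stronger
    encryption: str


def parse_scan(text):
    """Parse the constructed scan format; SSIDs with spaces are not handled."""
    obs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        bssid, ssid, chan, rssi, enc = line.split()
        obs.append(Observation(bssid.lower(), ssid, int(chan), int(rssi), enc.upper()))
    return obs


def classify(obs, authorised=AUTHORISED, on_premises_rssi=-70):
    """Return a list of (verdict, observation) pairs.

    authorised:    BSSID is in the inventory and advertises the expected SSID
    misconfigured: BSSID is in the inventory but the SSID does not match
    evil_twin:     one of our SSIDs broadcast from a BSSID we do not own
    rogue:         unknown SSID seen strongly enough to be on the premises
    distant:       unknown SSID with a weak signal, probably a neighbour
    """
    our_ssids = {ssid for ssid, _ in authorised.values()}
    findings = []
    for o in obs:
        if o.bssid in authorised:
            expected_ssid, _ = authorised[o.bssid]
            verdict = "authorised" if o.ssid == expected_ssid else "misconfigured"
        elif o.ssid in our_ssids:
            verdict = "evil_twin"
        elif o.rssi >= on_premises_rssi:
            verdict = "rogue"
        else:
            verdict = "distant"
        findings.append((verdict, o))
    return findings


def needs_action(findings):
    """Observations a security manager should physically track down."""
    return [o for v, o in findings if v in ("evil_twin", "rogue", "misconfigured")]


if __name__ == "__main__":
    results = classify(parse_scan(SAMPLE_SCAN))
    for verdict, o in results:
        print(f"{verdict:13} {o.bssid} {o.ssid:14} ch{o.channel:<3} {o.rssi} dBm {o.encryption}")
    print(f"{len(needs_action(results))} access point(s) need follow-up")
```

The evil-twin check is deliberately tested before the signal-strength check: an attacker impersonating your SSID is worth walking the building for even if the signal is weak, whereas an unknown SSID at -89 dBm is almost certainly next door. Keep the inventory keyed on BSSID rather than SSID, since the SSID is the one thing an impostor copies exactly.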


Friday, January 13, 2006

ISACA drops audit name

To help cement its move away from IT auditing towards IT governance, ISACA will no longer be known officially as the Information Systems Audit and Control Association. This is a bit like British Petroleum, British Telecom and British Airways becoming BP, BT and BA, respectively: some of us traditionalists still recall the original names and all that they once stood for. Some of us can tell the difference between Personal Computer and Politically Correct.
More IT audit resources


Saturday, September 03, 2005

ISACA draft Audit Evidence standard up for comment

The Information Systems Audit and Control Association (ISACA) releases new or updated audit standards as 'exposure drafts' for public comment from time to time. The standard on Audit Evidence is out for review now with comments due back before November this year. If you have IT audit experience, why not take a moment to look at the draft and send in your thoughts? Contribute to the profession.
More IT audit resources


Tuesday, August 02, 2005

IIA Change and Patch Management Controls guide

The Institute of Internal Auditors’ final draft guide to change and patch management controls is “about managing risks that are a growing concern to those involved in the governance process. Like information security, management of IT changes is a fundamental process that can cause damage to the entire enterprise and easily disrupt operations if it is not performed well. This enterprisewide impact makes change management of interest to many audit committees and, as a result, to top management. The objective of this guide is to convey how effective and efficient IT change and patch management contribute to organizational success.”
More change management resources


Thursday, July 21, 2005

Kevin Mitnick preaches social engineering awareness

In a keynote presentation at the Citrix iForum conference in Australia today, hacker Kevin Mitnick said "social engineering appeals to hackers because the Internet is so widespread, it evades all intrusion detection systems, it's free or very low cost, it's low risk, it works on every operating system, leaves no audit trail, is nearly 100 percent effective, and there is a general lack of awareness of the problem."
More [anti-]hacking and social engineering links.


Friday, May 13, 2005

SOX puts audit costs up

A survey attributing $1.4 bn of additional costs to Sarbanes-Oxley compliance includes a subtle message. Banks, insurance and drug companies saw significant increases in their audit costs, but energy, utilities and retail companies saw even greater increases ... presumably implying that they had much more to do to reach compliance.
More IT governance links here
