The Importance of IT Audits
How much is the information in your organization worth? That is, what is the cost (either quantitatively or qualitatively) if your sensitive or valuable information were compromised? For example, your customers' personally identifiable information (PII) is leaked to the dark web. Or your database is modified with erroneous information. Or your critical systems are subject to a denial-of-service (DoS) attack, rendering them unusable. Don't underestimate "reputational risk." We all cringed when Target announced 70 million customer data files exposed. If this happened to you, do you think you could recover from that, reputation-wise? This is why performing an information technology (IT) audit of your IT controls is necessary to prevent, detect, and perhaps correct these exploitable weaknesses.
An IT audit is the examination and evaluation of an organization's information technology infrastructure, processes, policies, and operations. IT audits determine whether IT controls protect corporate assets, ensure data integrity, and are aligned with the business's overall goals, and they help to demonstrate good governance.
There is an increasing reliance on technology in business operations. Therefore, IT audits are critical to ensure information-related controls and processes are working properly. The primary objectives of an IT audit include:
- Evaluate the systems and processes in place that secure company data.
- Determine risks to a company's information assets and help identify methods to minimize those risks.
- Ensure information management processes are in compliance with IT-specific laws (regulations), policies, and standards.
- Determine inefficiencies in IT systems and their associated management and, more importantly, provide both a justification and an opportunity to remediate the weaknesses found.
An IT audit is about much more than dealing with attackers from outside your company. Insider attacks are just as bad (and many times worse). Many cybersecurity experts will say that the insider threat is more serious because it's harder to detect. If a user has legitimate access to a company's files, it's not easy to see whether they are using that access for illegitimate purposes; this is precisely why "Segregation of Duties" (SOD) controls are so critical to an organization.
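As an added example (not from the article), here is one way an auditor can check an access entitlement export against a segregation-of-duties rule set to find users who hold a conflicting pair of duties; the users, roles, and conflicting-duty pairs below are constructed sample data, not from any real organization.

```python
"""Segregation-of-duties (SoD) conflict check over a user-to-role export.

Added example, not part of the original article. USER_ROLES and SOD_RULES are
constructed sample data; a real rule set comes from the organization's own
control matrix.
"""
from itertools import combinations

# Constructed sample: the roles each user has been granted.
USER_ROLES = {
    "alice": {"ap_invoice_entry", "ap_payment_approval"},   # toxic combination
    "bob":   {"ap_invoice_entry", "report_viewer"},         # no conflict
    "carol": {"vendor_master_maintain", "ap_payment_approval"},
    "dave":  {"dba", "app_change_deploy"},
}

# Constructed SoD rule set: pairs of duties one person must not hold together,
# with the risk the pairing creates (the justification an auditor documents).
SOD_RULES = {
    frozenset({"ap_invoice_entry", "ap_payment_approval"}): "create and approve own payments",
    frozenset({"vendor_master_maintain", "ap_payment_approval"}): "pay a self-created vendor",
    frozenset({"dba", "app_change_deploy"}): "alter data and deploy code that conceals it",
}


def find_sod_violations(user_roles, rules):
    """Return {user: [(role_a, role_b, risk), ...]} for every user holding a conflicting pair.

    Roles are compared pairwise, so a rule matches no matter how many other roles
    the user holds. Output is sorted so repeated runs produce stable audit evidence.
    """
    violations = {}
    for user, roles in sorted(user_roles.items()):
        hits = [
            (a, b, rules[frozenset({a, b})])
            for a, b in combinations(sorted(roles), 2)
            if frozenset({a, b}) in rules
        ]
        if hits:
            violations[user] = hits
    return violations


if __name__ == "__main__":
    # Each line is a finding: who holds the conflict and why it matters.
    for user, hits in find_sod_violations(USER_ROLES, SOD_RULES).items():
        for a, b, risk in hits:
            print(f"{user}: {a} + {b} -> {risk}")
```

Users that appear in the output either lose one of the roles or are covered by a documented compensating control, such as independent review of their transactions.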
In order to better visualize what is involved in an IT audit, I created the IT Audit Circle (see Figure 1).
If this circle looks familiar, it is because it closely resembles the layered security defense model (see Figure 2).
I’ve conducted many IT audits over the years. Some were for regulatory compliance (Sarbanes-Oxley, GLBA, or HIPAA). But many were for organizations that wanted to have some assurances that their organization was protecting their valuable information. That is, protecting these assets from breaches in confidentiality, integrity, or availability.
The Audit Layers (Figure 1) are:
- Asset
- Database
- Application
- Operating System
- Physical System
- Network
Let’s look at each layer in detail:
Asset:
This is the information you want to protect. If this asset were subject to a breach (of confidentiality, integrity, or availability), it could cause damage to the organization. The risks include financial, operational, reputational, strategic, and compliance/legal risks. An exploit of these assets can lead to theft/fraud, operational impact, or confidentiality breaches.
Databases:
Depending on the database contents, confidentiality, integrity, and availability are all risk concerns. Because the data is in a central repository, unauthorized access could expose significant amounts of data (think customer credit cards, PII, etc.). In addition, databases are complex, which increases the risk of data corruption. If the database is corrupted or unavailable, it will impact all the applications and end users that depend on it. If database performance is slow, it could impact response time for a significant number of users.
Applications:
Some of the controls around applications include IT governance, logical security, change management, business continuity/disaster recovery, system development methodology, input controls, process controls, and output controls.
Operating System:
Example controls around operating systems include effective patch management, vulnerability assessments (health checks), and restricting and monitoring privileged administrative access (the monitoring of privileged administrative access also applies to databases and network devices).
Physical System:
The goal is to prevent unauthorized physical access, damage, and interference to the organization's premises and information. Access to restricted computing areas needs to be limited to authorized individuals on a need-to-know basis. Physical security controls protect the computer centers, server farms, telecommunication rooms, and support facilities. Let's not forget environmental controls such as HVAC systems, fire suppression systems, and protection against power failures. Risks include unauthorized use, modification, destruction, or theft of equipment and data media, access to sensitive information, and disruption of system and operational processing. In this space we also want to be mindful of data center physical location. In the event of a fire, it is of no value if your BCP/DR program fails over to a data center in the same building, or even in the same geographical part of the country should you experience a broader event such as an earthquake or wildfires like those the West is experiencing at present.
Network:
Organizations rely on networks as an essential part of doing business. The network management staff is responsible for keeping the network available, secure, and performing well. Through various weaknesses (in the network, networked computers, applications, and user policies), the organization is susceptible to malware (malicious software) of all sorts.
The Bottom Line
Performing an IT audit is not a one-time activity. It is something that needs to be done on a continuous basis. IT audits need to be embedded into your Business as Usual (BAU), not rolled out as projects at the end of the year, as we did initially with SOX work. To be successful, the mindset needs to be owned and embraced by the Line of Business (LOB). There are four resources/variables that affect the timing and depth of the audit: People, Process, Information, and Technology. Any change in one of these variables warrants reevaluating the other three to determine whether new risks have been introduced, and making changes to the IT controls as needed. And from experience I've learned that whatever controls you put in place, they will not be perfect. There will always be some amount of risk. This requires us to be vigilant at all times and make sure our valuable assets are protected.
About Mark Edmead
Mark Edmead is an IT transformation consultant and trainer. Over the past 28 years, he has provided IT transformation and business improvement services that align information technology with business goals to drive bottom-line performance and growth. Mark's focus is on change management, process improvement, enterprise architecture, technology road mapping, strategic IT planning, IT organization analysis, IT portfolio management, and IT governance. Mark is TOGAF 9.2 certified, a Lean IT accredited trainer, a DevOps trainer, a certified COBIT 5 assessor, a COBIT 2019 accredited trainer, a Business Relationship Management Professional (BRMP) and Certified Business Relationship Manager (CBRM) accredited trainer, a Certified Information Systems Auditor (CISA) trainer, and was a member of the Malcolm Baldrige National Quality Award Board of Examiners.