Sunday, September 19, 2010

IT Audit and IT Security Audits: Is There a Difference?

Posted by David Hoelzer on November 10, 2009 – 5:37 pm
Filed under Compliance, Security, Standards
Last week I had an interesting conversation with some principals in one of the Big Four. We were discussing some upcoming plans that we have for creating a course to assist non-IT folks to transition into IT Audit in addition to assisting non-Audit folks to take on more of an audit role.

During the conversation, we were asked by one person, “Well, are you teaching IT Audit or are you teaching IT Security Audit?” What an interesting question, we thought. We went on to explain our point of view.

The purpose of IT Audit is to ensure that all of the controls are functioning correctly to meet the objectives of the business. This includes operational matters like user creation process, active directory management, group policy settings, firewall configurations, router infrastructure configurations, etc. Almost all of the controls in IT today include security settings. In our view, there is no sense auditing these items to verify that the settings match the policies unless you are also validating that the processes governing the policies are correct.

In other words, if your IT Audit isn’t validating that, in addition to operating correctly, your organization is correctly applying security principles and controls, what exactly are you auditing??? The folks we were speaking with, fortunately, seemed to agree that this was the correct view even though they had posed the original question. It does give us pause to wonder, however.

For example, consider the recent findings regarding FISMA, specifically the notion that FISMA has failed because the IT auditors who are doing the evaluations have been tasked with verifying that everyone is doing what NIST says in terms of procedures without any consideration for where the actual risks are to the business!

This is also precisely the reason that Sarbanes-Oxley has language requiring that the IT systems support the accuracy of the financial results. In the past I have railed against the lack of specificity in Sarbanes-Oxley, but given what’s happened with FISMA it makes me wonder if it might be better in some respects.

In the end, determining the best strategy or standard to use to ensure security will always be a task best done as a retrospective, but it seems safe to say that the “right” answer falls somewhere between too much and too little. Like Goldilocks, we’re all looking for the “Just Right” level of detail in standards, forcing organizations to develop well thought out controls that connect to business and security objectives!

For a comprehensive course on how to identify critical controls, validate that the correct controls are in place and validate processes, consider the SANS 6 day course, “Advanced System & Network Auditing“. David Hoelzer is the SANS IT Audit Curriculum Lead and the author of several SANS IT Audit related courses.