www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
26 December 2005  
Policy and audits

Policy & Audits: Getting it right

What's the best way to frame a security policy? Should this activity be conducted by the IT head or is the participation of business heads necessary? Are internal audits good enough? M P Badrinath answers these questions and more.

“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
Bruce Schneier in Secrets & Lies
M P Badrinath

Security policy is the foundation upon which all security is based, and it is the first step towards a successful security process. Ironically, in this day and age, a majority of the C-suite still see a one-off purchase of an anti-virus application or an intrusion prevention device as the panacea for all their security problems.

If there was a ‘best’ way to go about framing a security policy and if that could be patented, the patent would be worth a few billion dollars. Of course, there is a framework and within that framework, organisations have to evolve their own strategy and method to develop the security policy. But external assistance can add depth to policies reflecting the information security posture of an organisation. Now, what is this security posture all about? It is the perception of an organisation’s efforts to effectively protect itself against information security threats. In order to have an effective information security posture, organisations need to align their information security with their business objectives. To do this they must eliminate the hierarchical layers between the C-suite and the functional managers, who have historically viewed information security as a technology issue and not a business issue. Having the active involvement of senior management in security-related decisions is crucial in establishing this alignment.

There are three components of the security policy suite—the policy itself, standards and procedures. The approach followed in establishing a security policy is critical for a comprehensive and effective security regimen. The right approach serves as a strong foundation for effective information security governance. However, in many cases this aspect is overlooked with organisations implementing technical security without first creating the framework of policies, standards, guidelines and procedures.

First let us look at the lifecycle of policy development. It starts with the identification of assets and a risk assessment where the organisation’s assets, potential threats to said assets, points in the organisation where vulnerabilities may exist to those threats and the probability of threats materialising are considered.

Determining both the monetary value and the intrinsic value of an asset is essential in accurately gauging its worth. To compute monetary value, the impact of a threat materialising should be considered. However, to calculate the intrinsic value, the organisation should consider the security impact of the threat on its credibility, reputation and relationship with key stakeholders.

A tenable security policy must be based on the results of a risk assessment. Once it has been carried out, the next step is to prioritise risks. In these situations, the heads of business units can play a vital role. In the entire lifecycle of information security policies, the role of IT will be that of a facilitator during development and that of a custodian after deployment.

No one expects the organisation to achieve 100 per cent security. Information security is a human enterprise. Respondents to the Global Information Security Survey (GISS) conducted by Ernst & Young cite “lack of security awareness by users at all levels” as the top obstacle to effective information security. No amount of technology can reduce the overriding impact of human complexities, inconsistencies and peculiarities, and any strategy that overlooks this is inherently flawed. With proper training and education, however, people can become the most effective layer in an organisation’s defence-in-depth strategy. It is imperative to make sure that they operate in a security-conscious culture.

The principle of lowest common denominator

In the extended enterprise, the actual functional effectiveness of information security naturally gravitates to the lowest level achieved by anyone in the network. If one trading partner has a poor identity management programme, another never tests its disaster recovery plan, and a third does not regularly assess its IT outsourcers’ compliance with information security policies, one’s own security posture cannot logically rise above the lowest security stance adopted by these other entities.

Hence, senior management should make information security a core management and governance function—nothing short of a cultural imperative. No single activity that drives information security behaviour is more important than setting the tone at the top. Done well, it adds to the organisation’s resilience. Done poorly, it invites disaster from the smallest incident. The tone at the top by itself will not repel any internal or external attack; however, the controls that safeguard an organisation become more effective with the support of senior management. With proper organisational alignment and delivery, information security can make significant contributions to an organisation’s strategic initiatives. Organisations that employ information security in this way continuously involve business, IT and information security leaders in identifying areas where information security can contribute to strategic initiatives.

Senior management must lead the charge in creating a security-conscious culture.

The human factor

The key to creating awareness is communication. The entire organisation must be made aware of the threats that exist and the countermeasures that have been adopted. Awareness helps ensure that employees understand security and its importance in day-to-day activities. Earlier, information security-related issues would hardly find a place in boardroom deliberations. Effective security must be directed and co-ordinated at the board level. Security governance is the responsibility of the board, and discussion at this level should not be avoided because of the discomforting nature of the subject. The requirements of Clause 49 of the listing agreements in India and of the Sarbanes-Oxley Act worldwide are motivating senior managers to be more concerned with these critical issues.

By vigorously enforcing its policies, an organisation makes security the responsibility of everyone—not just its cadre of information security professionals. Controls should be straightforward, clear, enforceable and as instinctive as looking both ways before crossing the road.

Nature of information security audits

The specialised nature of information systems auditing and the necessary skills require standards that apply specifically to information systems auditing. Information Systems Audit and Control Association’s (ISACA) goal is to advance globally applicable standards to meet this need.

The efforts of creating a policy will be in vain unless it is enforced ruthlessly. A compliance programme will assist the organisation’s resolve to enforce the security policy. Towards this end, organisations must carry out compliance audits at least annually. Policy compliance audits can use BS 7799/ISO 27001 standards for benchmarking. There are two ways of handling compliance audits. One is internal and the other, external. Now let us analyse the benefits of each approach.

In-house internal auditors provide the advantages of possessing in-depth knowledge of the organisation’s policies and procedures; the ability to quickly respond to management concerns; continuity of staff who are better positioned to build trust and confidence with management and employees and the ability to provide outreach and training on concepts of information security at no additional cost to the institution.

External vs. internal audits

The advantages of external audits are independence, specialised training, qualifications, access to leading practices or insight into alternative approaches, the professional standards followed by the external auditor and the availability of suitably-trained resources.

Due to the lack of available resources in many IT departments, as well as the substantial cost and training required to perform security audits effectively, many companies turn to outsourcing. Audits, especially external ones, that focus on finding the maximum number of vulnerabilities without determining whether those vulnerabilities really affect the overall security posture of an organisation are bound to lose focus.

The most valuable security audits not only detail vulnerabilities, but include a clearly articulated executive summary. The report should highlight the overall level of risk to the business and include executive-level action items that are intended to improve and validate a consistent focus on information security.

An external audit offers more advantages vis-à-vis an internal one. However, the audited organisation needs to lay more emphasis on the scope of the audit and on the remedial action taken on the audit findings. It is a combination of both types that provides the greatest benefit to an organisation. While internal audits have their merits, it is the external audit that proves comprehensive.

The co-sourcing option

Another dimension that can be considered is that of external auditors periodically training internal ones. This approach has potential benefits like shortening the learning curve and cost savings.

Whatever the approach, it is critical that the outcome of these audits be looped back to the management so as to provide an additional platform for the review and revision of the security programme to complete the cycle.

Policy is an essential and important part of any organisation because it identifies how the members of that organisation must conduct themselves. Security policy is the mainstay of security and in no way is this approach intended to be the endpoint of the journey to getting full enforcement of an information security policy.

M P Badrinath is Manager, Ernst & Young. He can be reached at mp.badrinath@in.ey.com

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.