Security Think Tank: Preparation best way to avoid awkward security audits

What is the role of information security professionals in handling uncomfortable truths about data security from internal auditors?

The bane of the information security professional’s life is the internal auditor asking those simple questions that are just a little difficult to answer. Of course, there should not be any question that the information security professional cannot confidently answer, but that person is likely to be part of the IT team and so faces conflicting interests.

Often the professional is balancing expediency (getting a project done) and budget against current good security practice, with budget and expediency winning in most cases. What can the information security professional do in these circumstances?

One recommendation is for each project team to document a security case. It should describe the project; the threats and risks to both the data and the organisation, including lost or corrupted data, bad publicity, and loss of clients leading to loss of revenue; the recommended good-practice security controls that should be applied; and the system actually chosen for implementation, together with the reasons supporting that choice.

It is important to document all meetings relevant to the project and to identify pertinent emails and memos, as these directly support the reasons behind the chosen system and explain why a recommended alternative was rejected.

Additionally, the security case should be signed off by the information security professional’s managers and by the project owner. With this in place, any awkward auditor questions can be fully, or at least adequately, answered.

It goes without saying that the security case should be written at the project’s inception, not when the whites of the internal auditor’s eyes are seen coming through the door.

A good, well-thought-out and documented security case might well lead to funds being made available for the right system to be implemented, avoiding the awkward auditor questions altogether.

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.

1 comment

Not sure who the think tank is, but this isn't terribly ground-breaking research. Happens all the time in businesses every day. I often see IT getting in its own way, especially with security, like what I wrote about in this piece on CIOs:

And also when IT or security has no clout and legal counsel makes all the decisions, often disguised as poorly-backed promises, like what I wrote about here:

I know that the majority of IT pros know what needs to be done and work tirelessly to see things through. Yet, more often than not, politics and negative human behaviors predictably get in the way...