The bane of the information security professional’s life is the internal auditor asking those simple questions that are just a little difficult to answer. Of course, there should not be any questions that the information security professional cannot confidently answer, but it is likely that person is part of the IT team and so has conflicting interests.
Often the professional is balancing expediency (of getting a project done) against budget and current good security practice, with budget and expediency being the winner in most cases. What can the information security professional do in these circumstances?
A recommendation would be for each project team to document a security case. This should describe the project; the threats and risks to both the data and the organisation (including lost or corrupted data, bad publicity, and loss of clients leading to loss of revenue); the recommended good-practice security controls that should be applied; and the system actually chosen for implementation, together with the reasons supporting that choice.
It is important to document all meetings relevant to the project and to identify pertinent emails and memos, as these directly support the reasons behind the chosen system and explain why a recommended alternative was rejected.
Additionally, the security case should be signed off by the information security professional’s managers and the project owner. In this way, any awkward auditor questions should be fully or adequately answered.
It goes without saying that a security case should be done at the time of the project’s inception and not when the whites of the internal auditor’s eyes are seen coming through the door.
A good, well-thought-out and documented security case might well lead to the funds being made available for the right system being implemented, thus avoiding the awkward auditor questions.
Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.