If you're amazed—and maybe even a little alarmed—about how much Google seems to know about you, brace yourself. It's only getting harder to hide.

Google recently began to operate under a streamlined privacy policy that enables it to dig even deeper into the lives of its users. Organizations in many industries have similarly made significant investments to get to know their customers and their activities better in order to personalize service for them. To accomplish this, organizations need to collect large amounts of information—at least some of which is personally identifiable information (PII).

Some say the changes will make it easier for consumers to understand how Google collects personal information and allow companies to create more helpful and compelling services. Critics, including most of the country's state attorneys general and a top regulator in Europe, argue that Google and other companies are trampling on people's privacy rights in a relentless drive to generate business.

In capturing such a wealth of data, organizations are more at risk of a breach of that information. In addition to being accountable to individuals and regulators when information is breached, they can also run afoul of a host of privacy laws and regulations around the world.

The added value of strong information security practices is that they can reduce the risk of substantial regulatory fines and penalties (as well as the risk of reputational damage). Most privacy and data security laws allow for mitigation and protections if certain practices are in place, such as the existence of written information security policies and the active use of data encryption to safeguard sensitive information.

What is an Information Security Audit?

An information security audit is one of the best ways to determine how well your organization's information is protected. Further, you need to be confident that your company is capable of responding to a large-scale, high-impact privacy breach due to loss, theft, or other unauthorized access, use, or disclosure of customer PII and other sensitive information if one should occur.

The information security audit is a systematic, measurable technical assessment of how the company's security policies are employed across the organization. Such audits are part of the on-going process of defining and maintaining effective security policies.

You may see reference to a "penetration test" used interchangeably with a "computer security audit." They are not the same. A penetration test is a narrowly focused effort to look for security holes in a critical resource, such as a firewall or Web server. Penetration testers may only be looking at one service on a network resource. They usually operate from outside the firewall with minimal inside information in order to more realistically simulate the means by which a hacker would attack the site.

Information security auditors perform their work through interviews, vulnerability scans, examination of operating system settings, analyses of network shares, and historical data. They are concerned with how security policies are actually applied. There are a number of key questions that security audits should attempt to answer:

Are passwords too easy to crack?

Are there access control lists in place on network devices to control who has access to shared data?

Are there audit logs to record who accesses data?

Are the audit logs reviewed?

Are the security settings for operating systems in accordance with accepted industry security practices?

Have all unnecessary applications and computer services been eliminated for each system?

Are these operating systems and commercial applications patched to current levels?

How is backup media stored? Who has access to it? Is it up-to-date?

Is there a disaster recovery plan? Have the participants and stakeholders ever rehearsed the disaster recovery plan?

Are there adequate cryptographic tools in place to govern data encryption, and have these tools been properly configured?

Have custom-built applications been written with security in mind?

How have these custom applications been tested for security flaws?

How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?

These are just a few of the kinds of questions that can be assessed in a security audit. In rigorously answering these questions, an organization can realistically assess how securely its vital information is maintained.
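Several of the questions above (empty or weak passwords, operating system settings versus accepted practice, unnecessary services) can be checked mechanically once the evidence is collected. The following is an added example, not code from the article or from any audit firm: it evaluates constructed host evidence (a shadow-file excerpt, a login.defs excerpt, and a list of listening services) against an illustrative policy whose threshold values are assumptions, and returns findings an auditor would record.

```python
"""Audit checks over constructed host evidence (illustrative only)."""
from __future__ import annotations
import re

# Constructed sample evidence for one host; the hashes are placeholders.
SAMPLE_SHADOW = """root:$6$abc$placeholderhash:19700:0:99999:7:::
backup::19700:0:99999:7:::
svc:!:19700:0:99999:7:::
alice:$6$def$placeholderhash:19700:0:99999:7:::"""

SAMPLE_LOGIN_DEFS = """# constructed excerpt of /etc/login.defs
PASS_MAX_DAYS   99999
PASS_MIN_LEN    5
"""

SAMPLE_SERVICES = ["sshd", "rsyslogd", "telnetd", "cupsd"]

# Policy thresholds assumed for illustration, not taken from the article.
POLICY = {"max_days": 90, "min_len": 12, "allowed_services": {"sshd", "rsyslogd"}}

def check_shadow(shadow: str) -> list[str]:
    """Flag accounts whose password field is empty (account has no password).
    A locked account ('!' or '*') is not flagged; only an empty field is."""
    findings = []
    for line in shadow.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            findings.append(f"account '{fields[0]}' has an empty password field")
    return findings

def check_login_defs(text: str, policy: dict) -> list[str]:
    """Compare password ageing and minimum length settings against policy."""
    findings = []
    settings = dict(re.findall(r"^\s*(PASS_\w+)\s+(\d+)", text, re.M))
    max_days = int(settings.get("PASS_MAX_DAYS", 99999))
    if max_days > policy["max_days"]:
        findings.append(f"PASS_MAX_DAYS is {max_days}, policy requires <= {policy['max_days']}")
    min_len = int(settings.get("PASS_MIN_LEN", 0))
    if min_len < policy["min_len"]:
        findings.append(f"PASS_MIN_LEN is {min_len}, policy requires >= {policy['min_len']}")
    return findings

def check_services(services: list[str], policy: dict) -> list[str]:
    """Flag listening services that are not on the approved list."""
    return [f"unapproved service running: {s}" for s in services if s not in policy["allowed_services"]]

def audit_host(shadow: str, login_defs: str, services: list[str], policy: dict = POLICY) -> list[str]:
    """Run every check and return the combined list of findings."""
    return check_shadow(shadow) + check_login_defs(login_defs, policy) + check_services(services, policy)

if __name__ == "__main__":
    for finding in audit_host(SAMPLE_SHADOW, SAMPLE_LOGIN_DEFS, SAMPLE_SERVICES):
        print("FINDING:", finding)
```

Each finding maps back to one of the audit questions, which is how a scripted check stays tied to the written policy rather than becoming an ad hoc scan.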

Security Policy Defined

Performance of a security audit presupposes that the organization has a security policy in place—which, unfortunately, is not always the case. Security policies are a means of standardizing security practices by having them in writing and agreed to by employees who read and can sign off on them. When security practices are unwritten or informal, they may not be generally understood and practiced by all employees in the organization. Written policies are not about questioning the integrity and competency of employees; rather, they ensure that everyone at every level understands how to protect company data and agrees to fulfill their obligations to do so.

Tensions often exist between workplace culture and security policies with the natural tendency for employees to choose convenience over security. For example, users may know that they should create difficult-to-guess passwords, but for convenience also want those passwords to be close at hand. So auditors know to check for sticky notes on the monitor and to pick up the keyboard and look under it for passwords. In healthcare it is common practice to check trash bins for patient information that should have been shredded. IT staff may know that local administrator accounts should have a password; yet, in the haste to build a system, may just bypass that step, intending to set the password later, and therefore place an insecure system on the network.

The security audit should seek to measure security policy compliance and recommend solutions to deficiencies in compliance. Do the policies accurately reflect how the organization protects IT assets on a daily basis? Does the policy reflect industry standards for the type of IT resources in use throughout the organization? Some key areas:

Is there a clear data classification in place to categorize the organization's information (sensitive, confidential, public, etc.)? And have employees been trained or received communications on how to differentiate between sensitive and other data, and how to treat each type?

Are there clear data retention and destruction policies in place tied to the information's data classification (not saving everything forever) as well as litigation hold policies?

Does your organization address the potential legal and compliance implications of managing data across borders? In the cloud, data could be stored in multiple locations, or be moved among multiple locations, making conducting an investigation or searching data for e-discovery purposes difficult unless you know where all the data resides.

Not having policies and practices on classification and retention creates unnecessary risks to information security and regulatory compliance. Deficiencies can result in higher-than-necessary data management costs, while unnecessarily retained information can prove to be fodder for litigation and negative publicity.

The Audit is a Process

As organizations evolve, their security structures will change as well. The information security audit is not a one-time task, but a continual effort to improve data protection. The audit measures the organization's security policy and provides an analysis of the effectiveness of that policy within the context of the organization's structure, objectives, and activities. The audit should build on previous audits and related activities to refine the policies and practices, and to correct deficiencies that are discovered through the audit process.

KPMG, which developed an audit protocol for Health Insurance Portability and Accountability Act audits it is performing on behalf of the federal government, suggests the following steps to consider:

Conduct a robust security risk assessment with an annual or bi-annual reassessment for compliance.

Determine lines of business affected by privacy laws and regulations such as HIPAA.

Map the movement of customer PII and other sensitive and confidential information within your organization, as well as flows to and from third parties.

Perform data discovery to find all of your PII and other critical data.

Clearly, auditing the state of your IT security and privacy practices has become more critical in this era of collection of sensitive information. Such audits can better ensure that the organization truly understands the difference between sensitive information and other types of data. The basic understanding of what constitutes “sensitive” data is critical because it sets the tone for how your data is treated in every phase of its lifecycle, from collection to destruction. Data with different sensitivity needs to be treated differently from an information security perspective. Without this foundation, companies open themselves to needless costs and legal, regulatory and reputation risks.