BreachExchange mailing list archives

Internal Audit Should Play Bigger Role in IT


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 15 Oct 2014 18:26:08 -0600

http://ww2.cfo.com/risk-management/2014/10/internal-audit-play-bigger-role/

The rise of emerging markets, rapid shifts in information technology,
privacy, cybersecurity, changing consumer and market demands, rapid shifts
in global laws and regulations and heightened investor pressures have
produced a new environment of uncertainty, complexity and risk.

Faced with those new realities, management, audit committees, boards, and
other stakeholders have begun asking internal audit (IA) to provide them
with comfort as well as insight into these risks. However, it is becoming
increasingly difficult for IA departments to staff the requisite skills to
effectively meet stakeholder demands.

The need for IA to embrace an expanded advisory role is acute, because the
risk landscape keeps shifting, and IA functions are expected to keep pace.
While top executives surveyed for the PricewaterhouseCoopers 2013 Risk in
Review study cited potential economic shocks and increased political and
regulatory pressures as top risks, those executives’ attention had shifted
significantly by the time we conducted our 2014 study. Today, our executive
respondents’ most oft-cited concern is technological change and information
technology (IT) risk.

In December 2013, hackers stole 40 million credit card numbers from the
records of a retail giant. A month earlier, data from some 152 million user
accounts had been stolen from a major technology company, along with source
code to several of the company’s software products.

Many organizations have been scrutinized by regulators for privacy
concerns. For example, regulators closely monitor how companies collect,
store, use, share, and destroy data, and whether or not they are complying
with their own privacy notices.

Meanwhile, other news stories are showing that threats arise not only from
beyond company walls but also from within the corporate sphere. Recent
massive leaks of classified documents provide a prime case in point,
exposing the dangers of giving third-party contractors access to sensitive
information or failing to properly control employee access to confidential
or sensitive information.

Beyond the potential for catastrophic data breaches and privacy incidents,
businesses are also concerned about the broader disruptive effects of
technological change, including the potential for system failures,
exposures stemming from cloud storage or mobile device usage, third-party
data risks, reputational risks from social media, and the tendency of rapid
innovation to drive customer demand and thereby shorten the shelf life of
new products and services.

Consumers’ expectations also continue to evolve. For example, the TRUSTe
2014 U.S. Consumer Confidence Index (registration required) showed that 89%
of consumers say they avoid doing business with companies they think do not
protect their privacy online.

At least 50 countries have enacted data privacy laws, and more are expected
to follow. While some countries (including the United States) lack general
data-privacy laws covering all industries, they often have regulations that
apply to certain sectors.

Regardless of industry, all companies that collect consumer data must
comply with the privacy and security commitments made to their customers in
their privacy policies/notices or face potential regulatory action from
agencies such as the Federal Trade Commission.

So, where does IA come in?

Everywhere.

With the confluence of cyberthreats, rapid technology and process change,
and evolving consumer and regulatory privacy and security expectations, IT
isn’t just about keeping the lights on anymore.

Today, IT, privacy and information security can be either value enhancers
or brand killers—depending on an organization’s skills and focus. But where
do those skills live and how robust are they?

With so many businesses moving to solutions involving the cloud, managed
hosting or outsourced services, the need for in-house IT capabilities has
been reduced, potentially leading to a collateral reduction in the
company’s level of control over its IT environment.

As that environment continues to evolve, businesses need IA to take the
initiative and be more involved in the entire lifecycle of data. For
example, IA should be strengthening processes and controls before a
security or privacy problem emerges.

Post-breach, IA can provide objective assessments of IT systems, privacy
notices, processes, and procedures, offer assurance around controls, and
recommend improvements in IT and privacy control structures and governance.

Even at companies whose in-house IT and privacy resources remain robust, IA
can add value by performing regular, managed assessments of controls and
providing an assertive voice on upping the company’s game in IT, privacy
and cybersecurity.

The name of that game? Guarding against security and privacy weaknesses,
ensuring the uptime of operations, protecting the brand and increasing
shareholder value through innovation.

The Changing IT Risk Profile

At a high level, IA needs to ask such questions as: Are we as a company
thinking about IT, security and privacy strategically—the way we think
about the business?

Are our IT, privacy, and information security strategies aligned with our
business strategy?

And are we managing our IT portfolio and setting our resource allocations
in ways that align with our IT and business strategies? For example, if we
have an IT strategy that involves implementing a new
enterprise-resource-planning (ERP) system and a new data warehouse during
the current fiscal year, do we have sufficient personnel with ERP
specialization and data-warehouse experience? If not, what is the strategy
to fill this critical gap?

If the gap is to be filled with third parties, how does that affect the
company’s risk profile? If we make a change to an IT system or process,
have the privacy and security implications been considered?

At a granular level, IA can provide assessments of:

IT, privacy and cybersecurity program maturity and capabilities.
Threat and vulnerability management (TVM) programs.
Infrastructure security.
Potential for attacks and penetrations.
Cloud computing, mobile devices, and social media.
Third-party security and privacy.
Regulatory and industry standards adherence.
Advanced data discovery and mapping.
Product development life cycle.

The Need for Security Assurance

In the face of persistent IT privacy and security threats, accelerating IT
infrastructure demands and market pressures for constant technical
evolution, businesses’ need for security assurance is profound.

Even if an organization has strong IT and data-security policies and
controls, it shouldn't be satisfied with the adequacy of those defenses if
it doesn't continually verify that they're sound, uncompromised, and
applied consistently. Making those assessments, providing that assurance,
and offering recommendations for improvement is where IA comes in.

Clearly, IA has a significant role to play in helping its company
understand, monitor and mitigate IT-related risks of all kinds. The
question then becomes, does your IA department have the capabilities to
make a difference?

Frequently, IA functions do not have the technical capabilities to complete
thorough security and privacy assessments. Assigned a wider mandate over
data and systems, some IA functions take a can-do stance that belies their
limited skill sets.

For instance, an internal auditor might perform a perfunctory, one-off
website security audit that tests only against known threats and leave
unaddressed certain risks from emerging threats and zero-day system or
application vulnerabilities.

With so much at stake, such low-level audits fail to fulfill even IA’s
basic mandate of value protection, much less an expanded mandate of value
creation and innovation. They also run the added risk of giving companies a
false sense of comfort.

With both the present and the future so clearly dominated by technology,
it's no wonder executives expressed deep concern about capability gaps
around risk data and analysis, deficient cybersecurity and a lack of
technology skills to support new digital strategies in PwC's 2014 Risk in
Review study.

To correct those gaps and meet stakeholders’ expanded expectations, IA
leaders must reevaluate their talent models and bring in resources with
specific skills around such critical business risk areas as cybersecurity,
data privacy, specific IT platforms, and business continuity.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 