In March 2011, RSA – EMC’s security division – sent shockwaves through the industry when it announced a sophisticated cyber-attack on its SecurID system. The theft of unspecified information relating to SecurID has left scars and a lot of red faces, but at the same time it has raised a lot of questions for the IT industry as a whole.
Prior to the attack, SecurID was a benchmark in two-factor authentication. But the attack proves that just having a strong security mechanism is not enough. We cannot simply deploy a security system and hang up our boots, expecting it to take care of everything. We have to be vigilant at all times and keep testing the security of our IT setup. In other words, we need to conduct IT audits regularly.
Now here’s another shocker. Protiviti’s 2011 IT Audit Benchmarking Survey, which polled chief audit executives, audit directors, and IT audit directors and managers from across the globe, found that 1 in every 4 companies does not conduct periodic IT risk assessments. And 42% of the respondents agreed that they do not have sufficiently trained resources to fully implement their IT audit plans.
What’s more shocking is that this comes at a time of widespread and unfettered use of technology such as social media and iPads across enterprises. Do we want to take a chance on embarrassing security breaches? Do we want to leave our doors wide open for the bad guys? Not really! So let’s take IT audit seriously.
In a broad sense, an IT audit will evaluate the following for you:
- Availability of the enterprise systems
- Confidentiality of the information stored on these systems
- Integrity of the systems
But in more detail, we would say that an IT audit should evaluate the following at the enterprise level.
Data
Data is your biggest asset. It is what keeps the enterprise running, and you do not want to go wrong here. So carry out a detailed data analysis and verify the data for authenticity. Evaluate it from 4 different perspectives – business, division, processes and control. Identify duplicated data and consolidate it for better management. Also make sure that the data stored in the systems is periodically updated. A well-maintained data bank will have a direct impact on your enterprise’s performance.
IT Architecture
This is the backbone of your enterprise. It houses all your systems and solutions, and even your business processes and operations are mapped to this architecture. Your IT architecture is what really converts data into valuable information for your business. So assess it for robustness and stability. Map out who owns the enterprise IT, who operates it, who influences it, and who adopts it. Identify the information resources that require varying levels of protection, and document the technical vulnerabilities and their potential business risks. The organization’s top brass can then use this risk assessment to define policies and controls around information assets and ensure compliance with them.
Your IT architecture should also include your network and operating systems. If you have a layered architecture, make sure that you audit every single layer for potential security threats. Test, review, and document your operating systems and environments to make sure that intruders cannot bypass your access controls and lay their hands on your business data.
ERP System
Your ERP system is another valuable component of your enterprise IT. It brings all your projects, customers, suppliers, investors, and employees onto a single page, and all these parties use your ERP to draw valuable insight from your business operations. So assess your ERP system for data processing and reliability. Assess your business processes for changes and see to it that they are streamlined. Examine your projects carefully to identify any latent risks. You also need to audit your development and testing environments for potential threats. Another good thing to do is to hold your ERP’s data conversion process under a magnifying glass; this way you can identify whether something malicious is hiding in your ERP and contaminating your business data.
IT Policy Framework
IT governance has always been a management-level prerogative, and a top-down approach is what will really inspire commitment to your IT audit initiative from all enterprise levels. So include your IT policies and procedures in your audit task list. Examine your policy carefully and see to it that it clearly defines roles and responsibilities for the people dealing with business applications and systems. Your policy should define access rights to the different applications and identify the job roles authorized to use those rights. The policy should lay out in definite terms the enterprise’s risk tolerance and the penalties for mala fide access. The next thing to do is to make sure that this policy is effectively communicated and strictly enforced within the enterprise.
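Two of the audit items above, checking that intruders cannot bypass access controls and checking that the policy’s role-to-right assignments are actually what the systems enforce, come down to the same reconciliation: compare the rights each account really holds against the rights its job role is authorized to hold. The following Python script is an added example, not code from the original post or from any product it mentions; the policy matrix, the account grants and the application names are constructed sample data, and the function names are hypothetical.

```python
"""Access-rights reconciliation for an IT audit (added example, hypothetical code).

Compares the application rights actually granted to accounts against the job
roles the IT policy authorizes for each right, and returns one finding per
deviation so the auditor can follow it up.
"""
from collections import Counter

# Policy matrix (constructed sample): application -> right -> job roles allowed
# to hold that right. This is what the written IT policy should define.
POLICY = {
    "erp": {
        "read": {"finance", "sales", "it_ops"},
        "write": {"finance"},
        "admin": {"it_ops"},
    },
    "hr_portal": {
        "read": {"hr", "it_ops"},
        "write": {"hr"},
        "admin": {"it_ops"},
    },
}

# Grants as exported from the systems themselves (constructed sample).
# Each entry is (account, job role on record, application, right held).
GRANTS = [
    ("alice", "finance", "erp", "read"),
    ("alice", "finance", "erp", "write"),
    ("bob", "sales", "erp", "read"),
    ("bob", "sales", "erp", "write"),          # sales is not allowed to write to ERP
    ("carol", "it_ops", "hr_portal", "admin"),
    ("dave", "contractor", "erp", "read"),     # role the policy never authorized
    ("erin", "hr", "erp", "admin"),            # HR account holding ERP admin
]


def audit_grants(policy, grants):
    """Return a list of (account, application, right, reason) for every grant
    that the policy does not authorize for the account's job role."""
    findings = []
    for account, role, app, right in grants:
        app_policy = policy.get(app)
        if app_policy is None:
            # The application exists but the policy never covered it: a policy gap.
            findings.append((account, app, right, "application not covered by policy"))
            continue
        allowed_roles = app_policy.get(right)
        if allowed_roles is None:
            # The right exists in the system but is undefined in the policy.
            findings.append((account, app, right, "right not defined in policy"))
        elif role not in allowed_roles:
            findings.append((account, app, right, f"role '{role}' not authorized"))
    return findings


def findings_per_application(findings):
    """Count deviations per application so the worst-governed system stands out."""
    return dict(Counter(app for _, app, _, _ in findings))


if __name__ == "__main__":
    results = audit_grants(POLICY, GRANTS)
    for account, app, right, reason in results:
        print(f"{account:8} {app:10} {right:6} {reason}")
    print("per application:", findings_per_application(results))
```

The check is deliberately one-directional: it reports rights that exceed the policy, which is the exposure an auditor cares about, and treats an undefined right or an uncovered application as a policy gap rather than silently allowing it. Running it on the constructed sample flags bob, dave and erin, all on the ERP.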
Another important aspect that calls for extra attention during an IT policy audit is compliance. Make sure that there are no regulatory gaps in your policy framework; such gaps can invite government sanctions or cause mistrust within your customer base. So we would advise that you audit your IT policy not only for things to do and not to do, but also for compliance with regulations.
We know that IT audit has a number of benefits. But more than anything, we recommend IT audit as a reputation builder. You don’t want newspapers flashing your enterprise’s name over some embarrassing security breach, and you don’t want to be a victim of bad press or publicity. So start taking IT audit seriously. The bad guys are certainly getting smarter, and we need to outsmart them!