Internal audit has to play a far more substantial role in information security to ensure organizations are following proper security procedures, according to the latest security whitepaper from PricewaterhouseCoopers.
In the paper "Fortifying your defenses: The role of internal audit in assuring data security and privacy," PricewaterhouseCoopers said that most companies have comprehensive security controls and privacy policies, but all too often, no one is checking to ensure the protocols are being followed. Also, new threats are often overlooked, so the organization is not developing new procedures or investing in new tools to address the risks, the report said.
"No company, no matter how well it has secured its data, is ever 'ﬁnished' maintaining information security and privacy," the report said.
The growing number and severity of data breaches—there were 1,037 publicly reported incidents of loss, theft, or exposure of personally identifiable information in 2011—may suggest that most organizations are lax about the threats facing them, but that is hardly the case, PwC wrote in its report.
Companies across industries spent an average of 19 percent of their IT budgets on security, PwC said, citing a 2007 IDC study. "Yet the investments have not been enough to keep the attackers in check," the report found. Companies should construct three lines of defense, with internal audit playing a critical role, PwC recommended. The other two lines including empowering management to have ownership, responsibility, and accountability for accessing and mitigating risk, as well as having functions in place to monitor compliance and risk management to ensure the procedures are being followed when reporting risk-related information. Internal audit be "at least as strong" as the other two lines of defense, according to the report.
PwC described how LexisNexis, an information broker, set up the lines of defense in its paper. The top of the organization set the tone about the importance of protecting customer data and ensured the message reached employees, contractors, vendors, and any other person or entity that may come across the data. LexisNexis also established a three-tier process to develop and approve policies. Data security policies and controls are first developed by a working group, and then reviewed by a security review board. A senior management committee has to evaluate the policies and approve the policies before they can be implemented. There is an independent monitor in place to track the ongoing effectiveness, PwC said.
“A company won’t really know the adequacy of its defense if it doesn’t continually verify that those defenses are sound, uncompromised and applied in a consistent manner,” said Jason Pett, PwC's U.S. internal audit services leader.
The information audit and compliance tasks at LexisNexis are handled by the Privacy, Security, and Compliance Organization, according to the report. PSCO follows the guidelines established by ISO 27002 for its information security program and also a process of "customer credentialing" to address situations not covered by the standard. When a customer wants to access the company's product, LexisNexis checks that the customer has a legitimate business and legal reason for doing so and that they are who they claim to be. PSCO also continually evaluates the firm's policies and procedures.
PSCO also conducts annual risk assessments to identify areas of risk and controls available to mitigate the risks, a thorough assessment before any new applications or products are deployed, and audits existing security controls to measure effectiveness, according to the report. Internal audit has to "stay ahead of the threat curve" and keep the audit committee apprised of increasing risks and effective ways to address them, Pett said. If internal audit stays on the sidelines, the company could launch a new process, product, or system, without putting adequate controls in place, he said. Internal audit must also understand internal and external changes to the business and conduct special audits for new information security threats, as necessary.
“Internal audit has to play a far more substantial role in information security," Pett said, noting that audit committees also need to start focusing on data security and privacy concerns.
Organizations with three lines of defense, which include internal audit, have the best safeguards in place to deal with critical risks, said Dean Simone, leader of PwC's US risk assurance practice. Internal audits provide objective feedback to the board and senior executives on how effectively organizations are assessing managing the risks, PwC said in its report.
PwC found that many organizations have become less secure over the past three years. In 2011, only 39 percent of nearly 10,000 executives in 138 countries said they reviewed their privacy policies annually, a dramatic drop from the 52 percent who said they do back in 2009. Only 41 percent of the respondents said they had an identity management strategy in 2011, compared to the 48 percent in 2009, PwC found.
Internal audit has certain obstacles within the organization, the PwC report found. There may be a mindset among other managers and executives who believe the controls in place are adequate and there is no need to audit them. Senior managers may also balk at the expense, since achieving and maintaining effective security can be costly.
"Companies with inadequate controls should realize that many disastrous security breaches have occurred in companies that had strong firewalls and seemingly tight access controls, and that were in compliance with the latest regulations," the report said.
Many organizations may also have low expectations in internal audit's capabilities in data privacy, the report noted. Internal audit may be competent in assessing financial controls, but the organization may not believe the auditors would be able to assess information privacy in a holistic manner. That perception is not helped by the fact that the job of maintaining security controls are split among various groups within the company. IT may have some controls, but legal and finance are also part of the effort. Organizations need to have a single point of responsibility for information security, and give that person access to the right resources to assess the risks and the authority to address them, the report said.
There are financial repercussions to not tracking whether the organization's security controls are adequate and being followed. Government bodies are increasing the penalties they impose on companies whose security flaws allow data breaches, PwC found. At least 50 countries have enacted data privacy laws, and more are expected to follow, PwC wrote in its report.
“To battle the ever-changing hacker profiles and accelerating rate of technological change, companies need to constantly re-evaluate their privacy and security plans," Simone said.
The full paper can be found here.
Related Reading: Sophisticated Threats Require An Advanced Persistent Response
Related Reading: The Value of Security Event Correlation
Related Reading: Effective Security Requires Context
Related Reading: Attackers Place Command and Control Servers Inside Enterprise Walls
Related Reading: Attacks Using Command & Control Servers Inside Compromised Networks