What are the business benefits of Information Security Audits?

Source: …vurore.nl/images/vurore/downloads/1089_Jatin-Sehgal.pdf

Author: Jatin Sehgal
Student number: 2160145
E-mail address: (W) [email protected] / (P) [email protected]
Phone number: +31 (0) 6 2908 4825
University counselor: Dr Abbas Shahim RE CGEIT (Partner Atos Consulting & Technology Services)
Company counselor: Martin Wijnmaalen (Partner, Ernst & Young Advisory)
Thesis Number: 1089



Table of Contents

1 PREFACE 3
2 EXECUTIVE SUMMARY 4
3 THESIS INTRODUCTION 6
3.1 PROBLEM DEFINITION 6
3.2 OBJECTIVE OF THIS RESEARCH & RESEARCH QUESTION 8
3.3 RESEARCH APPROACH 9
3.4 SCOPE LIMITATIONS 10
3.5 ASSUMPTIONS 10
3.6 LAYOUT OF THIS THESIS 10
4 HOW TO PROTECT BUSINESS INFORMATION? 12
4.1 WHY IS INFORMATION SECURITY MANAGEMENT SYSTEM IMPORTANT? 12
4.2 HOW CAN A MANAGEMENT SYSTEM BE AUDITED TO ENSURE PROTECTION OF BUSINESS INFORMATION (DESIGN CHECK)? 17
5 HOW TO MEASURE IF INFORMATION SECURITY MEETS BUSINESS OBJECTIVES? 22
5.1 INFORMATION SECURITY COVERAGE IN THE ORGANIZATION 22
5.2 ACHIEVING OPERATIONAL EFFECTIVENESS WITH INFORMATION SECURITY CONTROLS 23
5.3 VERIFYING & VALIDATING THE INFORMATION SECURITY CONTROLS 24
6 WHAT BENEFITS CAN INFORMATION SECURITY AUDITS BRING TO AN ORGANIZATION? 27
7 WHAT ARE THE POSSIBLE WAYS TO MAKE INFORMATION SECURITY BENEFITS MORE VISIBLE IN THE ORGANIZATION? 32
8 HOW CAN AN INFORMATION SECURITY AUDITOR HELP? 35
8.1 RAISING POTENTIAL OF AN INFORMATION SECURITY AUDITOR IN A TELECOM COMPANY 36
8.2 RAISING POTENTIAL OF AN INFORMATION SECURITY AUDITOR IN A BANK 39
9 SUMMARY 42
9.1 CONCLUSION 42
9.2 RESULT DISCUSSION 44
9.3 FURTHER RESEARCH 45
APPENDIX A TERMS & DEFINITIONS 46
APPENDIX B BIBLIOGRAPHY 49
APPENDIX C INTERVIEW QUESTIONS 50
APPENDIX D AN EXAMPLE KEY PERFORMANCE INDICATOR (KPI) 51


1 Preface

This document is the result of the thesis of the postgraduate study programme on EDP auditing at VU University Amsterdam. This thesis covers an interesting topic that is relevant to the IT Auditing field and is often challenged in reality, being the business benefits of information security audits.

I have been involved with the field of Information Security for the past 12 years and have often been faced with the challenge to promote confidence in the field of information security and information security audits. This raised my interest in writing this thesis on the topic.

I would like to thank my supervisor at VU University Amsterdam, Dr. Abbas Shahim, and my supervisor at Ernst & Young, Mr. Martin Wijnmaalen, for their support and feedback. Also I wish to express my sincere thanks to all the interviewees from various organizations for taking the time to do the interviews despite their busy schedules.

Jatin Sehgal


2 Executive Summary

So, what are the business benefits of information security audits?

It's a question many information security professionals and information security auditors are asking themselves, without a clear answer. There are many reasons for this struggle: one is a traditional misalignment with the business, so that this topic never found its place on top management's agenda; another is that the benefits were neither measurable nor visible enough.

In order to try and answer this question, it is important to realize what role information security plays in the organization, how the business information is protected and why it is important that an information security auditor reviews the protection mechanism. The idea is to understand the information flow within business processes, and elevate information security (and its audits) as a business enabler rather than just a cost to the organization.

Let's start with identifying why information is so critical to an organization in this Information age, before realizing the benefits of information security and audits.

Recent global trends have shown that organizations are more successful when they manage their business information in a manner that provides them with a competitive advantage and use this information to drive business benefits and growth. Information is thus the lifeblood of most organizations across the globe, and it flows throughout the organization by means of business processes, creating value.

As the global economies struggle in these turbulent times, organizations and the related regulators, customers, partners and other stakeholders are continuously looking for ways to be reassured that this so-called lifeblood (i.e. organizational information) is protected with the utmost importance and care.

As seen in the media and as a result of industry surveys, many businesses have suffered huge losses due to the loss of critical business information in the wake of rising security incidents and frauds. Information security is thus vital to promote confidence and trust in an organization's policies, processes and reputation.

However, it can be quite a challenging task to stay out of the headlines and operate securely without having someone assess the information security environment regularly. This is where information security audits can be beneficial to an organization.


As organizations change rapidly, so does the need to monitor them continually. Information security audits provide a means to ensure that business processes remain secure, repeatable and aligned with the business, and are therefore highly beneficial for any organization in overcoming business challenges. These audits should be considered a strategic asset or a driver of business value. In this thesis I discuss the real business benefits that one can achieve by regularly performing information security audits, and therefore the focus of this thesis is mainly on the following question:

What are the business benefits of Information Security Audits?

Business benefits of Information Security Audits have been defined in a qualitative way for the purpose of this thesis, i.e. to identify and assess whether information security meets identified goals (such as compliance, performance improvements, strategic alignment etc.) instead of calculating the benefits as a numeric value. It was consciously decided not to aim for the quantitative value of information security audits in terms of a currency amount (such as Euro or Dollar etc.). It is realized that it is far too complex to obtain the quantitative value of information security audits, and hence this has been kept out of scope for this thesis.

Throughout this thesis, the qualitative benefits of performing information security audits are discussed in the context of how an organizational (management) system for information security can be assessed. To give this thesis a more practical touch, several interviews have been conducted with a few selected members of premier organizations across different industries in countries such as the Netherlands, Norway, Luxembourg, Belgium etc. It was noted that although information security influences them in the same way, the requirements to audit these varied organizations and their goals for conducting these audits diverge significantly.

The interviews have also shown how information security (and its audits) can be customized to achieve the overall business vision and that slowly but steadily organizations are realizing the deep potential of performing these audits from a risk management perspective.

Summarizing the results of this thesis, it can be said that information security audits indeed provide huge business benefits and can be instrumental in helping an organization meet its business goals by improving efficiency and aligning with business objectives. They also help avoid losses due to negligence and provide an independent evaluation of the security environment. However, these audits should be well planned and managed through a formal audit programme. In the end, they benefit an organization in several ways, albeit the need is to make these benefits more visible and measurable.


3 Thesis Introduction

3.1 Problem definition

In today's high-technology environment, we are becoming more and more dependent on information and information systems. The public is increasingly concerned about the proper use of information, particularly personal data and client information. The threats to information and information systems from natural disasters, human error, disgruntled employees, hackers, criminals and terrorists are ever increasing. No wonder that information is one of the most valuable assets in an organization and must be protected with the utmost importance and care.

Information has both financial and non-financial characteristics, so the impact of the loss of information can be financial and non-financial as well. For a typical organization, both apply. The impact on business due to the loss of information with financial characteristics also correlates with information security as an internal control for financial reporting. Information security audits[1] are therefore highly important for an organization to realize the true potential and business benefit of the information security controls and the urgency for their effectiveness and efficiency in managing information security and business risks.

But where does information exist within an organization? Information exists in many different forms and shapes: it can be printed or written on paper, spoken in conversation or shown in films, sent in an email or by other electronic means. Whichever form information takes, it must always be appropriately protected[2].

An organization needs to identify which information is critical for its business activities (processes), how it is audited and what impact damage to this information might have on its business. For example, during the interviews I was informed that information security might be most required in an organization's procurement process depending on the type of its business, or it may be critical for its accounting systems or may be mandated as a legal requirement. The bottom line is to understand how an impact on business information impacts the business and, similarly, how information security auditing can bring business advantage and help to protect critical information.

[1] Information security audits are referred to from the perspective of internal audits only, as a key component of the overall risk management framework (external or certification audits are not the main focus of this thesis).
[2] Definition as per the ISO/IEC 27001:2005 standard.

But should information security audits focus on technical (ICT) security, data security or information security? Most of the interview participants mentioned that in practice many organizations struggle to spot the real difference between data and information, whereas information is the processed data that provides meaning to its reader so that he/she can understand the communication. What is also important is to realize the difference between the various aspects/definitions of information security topics prevalent in the industry. These so-called aspects can be defined in three categories:

► Data Security: The focus of data security is to ensure that data is safe from corruption and that access to it is suitably controlled. It cannot alone be termed information security, since the focus is only on the protection of data and not mainly on the other characteristics of information (such as availability). As per the definition on Wikipedia, data security means protecting a database from destructive forces and the unwanted actions of unauthorized users.

► IT Security: The focus of IT security is securing the underlying IT infrastructure (network, OS, database, applications) to ensure information/data security. Thus, IT security ensures that IT infrastructure such as a server is secured so that the information that resides on this server is always protected.

► Information Security: The focus of information security is broader, in that it demands the protection of information (in electronic or non-electronic form) from unauthorized disclosure (Confidentiality), unauthorized modification (Integrity) and unauthorized loss (Availability). Clearly, the data security aspect just focuses on the protection of data integrity, whereas IT security focuses on the protection of only the technical containers like servers, applications etc. in which the information lives. However, information can also exist in non-technical/non-electronic form such as paper or even in the minds of people, and hence the scope of information security is to protect electronic and non-electronic information in whichever form it exists.

There is definitely a degree of complexity in understanding the real difference between the above three definitions, as there is a very thin line between them. IT security and data security may be considered integral parts of information security, but should not be misunderstood as the information security domain as a whole, which is far bigger in scope. Information security is the protection of the Confidentiality, Integrity and Availability of information (and not just data), and that should be the focus of an (internal) auditor reviewing the information security environment.

It is possible that an organization may wish to implement the information security project within the IT department, thereby protecting the business information (and IT information) that resides only within the IT containers such as servers, applications etc. However, this does not protect the same information that resides within the HR or Legal departments, or even in other operational units. That is where most organizations underestimate the real benefits of implementing information security and the business benefit of information security audits. Therefore, by becoming a partner with the business, information security auditors can point out what information needs more protection, identify the gaps in the implementation of information security controls and leverage their expertise to help the business grow and achieve its goals.

So, do you know what the true business benefits of information security audits are and how deep their untapped potential is within your organization?

3.2 Objective of this research & research question

The objective of this research is to provide an answer to the primary research question. Given that there is no doubt that information is critical to running a business and that loss of Confidentiality, Integrity and Availability of information might impact the business, the primary research question for this thesis is:

What are the business benefits of Information Security Audits?


To be able to provide a detailed answer to the main research question, this question has been broken down into the following sub-questions:

1. How to protect business information?
   - Why is having an information security management system important?
   - How can a management system be audited to ensure the protection of the business information (design check)?
2. How to measure if information security controls meet business objectives?
   - Information security coverage in the organization
   - Achieving operational effectiveness with information security controls
   - Verifying & validating the information security controls
3. What benefits can information security audits bring to an organization?
4. What are the possible ways to make information security benefits more visible in the organization?
5. How can an information security auditor help?
   - Raising the potential of an auditor in a telecom company
   - Raising the potential of an auditor in a bank

3.3 Research Approach

To be able to provide answers to the above sub-questions, a step-by-step gradual approach was used that consisted of five phases. Phase 1 was to set the scope and boundaries of the research and to define the research questions. In phase 2 a literature review was performed to gain the in-depth knowledge of the information security and information security audit topics required to answer the sub-questions.

To ensure that the thesis is not just a theoretical investigation but also contains a relation to practical examples, some case studies were performed in phase 3 (together with interviews) on the current setup of information security audits within various organizations. To gather an overall answer to the primary research question, interviews were conducted in phase 4 with the executives of some selected organization(s) and references were made to surveys conducted on this topic (phases 3 & 4 were combined during the interviews). The goal of the last phase, phase 5, was to draw a conclusion from all previous phases and thus answer the main research question. The answer to the main research question ultimately follows from the answers to all previous questions.

Figure: 1 Research approach


3.4 Scope limitations

This thesis only strives to provide qualitative reasons in identifying the business benefits of performing information security audits. A reference is made to the ISO27001 framework and similar management systems, which are most commonly used for information security. The information provided in this thesis is aimed to be generic and usable for most types of business; however, it does not provide an exhaustive list of benefits that can be achieved through tailored information security audits. Pointing out any industry-specific benefits (other than those mentioned in this thesis) is beyond the scope of this thesis. In addition, this thesis does not cover research into information security risks, vulnerabilities and threats.

Further, it is important for the reader to note that information security audits are defined from an internal audit point of view and not from that of compliance audits (e.g. an ISO/IEC 27001:2005 certification audit) or infrastructure security audits like penetration tests/vulnerability assessments. The main focus of this thesis is to define the business benefits of information security audits performed by an internal auditor, thereby elevating their role from being just an assessor of gaps to being a partner in business growth by way of risk management.

3.5 Assumptions

Throughout this thesis, it is assumed that the reader possesses generic knowledge of management systems and their functioning. In addition, the reader is expected to be aware of the concepts of auditing in general. Further, it is assumed that an individual or an organization that is interested in learning the business benefits of information security audits has practical knowledge of implementing information security controls through an information security management system (ISMS).

3.6 Layout of this Thesis

This first chapter (chapter 1) provides a preface to this thesis document. Chapter 2 gives an executive summary of this thesis starting with the primary question. Chapter 3 includes the introduction, the research question and the approach to answering the research question. The following chapters (chapter 4 to chapter 8) relate to the sub-questions. Chapter 4 discusses the first sub-question, how to protect the business information. In this chapter, the definition and importance of implementing and auditing an information security management system (ISMS) are detailed. This chapter also provides details of a typical audit process within an organization.

Chapter 5 covers the second sub-question and provides answers on how to measure if information security meets business objectives by means of internal information security audits. The details of achieving operational effectiveness with information security controls, validating and verifying these controls, as well as making them more visible, are discussed in this chapter.


The next chapter, chapter 6, relates to what benefits information security audits can bring to an organization, whereas chapter 7 describes the possible ways to make information security benefits more visible in the organization by means of internal information security audits. Chapter 8 explains how to raise the deep potential of an information security audit. In this chapter, the main highlights of the interviews conducted are also shown. To understand the different ways of thinking in organizations, interviews have been conducted with a CISO of a premier telecom organization having operations in LATAM and Africa, an IT manager of a government organization in Norway, a Finance Director of a banking organization in Belgium, a head of procurement in a technology company in Germany and an HR professional of a utility company in the Netherlands. Finally, chapter 9 provides the summary of this thesis including the conclusion, a reflection on and discussion of the research, the results and topics for further research.

Appendix A defines various terms & definitions used throughout this thesis, Appendix B provides the bibliography and Appendix C details the questions asked in the interviews. Appendix D provides an example of a key performance indicator for an information security control.


4 How to Protect Business Information?

Almost every organization depends on information. It can be about its operations, business processes, trade secrets, intellectual property, employees' names, salaries, and so on. Depending on the type of organization, this dependency may vary. E.g. a governmental office may require personal information about citizens, residential addresses, car licence registrations etc.; a bank requires information about its customers' accounts, their money transactions, ATM access codes, and so on. Much of this information is confidential, should stay integral and must be available at the time of use.

Just as the type of information may differ from organization to organization, the way it needs to be protected differs as well. The challenge is how to implement the different protection measures to protect the business information while still following a standardized common practice that provides a comfort level to stakeholders. The answer lies in following a best-practice framework for a management system for information security that takes your organization onto a continuous improvement path. Let's dive deeper into why such an information security management system is important for the protection of business information.

4.1 Why is an Information Security Management System Important?

Information security can be implemented in many ways for the protection of critical information; however, for it to be effective, efficient and repeatable it is important to follow a proven framework of a tested management system (like the one endorsed by ISO/IEC 27001:2005). A management system is a proven framework and is a means by which business processes remain aligned with the business and are repeatable.

In order to understand the importance and meaning of an information security management system, let's break it down into its two parts, i.e. "information security" and "management system".

Information Security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. The terms information security, computer security and information assurance are frequently used interchangeably. These fields are often interrelated and share the common goals of protecting the confidentiality, integrity and availability of information.


Figure: 2 CIA Triad explaining core principals of information security

Management System: A management system provides a structure for doing things properly, attempting to systematize and standardize whatever is possible in order to do things efficiently and effectively, using validated methodologies that lead an organization toward the achievement of its objectives. A management system is a proven framework that directs and controls an organization in a transparent manner for managing and continually improving an organization's policies, procedures and processes. A management system provides company management with the information required to anticipate the future and determine the best course of action to achieve organizational objectives.

During the interviews, I asked participants to point out some of the benefits of adopting a management system approach; their responses in terms of the benefits are listed as follows:

► Increased operational efficiency by learning from mistakes/error rectification
► Overall performance improvement by following a process approach
► Reduced risks as responsibilities become clearer
► Reduced cost, time and disruption of audits
► Consistent objectives, planning, and document management.

Combined with the information security objectives, an information security management system (ISMS) is defined using a Plan-Do-Check-Act cycle (also known as the Deming cycle). Following this cycle puts an organization on a continuous improvement path, as with each iteration one can expand the policy and objectives, and the scope of the ISMS.

Figure: 3 ISMS explained using a Plan-Do-Check-Act cycle

PLAN: Establish an ISMS: Planning is the most important phase in building an Information Security

Management System. An ISMS framework follows a risk based approach and hence it is vital that before the

information security controls are selected and implemented, the risks to an organization or any of its part are

known.

This phase involves establishing an ISMS policy for the organization, and the objectives, processes and procedures relevant to managing risk and improving information security, so as to deliver results in accordance with the organization’s overall business objectives. A risk assessment provides its results in the form of identified risks, which organization management can decide to either accept, reject, mitigate or transfer. If risks are accepted, they must meet the organization’s acceptance criteria and must be approved by management. If management decides to mitigate the risks, controls are selected from the set of available information security controls and implemented to mitigate the specific risks identified during the risk assessment; this is how a risk treatment plan is created.
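The PLAN step described above, carried through in code as an added example (not from the thesis): a constructed risk register is checked against a constructed acceptance criterion, and every risk must end up in the treatment plan with one of the four treatment options. The risk names, scores, threshold and control names are assumptions for illustration.

```python
"""Turning risk assessment results into a risk treatment plan (PLAN phase).
Added example, not from the thesis. The risks, scores, acceptance
criterion and control names below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed acceptance criterion: a risk scores likelihood x impact, each
# on a 1-5 scale, and management may accept a risk only at or below this.
ACCEPTANCE_THRESHOLD = 6

# The thesis lists accept, reject, mitigate and transfer; "reject" is taken
# here to mean avoiding the risk, i.e. not performing the activity carrying it.
TREATMENT_OPTIONS = ("accept", "mitigate", "transfer", "avoid")

class TreatmentError(ValueError):
    """A treatment decision that does not satisfy the organization's criteria."""

@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        return self.likelihood * self.impact

@dataclass(frozen=True)
class Decision:
    option: str                        # one of TREATMENT_OPTIONS
    approved_by: str = ""              # management sign-off, mandatory for "accept"
    controls: tuple[str, ...] = ()     # selected controls, mandatory for "mitigate"
    residual_score: int | None = None  # expected score once the controls are in place

def validate(risk: Risk, decision: Decision) -> None:
    """Check one decision against the acceptance criteria of the PLAN phase."""
    if decision.option not in TREATMENT_OPTIONS:
        raise TreatmentError(f"{risk.name}: unknown option {decision.option!r}")
    if decision.option == "accept":
        # Accepted risks must meet the acceptance criterion and be approved by management.
        if risk.score() > ACCEPTANCE_THRESHOLD:
            raise TreatmentError(f"{risk.name}: score {risk.score()} is above the threshold")
        if not decision.approved_by:
            raise TreatmentError(f"{risk.name}: acceptance needs management approval")
    elif decision.option == "mitigate":
        # Mitigation means selecting controls that bring the risk to an acceptable level.
        if not decision.controls:
            raise TreatmentError(f"{risk.name}: mitigation without selected controls")
        if decision.residual_score is None or decision.residual_score > ACCEPTANCE_THRESHOLD:
            raise TreatmentError(f"{risk.name}: residual risk still above the threshold")

def build_treatment_plan(risks: list[Risk], decisions: dict[str, Decision]) -> list[dict]:
    """Risk treatment plan, highest-scoring risk first; an untreated risk is an error."""
    plan = []
    for risk in sorted(risks, key=lambda r: (-r.score(), r.name)):
        decision = decisions.get(risk.name)
        if decision is None:
            raise TreatmentError(f"{risk.name}: no treatment decision recorded")
        validate(risk, decision)
        if decision.option == "mitigate":
            residual = decision.residual_score
        elif decision.option == "avoid":
            residual = 0  # the activity that carries the risk is not performed
        else:
            residual = risk.score()  # accepted or transferred: the risk itself is unchanged
        plan.append({
            "risk": risk.name,
            "score": risk.score(),
            "treatment": decision.option,
            "controls": list(decision.controls),
            "residual": residual,
            "approved_by": decision.approved_by,
        })
    return plan

# Constructed sample register for the pizza-delivery company used later in the thesis.
SAMPLE_RISKS = [
    Risk("Customer card numbers disclosed", likelihood=4, impact=5),
    Risk("Order system unavailable at peak hours", likelihood=3, impact=4),
    Risk("Printed delivery lists left in vehicles", likelihood=3, impact=2),
    Risk("Unvetted driver app sends location data abroad", likelihood=2, impact=4),
]

SAMPLE_DECISIONS = {
    "Customer card numbers disclosed": Decision(
        "mitigate",
        controls=("encrypt stored card data", "restrict access to the order database"),
        residual_score=4,
    ),
    "Order system unavailable at peak hours": Decision("transfer", approved_by="COO"),
    "Printed delivery lists left in vehicles": Decision("accept", approved_by="COO"),
    "Unvetted driver app sends location data abroad": Decision("avoid"),
}

if __name__ == "__main__":
    for row in build_treatment_plan(SAMPLE_RISKS, SAMPLE_DECISIONS):
        print(f"{row['score']:>2}  {row['treatment']:<8}  residual {row['residual']:>2}  {row['risk']}")
```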

DO: Implement & Operate the ISMS: This phase includes implementing and operating the organization’s ISMS policy, controls, processes and procedures. The objective of this phase is to prepare a risk treatment plan to mitigate the identified risks (from the risk assessment performed during the Plan phase). Organization management should provide enough resources and commitment for the implementation of the controls.

It may be the case that the organization already has a certain level of implementation of the selected controls; then it is vital to recognize the current level of implementation of those controls and identify what additional effort is required to bring the risks down to an acceptably low level. The end result of this phase is the implementation of the selected controls.

CHECK: Monitor & Review the ISMS: Now that the organization has established the ISMS design, assessed its risks and implemented the controls to bring the risks down to an acceptable level, this phase concentrates on checking whether the implemented controls are working as effectively as desired and are performing at the required level. Therefore, it is required to assess and, where applicable, measure process performance against the ISMS policy, objectives and practical experience, and to report the results to management.

ACT: Maintain & Improve the ISMS: After checking the implementation level of the controls, the organization might observe certain gaps in the implementation of the selected controls. This phase concentrates on the corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

As explained above, an information security management system provides a systematic way to manage information security risks and implement the controls. As mentioned by the interview participants, the following can be the business benefits that an organization can obtain by implementing an Information Security Management System (which includes conducting internal information security audits as part of the CHECK phase):

An Information Security Management System helps you to:

► Manage risks: by consciously investing in information security controls or by accepting, transferring and avoiding risks.

► Contribute to operational effectiveness: by ensuring that business operations are securely performed without breach of confidentiality, integrity and availability, improving the overall effectiveness and efficiency of your business processes.

► Increase stakeholder satisfaction: by delivering what is expected in a timely and secure manner and providing stakeholders with information regarding the organization’s ability to meet its management-system-related business objectives.

► Protect your brand and reputation: by keeping you out of negative headlines.

► Continual improvement: by following the Plan-Do-Check-Act cycle, one identifies new risks, manages changes and builds upon the last information security implementation towards a continuous growth path.

► Remove barriers to trade: by providing trust and confidence to business partners and promoting the trade of information and resources.

► Manage compliance: by providing you with a platform to demonstrate due diligence and due care in complying with laws, regulations and contractual obligations. In Australia, for example, every company, by law, must have an official (Information) Security Policy and Acceptable Internet Usage Policy in place.

Table 1: Benefits of implementing an Information Security Management System


4.2 How can a management system be audited to ensure protection of business information (Design Check)?

In the above section it was explained why an information security management system is important. This section describes how an ISMS can be audited to ensure protection of business information. This is important because through an information security audit an organization can determine whether its activities and related results comply with the planned arrangements to deliver customer, stakeholder and regulatory requirements for information security. It can determine whether these arrangements are implemented effectively and are suitable to achieve the stated objectives. As an audit outcome, the organization can understand risks and opportunities to inform future changes and improvements that protect business information and grow the business.

But the bigger question is: how do you audit an ISMS to ensure protection of business information?

Typically, an information security management system audit involves reviewing the ISMS design, its existence and the operational effectiveness of the information security controls. In order to organize the audit in a structured manner, top management should start by establishing clear audit objectives and end results by means of an audit program, and assign one or more competent persons to manage the audit program. The extent of an audit program should be based on the size and nature of the part of the organization being audited, as well as on the nature, functionality, complexity and level of maturity of the ISMS to be audited. The audit program should include the information and resources necessary to organize and conduct ISMS audits effectively and efficiently within the specified time frames.

However, to align these audits with the overall satisfaction of top management, the following questions could be asked:

► What are the expectations of the stakeholders from the audit?

► Are the goals of information security audit aligned with those of the business?

► How can the information security audit improve efficiency and effectiveness of the implemented ISMS?

► Do you have the right staffing mix to provide the advice and expertise your business seeks?

► What has your organization done to adjust information security to address the changing environment?

Based on the guidance of ISO/IEC 19011:2011, an audit program can be prepared to answer the above questions and may include the following topics:

► Audit objectives:

    ► top management priorities;

    ► commercial and other business intentions;

    ► legal and contractual requirements and other requirements to which the organization is committed;

    ► needs and expectations of interested parties, including customers;

    ► auditee’s level of performance, as reflected in the occurrence of failures or incidents or customer complaints;

    ► risks to the auditee, etc.

► Extent/number/types/duration/locations/schedule of the internal information security audits;

► Audit program procedures:

    ► assuring the competence of information security auditors and audit team leaders;

    ► selecting appropriate information security audit teams and assigning their roles and responsibilities;

    ► conducting information security audits, including the use of appropriate sampling methods;

    ► conducting information security audit follow-up, if applicable;

    ► reporting to top management on the overall achievements of the audit program;

► Audit criteria, including:

    ► ISO/IEC 27001:2005, CoBIT or any other framework;

    ► applicable policies, procedures, standards and legal requirements;

    ► contractual requirements;

    ► sector codes of conduct, etc.

► Audit methods:

    ► conducting interviews;

    ► completing checklists and questionnaires with auditee participation;

    ► conducting document review with auditee participation;

    ► sampling;

    ► observation of work performed;

    ► analyzing data, etc.

► Selecting the audit team: In deciding the size and composition of the audit team for the internal ISMS audit, consideration should be given to the following:

    ► the overall competence of the audit team needed to achieve the audit objectives, taking into account the audit scope and criteria;

    ► the complexity of the audit;

    ► the audit methods that have been selected;

    ► legal and contractual requirements and other requirements to which the organization is committed;

    ► the need to ensure the independence of the audit team members from the activities to be audited and to avoid any conflict of interest;

    ► the ability of the audit team members to interact effectively with the representatives of the auditee and to work together;

    ► the language of the audit, and the auditee’s social and cultural characteristics. These issues may be addressed either by the auditor’s own skills or through the support of a technical expert.

Once an audit programme is developed, an information security audit is conducted using the six-step process described in Figure 4 below and detailed in Figure 5 using a flow diagram. Organisations could initiate the internal information security audit as per the audit schedule. The first step (Step-1) in initiating the audit is to appoint an audit team leader and assign responsibility for conducting the audit. The audit team leader performs the steps to conduct audit activities as part of the ISMS audit programme.

Thereafter, the audit scope, objectives and criteria are defined and documented. The feasibility of conducting the audit is determined taking into account time and resource requirements. When the audit can be declared feasible, an audit team should be selected, taking into account the competence needed to achieve the objectives of the audit. If there is only one auditor, the auditor should perform all applicable duties of an audit team leader. Once the audit team is defined and selected, the initial contact for the audit should be made with the auditee in an informal or formal manner to make audit arrangements and request documentation.

Upon receipt of the documentation (Step-2), prior to the on-site audit activities, the auditee’s documentation should be reviewed to determine the conformity of the system, as documented, with the audit criteria. The next step (Step-3) after the documentation review is preparing for the on-site visits. This starts with preparing an audit plan to provide the basis for the agreement among the audit team and the auditee regarding the conduct of the audit, and continues with assigning each team member responsibility for auditing specific processes, functions, sites, areas or activities. Such assignments should be made by the team leader taking into account the need for the independence and competence of auditors and the effective use of resources, as well as the different roles and responsibilities of auditors, auditors-in-training and technical experts. Changes to the work assignments may be made as the audit progresses to ensure the achievement of the audit objectives. The audit team leader also assigns responsibilities to prepare the work documents, such as checklists, sampling plans and forms, for recording audit trails.

Step-4 begins with conducting the on-site audit activities. During the on-site visit, an opening meeting is held to set the tone for the information security audit. The audit activities are conducted following the agreed criteria to identify audit findings. At the end of the on-site audit activities, the audit findings are documented in the form of a report and communicated to the auditee to complete the audit (Step-5). The audit is completed when all activities described in the audit plan have been carried out and the approved audit report has been distributed (Step-6).

The conclusions of the audit may indicate the need for corrective, preventive or improvement actions, as applicable. Such actions are usually decided and undertaken by the auditee within an agreed timeframe and are not considered to be part of the audit. Any follow-ups required on the basis of the audit results are then performed (Step-7). The completion and effectiveness of corrective action should be verified. This verification may be part of a subsequent audit.

Figure 4: Steps of an audit activity

Figure 5: Details on steps of an audit activity

5 How to measure if information security meets business objectives?

Practical experience has shown that information security as a topic has faced the difficulty of objectively evaluating its maturity and communicating its value to the business. In a business-minded culture, where numbers play a big role, how would you justify ongoing budget requests and resource requirements? Thus, organizations need a better way, and a measurement mechanism, to demonstrate that efforts and investments have positive results regardless of changing external factors.

Measuring the information security environment through internal information security audits uncovers areas where maturity efforts are either surprisingly behind or surprisingly ahead. These results help you bring everyone up to the same level and even highlight certain teams that may be examples for others to emulate. In addition, the higher levels of maturity in many components require support for business objectives, which may also help to justify further investment.

In the forthcoming sections, I discuss how to measure whether information security meets the business objectives by looking at the information security coverage in the organization and detailing how the Information Value Chain can lead to defining information security risks and the required controls. Finally, I describe a method for measuring the implementation of information security controls using the CMMI model.

5.1 Information Security Coverage in the organization

Most organizations that are facing challenges with implementing information security would admit that there is a cultural gap in the organization and a lack of commitment at all levels. To measure whether information security meets business objectives, it is very important to realize how deep the involvement of staff in information security activities is. If only 10-20% of the staff is involved in information security activities, it is going to take a lot of time and effort before the organization can call itself secure. In many cases, at senior management and specifically at Board level, information security is seen as a technical issue which must be delegated to the IT section and then forgotten about. Without this management support, information security managers fight a very difficult, and often losing, battle in implementing and rolling out an organization-wide information security plan that takes into account all the different dimensions of information security, such as the human (personnel) dimension, the awareness dimension, the legal dimension, the policy dimension, the measurement and monitoring dimension, etc.

Information security efforts that fail to consider how humans react to and use technology often do not deliver the intended benefits. Information security programs need to take into account how the organization and its people, processes and technologies interact, and how organizational governance, culture, human factors and architectures support or hinder the ability of the organization to protect information and to manage information security risks.

5.2 Achieving operational effectiveness with information security controls

One of the ways to confirm that the information security controls achieve operational effectiveness is to first define the “Information Value Chain”. The information value chain can be defined as the flow of business information that contributes to the business activities performed in order to meet the business objectives and goals, leading the organization towards its growth path. In simpler terms, it is the way business information flows to perform business operations. Information flows vertically and horizontally within the organization. It flows vertically when it moves between the different levels within an organization or between the organization and third parties, whereas it flows horizontally when it moves between different departments or organizational units. The information flow also depends on internal and external factors. Internal factors include internal processes, policies, organizational structure, governance, etc., while the external factors include geography, the political and economic environment, etc.

Once the information value chain has been identified and clearly defined, it becomes evident what type of information, and in what shapes and forms, is critical to the business and, more precisely, how protection of its confidentiality, integrity and availability can support business operations. To make this more visible in the organization, it is vital to identify what could go wrong if the business information is not protected, so that business decisions can be made regarding its protection, i.e. clear information security objectives must be formulated to reflect how business activities depend on the critical information and how it should be protected. Similarly, the information security strategy must also align with the business strategy.

The information security goals must be very clear and the objectives should be approved by management. For example, the business objective of a pizza company may be to become the best pizza brand in the country and to provide the fastest delivery of pizzas to the customer’s location. Information security goals may support this business objective by ensuring that critical information such as pizza orders, location details and delivery times is correctly available to deliver pizzas on time, and that customer credit card numbers are well protected, so that customer loyalty is established, ultimately making the pizza company the best brand in the country and profitable in its business.

As discussed earlier, information is everywhere in an organisation: higher management needs information about their products or services, whereas lower levels need to know information about the status of inventory or service level compliance. The IT department needs information from the business to know the IT services demanded, whereas the HR department needs salary information to process payroll. Since the information resides in different forms and shapes in different parts of the organisation, the demand for protection varies as well. This demand can be very clearly described by formulating clear information security objectives. The information security objectives must ultimately be able to support the business activities in reaching the organisation’s goals, and thereby meet the business objectives as well.

To establish information security objectives, it is of utmost importance to realize what type of information is critical for the business and what impact the business might suffer from a loss of confidentiality, integrity or availability of that information.

Let’s take the example of another organisation, a production house, in which a salesperson depends on correct information about the quantity of a certain product in the warehouse and its demand in the market, based on which he can decide to buy a certain quantity from a vendor. If the stock information from the warehouse is incorrect or unavailable, or the demand figures are fudged, the business might suffer losses due to either underproduction or overproduction of goods.

Thus, very clearly, information security controls support the achievement of business objectives and operational effectiveness.

5.3 Verifying & validating the information security controls

It has been clarified that the information security controls are important for the business functioning of the organization. Further, these information security controls contribute to the protection of the information which is required to conduct the business activities. Verifying and validating (i.e. measuring) these information security controls facilitates decision making, non-compliance identification and performance improvement, and verifies how well the selected security requirements, which are based on the risk assessment and applicable legal and regulatory requirements, have been met.

The following can be defined as main objectives of measuring the information security controls:

► to evaluate the effectiveness of implemented security controls and control objectives;

► to evaluate the effectiveness of the ISMS, including the cycle of continual improvement;

► to provide security indicators to assist management review;

► to facilitate improvement of information security;

► to communicate the effectiveness of information security to the organization;

► to serve as an input into the risk management process;

► to provide output for an internal comparison and benchmarking of effectiveness.

Now that it is clear why measurement of the information security controls is required, let’s identify how this measurement can be performed. One of the many common methods applied for the measurement of information security controls is using the CMMI[3] (Capability Maturity Model Integration) model. Using CMMI levels, it can be easy to verify and validate whether these information security controls are doing their job properly, thereby keeping the organization out of trouble.

These CMMI levels are defined as below:

CMMI Level       Meaning

1  Initial       An initial information security control exists, but it is performed on an ad-hoc basis.

2  Repeatable    The information security control is repeated, but based on intuition.

3  Defined       The information security control is surrounded by a defined process.

4  Managed       The information security control is managed and measurable.

5  Optimized     The information security control is optimised to the current environmental factors.

Table 2: CMMI Levels and their meaning

Using the CMMI levels as defined in the table above, an internal information security auditor can assign a score to each individual information security control based on the audit findings, supported by an audit trail.

[3] CMMI is only one of the many maturity models commonly used to measure the maturity of information security controls. There are various other models, such as the CoBIT Maturity Model, the INK model or the KAD model, that may be used to perform a maturity assessment.


To make the measurements more objective, Key Performance Indicators (KPIs)[4] should be defined at the level of each individual control, to benchmark whether the controls are working at the desired level of performance. Those controls mitigating higher risks should be looked at more carefully than those mitigating medium or low risks. The measurements produced through the application of the CMMI model, resulting in the output from the internal audit, can contribute as inputs to the process of reviewing the existing controls and determining whether they should be changed or improved.

An organization can decide what maturity level it desires to achieve, at the individual control level or for the security program as a whole, and in what time frame, and can build an information security strategy around it. By means of the information security strategy, clear information security objectives can be formulated to reflect how business activities depend on the critical information and how it should be protected. Similarly, the information security strategy must also align with the business strategy.
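The scoring described in this section and the previous one, as an added example that is not part of the thesis: each control receives a CMMI level from Table 2, is compared with the target level the organization chose, is weighted by the risk it mitigates, and is checked against its KPI. Control names, risk ratings, target levels and KPI thresholds are constructed assumptions (the thesis’s own KPI example is in Appendix D, which is not reproduced here).

```python
"""Scoring ISMS controls with the CMMI levels of Table 2, plus the KPI check.
Added example, not from the thesis; control names, risk ratings, target
levels and KPI thresholds are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass, field

# CMMI levels as listed in Table 2 of the thesis.
CMMI_LEVELS = {1: "Initial", 2: "Repeatable", 3: "Defined", 4: "Managed", 5: "Optimized"}
# Controls mitigating higher risks are looked at more carefully: constructed weights.
RISK_WEIGHT = {"high": 3, "medium": 2, "low": 1}

@dataclass(frozen=True)
class KPI:
    name: str
    measured: float
    target: float
    higher_is_better: bool = True

    def met(self) -> bool:
        if self.higher_is_better:
            return self.measured >= self.target
        return self.measured <= self.target

@dataclass
class ControlFinding:
    control: str
    risk: str            # rating of the risk the control mitigates: high / medium / low
    observed_level: int  # CMMI level the auditor assigned, supported by the audit trail
    target_level: int    # maturity level the organization decided to reach
    kpis: list[KPI] = field(default_factory=list)

    def __post_init__(self) -> None:
        for level in (self.observed_level, self.target_level):
            if level not in CMMI_LEVELS:
                raise ValueError(f"{self.control}: {level} is not a CMMI level")
        if self.risk not in RISK_WEIGHT:
            raise ValueError(f"{self.control}: unknown risk rating {self.risk!r}")

def maturity_gap(f: ControlFinding) -> int:
    """Levels still to climb; zero when the control is at or above its target."""
    return max(0, f.target_level - f.observed_level)

def priority(f: ControlFinding) -> int:
    """Risk-weighted gap: a high-risk control one level short outranks a low-risk one."""
    return RISK_WEIGHT[f.risk] * maturity_gap(f)

def kpi_shortfalls(f: ControlFinding) -> list[str]:
    """Names of the KPIs the control currently misses."""
    return [k.name for k in f.kpis if not k.met()]

def status(f: ControlFinding) -> str:
    """Combine the CMMI score with the KPI check: a control can sit at its target
    level on paper while its KPI shows it is not performing as desired."""
    gap, short = maturity_gap(f), kpi_shortfalls(f)
    if gap and short:
        return "maturity gap and KPI shortfall"
    if gap:
        return "maturity gap"
    if short:
        return "KPI shortfall"
    return "on target"

def program_maturity(findings: list[ControlFinding]) -> float:
    """Risk-weighted average observed level for the security program as a whole."""
    total_weight = sum(RISK_WEIGHT[f.risk] for f in findings)
    return sum(RISK_WEIGHT[f.risk] * f.observed_level for f in findings) / total_weight

def review_order(findings: list[ControlFinding]) -> list[str]:
    """Control names in the order management should review them: largest
    risk-weighted gap first, then higher risk first."""
    ranked = sorted(findings, key=lambda f: (-priority(f), -RISK_WEIGHT[f.risk], f.control))
    return [f.control for f in ranked]

# Constructed audit findings for four controls (KPI values are percentages).
SAMPLE_FINDINGS = [
    ControlFinding("Access control", "high", observed_level=2, target_level=4,
                   kpis=[KPI("leaver accounts disabled within 1 day (%)", 72.0, 95.0)]),
    ControlFinding("Backup and restore", "medium", observed_level=3, target_level=3,
                   kpis=[KPI("restore tests passed (%)", 100.0, 100.0)]),
    ControlFinding("Incident management", "high", observed_level=4, target_level=4,
                   kpis=[KPI("incidents closed within SLA (%)", 88.0, 90.0)]),
    ControlFinding("Security awareness training", "low", observed_level=1, target_level=3,
                   kpis=[KPI("staff trained in last 12 months (%)", 40.0, 90.0)]),
]

if __name__ == "__main__":
    by_name = {f.control: f for f in SAMPLE_FINDINGS}
    for name in review_order(SAMPLE_FINDINGS):
        f = by_name[name]
        print(f"{name:<28} level {f.observed_level} ({CMMI_LEVELS[f.observed_level]})"
              f"  target {f.target_level}  priority {priority(f)}  {status(f)}")
    print(f"program maturity (risk-weighted): {program_maturity(SAMPLE_FINDINGS):.2f}")
```

Note that "Incident management" is rated at its target level yet still shows a KPI shortfall, which is the case the KPI check exists to catch.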


[4] An example of a Key Performance Indicator (KPI) is given in Appendix D.


6 What benefits can information security audits bring to an organization?

Information security audits bring many benefits to an organization; some of them are more essential than others. As an outcome of the information security audits, you get to know how good or bad the security condition of your organization is, so you can decide whether or not to rely on the information provided to management. It makes you take control of your business processes so that better business decisions can be made based on a reliable set of information. Information security audits can also provide a better view of any gaps between what an organization’s management wants and what is delivered.

Before I get into the nitty-gritty of what benefits an information security audit can bring, it is important, for the sake of clarity, to understand the basic principles of auditing. These principles make the information security audit an effective and reliable tool in support of management policies and controls, providing information on which an organization can act to improve its performance, protect itself from business risks and direct itself towards growth. Adherence to these principles is a prerequisite for providing audit conclusions that are relevant and sufficient, and for enabling auditors working independently from one another to reach similar conclusions in similar circumstances.

The following principles relate to information security auditors:

► Ethical conduct: the foundation of professionalism; trust, integrity, confidentiality and discretion are essential to information security auditing.

► Fair presentation: the obligation to report truthfully and accurately; audit findings, audit conclusions and audit reports reflect truthfully and accurately the audit activities.

► Confidentiality: discretion in the use and protection of information acquired. This concept includes the proper handling of sensitive or confidential information.

► Due professional care: the application of diligence and judgment in auditing; auditors exercise care in accordance with the importance of the task they perform and the confidence placed in them by the auditee and interested parties.

► Independence: the basis for the impartiality of the audit and the objectivity of the audit conclusions; auditors are required to be independent of the activity being audited and free from bias and conflict of interest.

► Evidence-based approach: provides the rational method for reaching reliable and reproducible audit conclusions in a systematic audit process.

Assuming that an information security auditor adheres to the basic auditing principles mentioned above, several benefits can be realized through an information security audit that enable organizations to drive growth and profitability. In an information security audit, an auditor should typically look at how the information security controls are working and at what level of maturity, compared to the business requirements (as described in the above chapter).

Based on the outcomes of the literature research and the interviews, the following can be described as the main benefits that information security audits can bring to an organization:

a) Identification and assessment of risks: An information security audit helps companies identify the information security risks and barriers they might face on the path to achieving their business objectives. It also assesses the likelihood of a security risk materializing and its possible consequences, thereby giving a perspective of which risks are “key” and therefore require more urgent management attention. Information security audits can help companies be better prepared to prevent certain adverse events from occurring and also to provide an adequate response should such events occur. This means that an organization is likely to face fewer surprises or crisis situations and to be better prepared for most eventualities.

b) Evaluating information security controls: Using information security audits, companies can assess whether the information security controls and procedures they have put in place are adequate to mitigate the identified information security risks. This enables companies to improve control procedures and make course corrections where needed. Evaluation of the controls by experts in this field can help remedy gaps in information security controls.

c) Ensuring compliance with regulations: Compliance with related regulations as well as internal information security policies and procedures is a key result of the involvement of information security audit. A constant focus on this area through the internal information security audit function can help management promote a culture of “compliance consciousness” where compliance occurs as part of everyone’s daily work rather than as a separate process.


d) Improve effectiveness and efficiency of processes: When management extends the internal information security audit scope to include evaluation of organizational risks, this can enhance the effectiveness and efficiency of business processes by identifying duplicated and redundant activities. Internal information security audit may also identify key areas for improvement, leading to more mature business processes.

e) Uncover fraudulent or other illegal activities within the company: Using information security audits, companies can identify illegal activities that are taking place due to improper access control and monitoring. By analyzing logs and trends, an information security auditor can alert top management to any fraud taking place within the organization.

f) Provide comfort to management, the Board and other stakeholders: One of the most important benefits of an information security audit is to provide assurance to management and a level of comfort to internal and external stakeholders that the organization has a strong information security environment that sufficiently mitigates the risks it might be exposed to, e.g. information leakage or hacking activities, thereby contributing towards meeting business objectives.

Management must actively utilize the services of the information security audit function to act as a sounding board for strategies under development, to anticipate information security risks before they materialize and to take appropriate and timely action. If used effectively, information security audits can become a tool that helps create significant business value.

In a recent Global Information Security Survey conducted by Ernst & Young, CIOs, CISOs, CFOs, CEOs and other information security executives (1836 participants in total) from 64 countries and across all industry sectors were asked questions related to the speed of change and the widening gap in information security. 68% of the survey participants agreed that assessments performed by the internal audit function are a way to assess the efficiency and effectiveness of information security. Below is the output of one such question asked during the survey:


Figure 6: 15th Annual Ernst & Young Global Information Security Survey Output

To make an information security auditor’s report more useful, he/she can specify in the report the exact gaps in the information security controls that could make the business suffer and could lead to:

► Lost productivity. Based on the auditor’s report, business executives can quantify how many employees would be unable to get work done because of a security breach, and for how long. What if their computing equipment were seized by law enforcement for forensic analysis? How much time would be spent by IT staff repairing damage caused by the breach as opposed to doing other work?

► Loss of revenue during outages. As an outcome of the auditor’s report, the business can determine how much revenue it might lose per minute, per hour, or per day if the corporate website does not work. What if it lost Internet connectivity?

► Loss of data, temporary or permanent. Restoring from a backup can be costly. An auditor’s report could provide details on whether an insider can or cannot destroy company backups.


► Compromise of data through disclosure or modification. Strategic and product plans, as well as sensitive financial information, are just a couple of examples.

► Repair costs. You might need to buy new hardware or use disk-recovery services, for example.

► Loss of reputation. Think about how you’d feel reading about the breach on the front page of a newspaper. Many countries have, or are considering, laws that require disclosure of incidents that compromise customer data. Do you do business in these countries?


7 What are the possible ways to make information security benefits more visible in the organization?

As the wise adage goes, “a penny saved is a penny earned”, and it applies perfectly well to the field of information security. In this field, benefits cannot be correctly and quantifiably measured as a concrete gain, but rather as a reduction in risk and losses. It is not an investment that provides a return, like a new product or a service; it is an expense that, hopefully, pays for itself in cost savings and risk aversion. Ultimately, information security provides benefit in terms of risk management and loss prevention and not through tangible earnings.

The bigger question to ask is “Is information security really necessary?” To answer it, one has to think in terms of the risks or losses averted by complying with various legislation, regulations and contractual requirements. Think about the penalties you would have to pay if you did not invest in information security, and if they are quantifiable, make them appear in the form of a management dashboard. E.g. if you saved €500.000,- of penalties by implementing controls worth €100.000,-, there is a tangible and visible benefit; however, this is not as clear in most cases.

Another way to make information security benefits more visible is by showing how it helped achieve competitive advantage in the marketplace, e.g. the number of contracts won because of the security capabilities. One can even measure how expenses/costs were saved by decreasing the number of incidents year on year or quarter on quarter. Even demonstrating how business operations were optimized can be an efficient way to demonstrate the benefits of information security. Additionally, find out how information security can underpin certain elements of the company’s corporate strategy.

The key to making these information security benefits more visible is a clear and approved measurement system (e.g. through KPIs) which can define how the company achieved the set objectives due to information security initiatives. The problem is not that management doesn’t want to invest in information security, but that it is either uninformed about it, or that there is no instrument to make it visible. The dashboard below shows one of the instruments that management can receive on a regular basis so it can see the real benefits of information security.


Figure 7 (dashboard image; only its labels survive extraction): Security Management Dashboard with panels for security breaches/frauds detected and avoided versus successful security breaches; Control Maturity Score (Compliant 40%, Minor Gaps 20%, Major Gaps 10%); Security Audit Findings and number of critical security assets per department (Sales, HR & Admin, Technology, Legal & Finance, Operations); Training Pace (8 security trainings conducted across the organization, 97% of staff successfully completed); Incidents (prevented, corrected, detected) and frauds; overall new-joiners access registered 99%; accomplishment of 92% of security objectives; staff change passwords regularly; security changes unregistered; assets classified; observations.

Figure 7: Management dashboard (example) highlighting summary of audit results

Using a dashboard like the one shown above, an internal auditor can provide the information that management expects to see in order to continue its interest in information security investments. As a concept, this dashboard shows how many information security breaches or frauds were detected and avoided due to the presence of information security controls. This could also be shown in terms of Euros (€) or Dollars ($) saved by avoiding security breaches. It also provides details of how information security trainings keep employees sharp and business information safe. Control maturity scores (as calculated using the CMMI maturity model discussed above) can also be shown in this dashboard. The dashboard also presents details of the cultural aspects or discipline towards risk management policies in the organization; as shown above, it demonstrates how many employees have changed passwords regularly, how many information assets are classified, etc. It provides scores per department on the number of critical security assets that business processes depend on, and so on.


With this kind of output from internal audits, management can decide whether or not it is in control of the organizational information and its flow. It serves as an important input during management review meetings to drive the organization towards a growth trajectory. Hence, it is a perfect way to make security more visible in the organization.

During the interviews, participants were asked what methods and techniques they have used in their organization to make information security and its benefits more visible. Their responses, together with research in the public domain, have resulted in the following methods and techniques that can be used in an organization to make information security more visible:

Figure 8: Methods & Techniques to make Information Security & Audit Benefits visible in the organization


8 How can an information security auditor help?

An organization needs to conduct information security audits to determine the effectiveness of its management system. An information security auditor can help an organization find out how risks have changed since they were last assessed, whether there is any lack of funding, and identify cultural issues and any internal and external threats to business information and processes. Further, the risk of being exposed before the eyes of management induces staff to keep within compliance with organizational policies and procedures, to avoid errors of omission or commission.

In addition, an auditor can help address the cross-communication problem that often results in different departments speaking different languages, leading to inconsistencies throughout the business. For the financial manager, information security may equate to minimizing financial risk and loss, while to the sales manager it is ensuring that nothing interferes with sales efforts and achieving targets. The legal department sees it as a function of regulatory compliance, while a board member regards it as protection from personal liability. To resolve this issue, an auditor helps an organization create a culture that is supportive of information security. An auditor fosters a systematic thinking approach to understanding the interactions and consequences of addressing a particular situation, thereby avoiding a problem greater than the one being addressed. An auditor can also help ensure that departmental isolation is reduced so that top management gains a better picture of information risk and how it relates to overall organizational risk.

Below, the role of an information security auditor is explained using the examples of a telecom organization and a banking organization. During the interviews and literature research, it was realized that these two organizations are very different from each other in terms of their information sets and the types of information systems used for business operations; however, the common element is that they both depend on satisfactory customer service for their existence. These examples explain how maximum value can be derived by raising the potential of an information security auditor in two different and yet so similar information security environments.


8.1 Raising potential of an information security auditor in a telecom company

Telecommunications companies are considered the backbone of any country’s economy. The amount of information flow that takes place through telecom companies is enormous, and hence they have a very important place in our society. Telecom companies are designated to provide telecommunications services by intermediating the communications of others through facilities for the use of others’ communications; hence, telecom operators have a complex network, which comprises network elements belonging to different vendors that are mostly proprietary applications, operating systems and protocols, and which remain unknown to the telecom operators. The scenario is more complex when network management is outsourced through contracts with multiple network vendors.

Typical services provided by a telecom operator fall under three categories: Mobile, Fixed Line and Data Services. Information security management in telecommunications organizations is required regardless of the service or method. If information security is not implemented properly, the extent of telecommunications risks regarding confidentiality, integrity and availability may increase. During the interviews it was mentioned that most countries have security requirements as part of the telecom operator’s license terms and conditions, which refer to enhancing security in the telecom operator environment and conducting mandatory internal/external information security audits. Not adhering to these requirements could jeopardize the license to operate.

Looking at the service portfolio of a telecom service provider, it can be said that if any of these three services were to be attacked or impacted by information security incidents, this also impacts the day-to-day lives of the many people relying on the telecom services, taking the effects beyond the boundaries of the telecom organization. E.g. if the mobile/data services were impacted, subscribers would not be able to make mobile calls, send messages, make mobile payments and/or use GPRS/3G/4G services. In such a situation, the telecom operator not only suffers the direct financial loss, but also the reputation loss combined with many knock-on after-effects.

Therefore, it is of paramount interest to top management to keep information security controls updated and accurately implemented according to the risks. The methods for protection of business information and related assets of a telecommunications company must be appropriately audited in order to avoid significant interference with telecommunications service delivery.

The figure below shows the organizational processes of a typical telecommunications organization. It is important for an information security auditor to understand the functioning of these processes, which support customer service delivery, and how they rely on information and information systems to a very large extent. Knowledge of these business processes and related risks enables an information security auditor to correlate the impacts of information security risks to the business processes, thereby enabling top management to understand the gaps.

Figure 9: Typical services & related business process in a telecom organization

As described in the figure above, there are typically three types of services provided by a telecom organization: landline services, which are still considered the main communication facility for many businesses and government institutions; mobile services, which provide increased mobility to subscribers; and data services, enabling access to information anywhere and anytime. Irrespective of the service, the main processes within these remain almost the same, as described above.

By understanding the deep relationship between business activities and the related information security risks, an auditor can help the top management of the telecom company understand how the information security controls influence the flow of information throughout the organization amidst the increased size and complexity of operations, changing technology and complexity of services, evolving regulatory requirements and increasing demands of end customers.

As an information security auditor, one provides expert advice on how the business is impacted if information is compromised. E.g., if information about the development of new services and products is leaked before their launch, a competitor might take competitive advantage and launch a similar product or service before the organization, leading to loss of finances and market position. Similarly, if the business information in the supply chain and logistics business process (comprising the Procurement, Purchasing, Logistics and Stock Management sub-processes) is unavailable, it could delay the delivery of telecom services to subscribers.


The revenue generation business process is typically a set of sub-processes such as Interconnect and Roaming Agreements set-up, Cash Management, Financial Statement Close and Taxes activities, etc. The role of an information security auditor in such a business process is to ensure that any regulatory requirements and contractual obligations pertaining to information security are fulfilled.

The billing process is related to the production of timely and accurate bills, providing pre-bill usage information and billing to customers, for both prepaid and postpaid subscribers. In addition, the customer care part of this process handles customer inquiries about bills, provides billing inquiry status and is responsible for resolving billing problems to the customer's satisfaction. An information security auditor can verify that access to critical customer information is restricted on a need-to-know basis and that customer bills are accurately charged based on a correct data set.

As another example, all processes dealing with CDRs (Call Detail Records) are critical in terms of the confidentiality and integrity of customers' sensitive personal information. In most countries it is a legal requirement, due to stricter privacy laws, to protect this sensitive information from unauthorized disclosure and unauthorized modification. An internal information security auditor’s report may provide confidence to the stakeholders that the sensitive information is protected appropriately.

Summarizing the arguments above, it can be concluded that an information security auditor can indeed be indispensable for telecom companies; the trick is to realize the auditor's true potential.


8.2 Raising potential of an information security auditor in a bank

A banking institution is a combination of various complex business processes (such as Insurance, Investments, Retail, etc.) aimed at the exchange of money by accepting money deposits and channelling them into lending activities, either through loans or through capital markets. In this way of working, a typical bank depends heavily on information and information systems to provide its services.

Due to their influence within a financial system and an economy, banks are generally highly regulated in most countries. That means not only do they have to comply with stricter regulations, but they must also survive in a market where customers expect banks to be secure and to manage their information (personal information, but also, most importantly, financial/transactional information) with the utmost care. Due to the complexity and variety of the business models in a bank, only Internet banking has been discussed in this thesis and chosen as an example to explain the potential of an information security auditor.

Internet banking (or online banking or e-banking) allows customers of a banking institution to conduct financial transactions on a secure website operated by the institution. However, the rapid pace of technological innovation has changed the scope, complexity and magnitude of the risks that banks face in providing Internet banking. Security of a customer's financial information is very important; without it, online banking could not operate. Therefore banks across the world are required to have resilient operations and processes that enable them to manage and respond to existing risks and to adjust to new risks.

During the case study research, it was noted that in March 2012, 1.5 million VISA and MasterCard records were hacked, whereas in April 2012 a hacker stole 200,000 PayPal accounts and 2,701 bank card numbers in the U.K. Although these threats are growing, the electronic medium and the Internet also create new business opportunities to attract customers and sustain growth. In such a high-paced information world, it is no wonder that demand for assessing information security implementations is at its peak.

An information security auditor in a bank can help avoid any major impact on its Internet banking by assessing the risks to the entire information flow (and related components), exposure of which could have severe ramifications for the bank. Typically, the information flow in an Internet banking service can be classified into three categories, namely information service, interactive information exchange service and transactional service.

Information service is the most basic form of online Internet service. It is a one-way communication whereby information, advertisements or promotional material are provided to the customers. Although the risks associated with such online services are low, these services are often the targets of hacking. A bank may suffer reputational harm resulting from its website being hacked and defaced. An information security auditor could help in identifying the vulnerabilities at the infrastructure level and avoiding any impact to the bank’s business.

Interactive information exchange service offers slightly more bank-customer interaction compared with the former. Customers are able to communicate with the bank, make account enquiries and fill in application forms to take up additional services or purchase new products offered. An information security auditor could assess whether there are any risks pertaining to direct links to the bank's internal network or technical vulnerabilities. These risks range from low to moderate depending on the connectivity between the Internet and the internal network and the applications that the customers could access.

Transactional services allow customers to execute online transactions such as the transfer of funds, payment of bills and other financial transactions. This is the highest risk category and requires the strongest information security controls and regular monitoring, since online transactions are often irrevocable once executed. The bank’s Internet systems may be exposed to internal or external attacks if information security controls are inadequate. A heightened element of risk is that attacks against Internet systems do not require physical presence at the site being attacked. At times, it is not even clear or detectable when and how attacks are launched from multiple locations in different countries.

To be able to assess the entire information flow in such a service, an auditor should assess the People, Process and Technology aspects of the information security controls as described below:

People (Internal/external/customers):
► Confidentiality Agreements – checking if the internal/external staff have signed the confidentiality agreements;
► Terms & Conditions of Online Banking Usage – ensuring that the terms & conditions of online banking usage are accepted by the customers;
► Mandatory Awareness Training on the first login – reviewing the trends and results from the mandatory awareness training on first login to the Internet banking system and providing recommendations for improvements;
► Change of Password upon first login – attesting that the customers are mandated to change passwords upon first login through information systems;
► Privacy Statement – checking if the privacy statements are included in the customer and staff contracts.


Process:
► Delivery of Online Username & Password – assessing the end-to-end process followed by the bank to ensure that first-time online user credentials are delivered in a secure manner;
► Reset of Online Banking Passwords – checking how the user can reset the online banking password;
► Segregation of Duties – ensuring that duties regarding user administration are divided so that no person other than the user can perform Internet banking transactions.

Technology:
► Technology – verifying the technology that is used for delivering the online banking solution to the customers. Several methods (as listed below) can be used for authentication, and the auditor may assess whether the chosen method is working successfully or not:
► Digital Certificates;
► One-Time Password Tokens;
► One-Time Password Cards;
► Browser Protection;
► Virtual Keyboards;
► Device Registering;
► CAPTCHA;
► Short Message Service;
► Device Identification, etc.


9 Summary

The final chapter of this thesis presents the conclusion that answers the main research question of this study. Finally, a reflection upon the research, a discussion of the results, and suggestions for further research are offered.

9.1 Conclusion

For this study, the following main research question was defined:

What are the business benefits of Information Security Audits?

While many organizations still view information security and its audits as a cost, it has been shown through literature research and interviews that effectively managed information security audits are instrumental in helping an organization meet its business goals by improving efficiency and aligning with business objectives. The practical experience of the interviewees is that organizations too often view information security in isolation: the perception is that information security is someone else’s responsibility and there is no collaborative effort to link the information security program to business goals. It is easy for this compartmentalized approach to lead to weaknesses in information security management, possibly resulting in serious exposure. That is where information security audits bring the benefits of information security controls to the forefront and ensure that any negative exposure of business information is avoided before it is too late.

Information security audits are considered a strategic asset or a driver of business value. From a financial perspective, information security audits prevent unnecessary expenditure on information security and controls due to a lack of comprehension of business needs. From an operational perspective, information security audits enable organizations to drive information security efforts in the right direction to achieve the intended business benefit and avoid negligence, resulting in the aversion of risks to information.

Further, the implementation of information security audits helps the organization streamline its internal processes and technologies, resulting in the safeguarding of organizational assets, continuous improvement, and an increase in efficiency and overall business. Information security audits ensure that gaps and weaknesses in ongoing business processes, technical configurations and operations are identified and acted upon in a timely manner. By conducting information security audits, one can ensure that an organization is immune to various known risks (comprising varied threats and vulnerabilities).


The need is to redefine the role of the information security auditor and move toward a full partnership role with management. It is now more important than ever that the information security auditor becomes involved in supporting and helping implement corporate governance in information security and management.

In support of the conclusion on the main research question, the following sub-research questions were answered:

1. How to Protect Business Information?

There are many ways to protect critical business information, but for protection to be effective, efficient and repeatable it is important to follow a proven framework of a tested management system (such as the one specified by ISO/IEC 27001:2005). An information security management system (ISMS) provides a systematic way to manage information security risks and to implement the controls. Working with the Plan-Do-Check-Act cycle means aligning the information security implementation with the assessed risks and performing an audit that reviews the design of the ISMS, the existence of its controls and the operational effectiveness of the information security controls.

To protect critical business information, the related risks and their potential impact in terms of loss of confidentiality, integrity and availability are assessed. Based on the identified risks, decisions are made on which information security controls to implement, leading to the protection of business information.

2. How to measure if information security controls meet business objectives?

One common method for measuring information security controls is the CMMI (Capability Maturity Model Integration) model. Using CMMI levels, an information security auditor can verify and validate whether the information security controls are doing their job properly, thereby keeping the organization out of trouble. Using the CMMI levels (1 to 5), an internal information security auditor can score each individual information security control on the basis of the audit findings, supported by an audit trail. The measurements produced by applying the CMMI model, reported as output of the internal audit, serve as input for reviewing the existing controls and deciding whether they should be changed or improved.

3. What benefits can information security audits bring to an organization?

As an outcome of information security audits, an organization learns how good or bad its security condition is, so that a decision can be made on whether the information provided to management can be relied upon. Audits make the organization take control of its business processes, so that better business decisions can be made on the basis of a reliable set of information. Information security audits also give a clearer view of any gaps between what the organization's management wants and what is actually delivered.

4. What are the possible ways to make information security benefits more visible in the organization?

In the field of information security, benefits cannot be measured quantifiably as a concrete gain, but rather as a reduction in risk and losses. There are various ways to make information security benefits more visible in the organization, including management dashboards for risk reduction, cost savings, the number of avoided incidents, the number of detected frauds and so on, or e-learning modules. Other methods include internal publications such as newsletters, pamphlets and brochures.

5. How can an information security auditor help?

An information security auditor can help an organization find out how its risks have changed since they were last assessed, whether there is a lack of funding, what cultural issues exist, and which internal and external threats to business information and processes are present. Further, the prospect of being exposed in front of management induces staff to comply with organizational policies and procedures, avoiding errors of omission or commission.

9.2 Result discussion

Increasingly, top management is realizing the significant impact that information can have on the success of the organization. Management expects a heightened understanding of the way information is handled and of the likelihood of its being leveraged successfully for competitive advantage.

Looking at the results of this thesis, I realize that information security audits can be used as a supporting tool set that allows organizations to bridge the gap with respect to control requirements, technical issues and business risks, and to communicate that level of self-control to stakeholders. It enables the organization to take full advantage of its business information, thereby maximizing benefits, capitalizing on opportunities and gaining competitive advantage. As an outcome of information security audits, management is also able to optimize the use of available information resources, including information, services, processes, applications, infrastructure and people.

This thesis has shown that information security audits can be highly beneficial for the organization if the full potential of an internal information security auditor is tapped. What is needed is to give auditors a stage on which to show that information security is a board-level priority and should be given visibility, accountability and value.


9.3 Further research

During this study, a number of topics that could be used for future research were identified in the interviews; a few of these topics are discussed below:

Implementation of an ISMS using the Plan-Do-Check-Act cycle

This study does not describe how to implement an information security management system (ISMS). An ISMS implementation varies per organization and depends on its management objectives, its goals for information security and the risks to its business information. An attempt has been made to describe each phase of the Plan-Do-Check-Act cycle, but the intention of this thesis is not to detail the steps leading to a successful ISMS implementation aligned with ISO/IEC 27001:2005. Readers are encouraged to research this area further.

Certification of ISO/IEC 27001:2005 and its benefits to the organization

Since the scope of this thesis is limited to internal information security audits, the pros and cons of achieving ISO/IEC 27001:2005 certification are not discussed. The goals for certification again vary per organization. Experience shows that some organizations obtain certification to satisfy customer demands, some merely to qualify for tenders and some to align themselves with the standard. Readers are encouraged to delve deeper into this area.

Other models to measure information security controls

In chapter 5 (section 5.3), the CMMI model for measuring information security controls is discussed. Although CMMI is one of the most common frameworks, organizations also apply other models, such as COBIT, the KAD model and the INK model, to measure the maturity of information security controls. Readers are advised to consider these different models and to research further which model is most suitable for them.


Appendix A Terms & Definitions

*Audit

Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively

to determine the extent to which the audit criteria are fulfilled.

*As part of this thesis, audits are only considered from an internal information security audit perspective and

not from a compliance audit point of view or any other audits.

NOTE 1 Internal audits, sometimes called first party audits, are conducted by the organization itself, or on its

behalf, for management review and other internal purposes. Internal audits can form the basis for an

organization’s self declaration of conformity.

NOTE 2 External audits include second and third party audits. Second party audits are conducted by parties

having an interest in the organization, such as customers, or by other persons on their behalf. Third party

audits are conducted by independent auditing organizations, such as regulators or those providing

certification.

Audit criteria

Set of policies, procedures or requirements used as a reference against which audit evidence is compared.

Audit evidence

Records, statements of fact or other information which are relevant to the audit criteria and verifiable.

Auditee

Organization or individual being audited.

Auditor

Person who conducts an audit.

Audit programme

Arrangements for a set of one or more audits planned for a specific time frame and directed towards a specific purpose.


Audit scope

Extent and boundaries of an audit.

Asset

Anything that has value to the organization.

Availability

The property of being accessible and usable upon demand by an authorized entity.

Confidentiality

The property that information is not made available or disclosed to unauthorized individuals, entities, or

processes.

Conformity

Fulfillment of a requirement.

Control

Means of managing risk, including policies, procedures, guidelines, practices or organizational structures,

which can be of administrative, technical, management, or legal nature. Control is also used as a synonym

for safeguard or countermeasure.

Information security

Preservation of confidentiality, integrity and availability of information; in addition, other properties such as

authenticity, accountability, non-repudiation and reliability can also be involved.

Information Security Risk

The potential that an undesired event exploits a weakness in an asset and causes a negative impact through loss of confidentiality, integrity or availability of that asset.


Integrity

The property of safeguarding the accuracy and completeness of assets.

Risk

The potential that a given threat will exploit vulnerabilities of an information asset or group of information assets and thereby cause harm to the organization.

Risk management (definition from CISA review manual)

It is the process of identifying vulnerabilities and threats to the information resources used by an organization

in achieving business objectives, and deciding what countermeasures, if any, to take in reducing risk to an

acceptable level, based on the value of the information resource to the organization.

Management system

System to establish policy and objectives and to achieve those objectives.


Appendix B Bibliography

The following literature is used in this thesis:

Standards

► ISO/IEC 27001:2005

► ISO/IEC 27004:2009

► ISO/IEC 27011:2008

► ISO/IEC 17021:2011

► ISO/IEC 19011:2011

► ISAE 3402 framework

Books

► Accounting Information Systems and Internal Control – Eddy Vaassen

Thesis

Web pages, Articles and White papers

► Internal Auditor Magazine – December 2011 (internalauditoronline.org)

► Just below the surface – by Jatin Sehgal & Andrea Craig, www.Norea.nl

► Slimmer zijn dan je criminele opponent – by Jatin Sehgal, www.automatiseringgids.nl

► http://en.wikipedia.org/wiki/Information_security

► http://www.netcoach.eu.com/index.php?id=36

► http://www.isaca.org/Knowledge-Center/BMIS/Documents/IntrotoBMIS.pdf

► http://www.irca.org/en-gb/about/management-systems-auditing

► https://www.checkpoint.com/smb/help/safeatoffice/8.0/7066.htm

► http://www.auditing.arollo.com/external-internal.html

► http://www.bankinfosecurity.com/privacy-c-151

► http://docs.bankinfosecurity.com/files/whitepapers/pdf/416_BIS_Security_and_Financial_Services_Accenture.pdf

► http://www.thedailybeast.com/newsweek/2012/04/08/security-breaches-shake-confidence-in-credit-card-safety.html

► http://www.paramountassure.com/consulting/information_security.html

► http://en.wikipedia.org/wiki/Auditing_information_security

► http://en.wikipedia.org/wiki/Bank

► http://en.wikipedia.org/wiki/Online_banking

► http://www.isaca.org/Knowledge-Center/cobit

► http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/An-Introduction-to-

the-Business-Model-for-Information-Security.aspx


Appendix C Interview Questions

As part of this thesis, interviews were conducted with experts from various organizations in countries such as the Netherlands, Norway, Belgium, Luxembourg and Germany. The interview questions were based on the topic of the business benefits of information security audits.

The goal of these interviews was to discuss the manner in which the benefits of information security and related audits are realized across different organizations in different geographies. The results of these interviews have been used in this thesis, which forms part of the curriculum of the postgraduate study program in EDP auditing at VU University Amsterdam.

As a token of appreciation for the willingness of the interviewees to cooperate, a copy of the final thesis will

be sent to them. All the information gathered from the interviews is treated as confidential and has been used

in this thesis anonymously.

The following questions indicate the type of questions asked during the interviews. Where possible and necessary, the questions were phrased differently to obtain related information from the interviewees:

Q1. In your opinion, why is an ISMS important for your business in protecting business information?

Q2. According to you, how can a management system be audited to ensure protection of business information?

Q3. In your opinion, what can be done to provide Information Security enough coverage through-out the organization, so it is not just an IT project?

Q4. What are your suggestions on achieving operational effectiveness within an organization with information security controls?

Q5. How according to you can information security controls be validated and verified?

Q6. What are your suggestions to make information security benefits more visible in the organization?

Q7. What benefits can information security audits bring to an organization?

Q8. Please explain how you utilize the deep potential of an information security audit to achieve overall business vision?


Appendix D An example key performance indicator (KPI)

Information security control or control objective

Clause 5.2.2.d [ISO/IEC 27001:2005], Training, awareness and competence. The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by: d) maintaining records of education, training, skills, experience and qualifications.

Purpose of measure

► To establish control compliance and report it to top management.

► To ensure that the business objectives for information security training are achieved.

Measurement calculation details

Calculation function, expressed by the formula:

RWISMS = WEISMS / WSEISMS

in which:

WEISMS = Σ workers who have received ISMS training according to the ISMS annual training plan.

WSEISMS = Σ workers affected by the ISMS scope who have to receive ISMS training.

Stakeholders

Owner: Human Resources (Training Manager)

Customer: ► Top Management ► ISMS Manager ► Security Management ► Training Management

Collector: Training Management (Human Resources Department)

Communicator: Top Management

Reviewer: ISMS Manager

Life cycle (frequency of collection)

Monthly, on the first working day of the month.

Criteria

RWISMS between 0 and 0.99 is unsatisfactory; RWISMS = 1 is correct.

If in the second quarter RWISMS < 0.8 (unsatisfactory), increase training.

If at the end of the year RWISMS is still unsatisfactory, review the training budget and training plans.

Indicator effects/impact

ISMS non-compliance.

Causes of deviation

► Low budget.

► Ineffective training plan.

► No appropriate allocation of work shifts to allow training.

► Shortage of personnel to cover the work shifts of personnel in training.

Remarks

If the number of workers changes during the period of analysis, a hypothetical value of RWISMS > 1 (caused by a decrease in the number of workers) is reported as RWISMS = 1.
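The following is an added example, not part of the thesis, of how the RWISMS indicator above could be computed from HR training records and checked against the criteria, including the remark about a shrinking workforce pushing the raw ratio above 1. The data model (a worker record with an in-scope flag and an optional training date), the sample records and the ISO-formatted collection dates are constructed for illustration and are not from the thesis.

```python
"""RWISMS training KPI from Appendix D: calculation, clamping and criteria check.

Added example, not the thesis author's code. The Worker record type and the
sample data are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Worker:
    """One HR training record (hypothetical data model)."""
    worker_id: str
    in_scope: bool               # affected by the ISMS scope, so required to be trained
    trained_on: Optional[str]    # ISO date of ISMS training per the annual plan; None if untrained


def rw_isms(workers: Iterable[Worker], as_of: str) -> float:
    """RWISMS = WEISMS / WSEISMS on the collection date `as_of` (ISO date), clamped to 1.

    WEISMS  counts every worker with a training record dated on or before `as_of`,
            including workers who have meanwhile left the ISMS scope (headcount change).
    WSEISMS counts the workers currently in scope who have to be trained.
    A shrinking headcount can push the raw ratio above 1; the Appendix D remark says
    to report such a value as 1, which is what the min() does.
    """
    collection_date = date.fromisoformat(as_of)
    records = list(workers)
    wse = sum(1 for w in records if w.in_scope)
    if wse == 0:
        # Assumption: with nobody in scope there is nobody left to train, so report 1.
        return 1.0
    we = sum(
        1 for w in records
        if w.trained_on is not None and date.fromisoformat(w.trained_on) <= collection_date
    )
    return min(1.0, we / wse)


def assess(rw: float, as_of: str) -> str:
    """Apply the Appendix D criteria to a monthly value collected on `as_of`."""
    if rw >= 1.0:
        return "correct"
    month = date.fromisoformat(as_of).month
    quarter = (month - 1) // 3 + 1
    if quarter == 2 and rw < 0.8:
        return "unsatisfactory: increase training"
    if month == 12:
        # Last collection of the year still unsatisfactory: escalate to budget and plan review.
        return "unsatisfactory: review training budget and training plans"
    return "unsatisfactory"


def report(workers: Iterable[Worker], as_of: str) -> Tuple[float, str]:
    """Collect the KPI for one month and return (RWISMS, assessment)."""
    records = list(workers)
    rw = rw_isms(records, as_of)
    return rw, assess(rw, as_of)


# Constructed sample records: four workers in scope, two of them trained, plus one
# trained worker (w005) who has meanwhile left the ISMS scope.
SAMPLE_WORKERS = [
    Worker("w001", True, "2012-01-16"),
    Worker("w002", True, "2012-03-12"),
    Worker("w003", True, None),
    Worker("w004", True, None),
    Worker("w005", False, "2012-02-06"),
]

if __name__ == "__main__":
    # Monthly collection on the first day of February, June and December.
    for as_of in ("2012-02-01", "2012-06-01", "2012-12-01"):
        rw, verdict = report(SAMPLE_WORKERS, as_of)
        print(f"{as_of}  RWISMS={rw:.2f}  {verdict}")
```

With the sample data the June collection yields 3/4 = 0.75 (w005's record still counts in WEISMS even though w005 is no longer in scope), which falls under the second-quarter rule and triggers "increase training"; the same value in December triggers the budget and plan review. A data set where more trained records exist than in-scope workers is clamped to 1 and reported as correct, as the appendix remark prescribes.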