Author: Jatin Sehgal
Student number: 2160145
E-mail address: (W) [email protected] / (P) [email protected]
Phone number: +31 (0) 6 2908 4825
University counselor: Dr Abbas Shahim RE CGEIT (Partner Atos Consulting & Technology Services)
Company counselor: Martin Wijnmaalen (Partner, Ernst & Young Advisory)
Thesis Number: 1089
WHAT ARE THE BUSINESS BENEFITS OF INFORMATION SECURITY AUDITS?
What are the business benefits of Information Security Audits?
Page 2 of 51
Table of Contents
1 PREFACE 3
2 EXECUTIVE SUMMARY 4
3 THESIS INTRODUCTION 6
3.1 PROBLEM DEFINITION 6
3.2 OBJECTIVE OF THIS RESEARCH & RESEARCH QUESTION 8
3.3 RESEARCH APPROACH 9
3.4 SCOPE LIMITATIONS 10
3.5 ASSUMPTIONS 10
3.6 LAYOUT OF THIS THESIS 10
4 HOW TO PROTECT BUSINESS INFORMATION? 12
4.1 WHY IS INFORMATION SECURITY MANAGEMENT SYSTEM IMPORTANT? 12
4.2 HOW CAN A MANAGEMENT SYSTEM BE AUDITED TO ENSURE PROTECTION OF BUSINESS INFORMATION (DESIGN CHECK)? 17
5 HOW TO MEASURE IF INFORMATION SECURITY MEETS BUSINESS OBJECTIVES? 22
5.1 INFORMATION SECURITY COVERAGE IN THE ORGANIZATION 22
5.2 ACHIEVING OPERATIONAL EFFECTIVENESS WITH INFORMATION SECURITY CONTROLS 23
5.3 VERIFYING & VALIDATING THE INFORMATION SECURITY CONTROLS 24
6 WHAT BENEFITS CAN INFORMATION SECURITY AUDITS BRING TO AN ORGANIZATION? 27
7 WHAT ARE THE POSSIBLE WAYS TO MAKE INFORMATION SECURITY BENEFITS MORE VISIBLE IN THE ORGANIZATION? 32
8 HOW CAN AN INFORMATION SECURITY AUDITOR HELP? 35
8.1 RAISING POTENTIAL OF AN INFORMATION SECURITY AUDITOR IN A TELECOM COMPANY 36
8.2 RAISING POTENTIAL OF AN INFORMATION SECURITY AUDITOR IN A BANK 39
9 SUMMARY 42
9.1 CONCLUSION 42
9.2 RESULT DISCUSSION 44
9.3 FURTHER RESEARCH 45
APPENDIX A TERMS & DEFINITIONS 46
APPENDIX B BIBLIOGRAPHY 49
APPENDIX C INTERVIEW QUESTIONS 50
APPENDIX D AN EXAMPLE KEY PERFORMANCE INDICATOR (KPI) 51
1 Preface
This document is the result of the thesis of the postgraduate study programme in EDP auditing at VU
University Amsterdam. The thesis covers a topic that is relevant to the IT auditing field and is often
challenged in practice: the business benefits of information security audits.
I have been involved in the field of information security for the past 12 years and have often been faced
with the challenge of promoting confidence in the field of information security and in information security
audits. This raised my interest in writing this thesis on the topic.
I would like to thank my supervisor at VU University Amsterdam, Dr. Abbas Shahim, and my supervisor at
Ernst & Young, Mr. Martin Wijnmaalen, for their support and feedback. I also wish to express my sincere
thanks to all the interviewees from various organizations for taking the time to do the interviews despite their
busy schedules.
Jatin Sehgal
2 Executive Summary
So, what are the business benefits of information security audits? It is a question many information security
professionals and information security auditors are asking themselves, without a clear answer. There are many
reasons for this struggle: one is a traditional misalignment with the business, so that this topic never found its
place on top management's agenda; another is that the benefits were neither measurable nor visible enough.
In order to answer this question, it is important to realize what role information security plays in the
organization, how business information is protected and why it is important that an information security
auditor reviews the protection mechanisms. The idea is to understand the information flow within business
processes, and to elevate information security (and its audits) to a business enabler rather than just a cost to
the organization.
Let's start by identifying why information is so critical to an organization in this information age, before
turning to the benefits of information security and its audits.
Recent global trends have shown that organizations are more successful when they manage their business
information in a manner that provides them with a competitive advantage and use this information to drive
business benefits and growth. Information is thus the lifeblood of most organizations across the globe, and it
flows throughout the organization by means of business processes, creating value.
As the global economies struggle in these turbulent times, organizations and their regulators, customers,
partners and other stakeholders are continuously looking for ways to be reassured that this so-called lifeblood
(i.e. organizational information) is protected with the utmost importance and care.
As seen in the media and as a result of industry surveys, many businesses have suffered huge losses due to
the loss of critical business information in the wake of rising security incidents and frauds. Information security
is thus vital to promote confidence and trust in an organization's policies, processes and reputation.
However, it can be quite a challenging task to stay out of the headlines and operate securely without having
someone assess the information security environment regularly. This is where information security audits
can be beneficial to an organization.
As organizations change rapidly, so does the need to monitor them continually. Information security audits
provide a means to ensure that business processes remain secure, repeatable and in step with the business,
and are therefore highly beneficial for any organization in overcoming business challenges. These audits
should be considered a strategic asset or a driver of business value. In this thesis I discuss the real business
benefits that one can achieve by regularly performing information security audits, and the focus of this thesis
is therefore mainly on the following question:
What are the business benefits of Information Security Audits?
For the purpose of this thesis, the business benefits of information security audits have been defined in a qualitative way, i.e. by identifying
and assessing whether information security meets identified goals (such as compliance, performance improvements, strategic alignment etc.)
rather than by calculating the benefits as a numeric value. It was consciously decided not to aim for the quantitative value of information
security audits in terms of a currency amount (such as euros or dollars). Obtaining a quantitative value for information security audits is far
too complex, and hence it has been kept out of scope for this thesis.
Throughout this thesis, the qualitative benefits of performing information security audits are discussed in
the context of how an organizational (management) system for information security can be assessed. To give
this thesis a more practical touch, several interviews were conducted with selected members of premier
organizations across different industries in countries such as the Netherlands, Norway, Luxembourg and
Belgium. It was noted that although information security influences them in the same way, the requirements
for auditing these varied organizations and their goals for conducting these audits diverge significantly.
The interviews have also shown how information security (and its audits) can be customized to achieve the
overall business vision and that slowly but steadily organizations are realizing the deep potential of
performing these audits from a risk management perspective.
Summarizing the results of this thesis, it can be said that information security audits indeed provide substantial
business benefits and can be instrumental in helping an organization meet its business goals by improving
efficiency and aligning with business objectives. They also help avoid losses due to negligence and provide
an independent evaluation of the security environment. However, these audits should be well planned and
managed through a formal audit programme. In the end, they benefit an organization in several ways, albeit
these benefits need to be made more visible and measurable.
3 Thesis Introduction
3.1 Problem definition
In today's high-technology environment, we are becoming more and more dependent on information and
information systems. The public is increasingly concerned about the proper use of information, particularly
personal data and client information. The threats to information and information systems from natural
disasters, human error, disgruntled employees, hackers, criminals and terrorists are ever increasing. No
wonder that information is one of the most valuable assets in an organization and must be protected with the
utmost importance and care.
Information has both financial and non-financial characteristics, so the impact of the loss of information can be
financial and non-financial as well. For a typical organization, both apply. The impact on the business of the
loss of information with financial characteristics also correlates with information security as an internal control
for financial reporting. Information security audits¹ are therefore highly important for an organization to realize
the true potential and business benefit of information security controls, and to recognize the urgency of their
effectiveness and efficiency in managing information security and business risks.
But where does information exist within an organization? Information exists in many different forms and
shapes: it can be printed or written on paper, spoken in conversation or shown in films, sent in an e-mail or
transmitted by other electronic means. Whichever form information takes, it must always be appropriately protected².
An organization needs to identify which information is critical for its business activities (processes), how it is
audited and what impact damage to this information might have on its business. For example, during the
interviews I was informed that information security might be most required in an organization's procurement
process depending on the type of its business, or it may be critical for its accounting systems or may be
mandated as a legal requirement. The bottom line is to understand how damage to business information
impacts the business and, similarly, how information security auditing can bring business advantage and help
protect critical information.
¹ Information security audits are referred to from the perspective of internal audits only, as a key component of
the overall risk management framework (external or certification audits are not the main focus of this thesis).
² Definition as per the ISO/IEC 27001:2005 standard.
But should information security audits focus on technical (ICT) security, data security or information
security? Most of the interview participants mentioned that in practice many organizations struggle to spot
the real difference between data and information, whereas information is the processed data that provides
meaning to its reader so that he or she can understand the communication. What is also important is to
realize the difference between the various aspects and definitions of information security topics prevalent in
the industry. These so-called aspects can be defined in three categories:
► Data Security: The focus of data security is to ensure that data is safe from corruption and that access to it
is suitably controlled. It cannot alone be termed information security, since the focus is only on the protection
of data and not on the other characteristics of information (such as availability). As per the definition on
Wikipedia, data security means protecting a database from destructive forces and the unwanted actions of
unauthorized users.
► IT Security: The focus of IT security is securing the underlying IT infrastructure (network, OS, database,
applications) to ensure information/data security. Thus, IT security ensures that IT infrastructure such as a
server is secured so that the information residing on that server is protected.
► Information Security: The focus of information security is broader, in that it demands the protection of
information (in electronic or non-electronic form) from unauthorized disclosure (confidentiality), unauthorized
modification (integrity) and unauthorized loss (availability). Clearly, the data security aspect focuses only on
the protection of data integrity, whereas IT security focuses only on the protection of the technical containers,
such as servers and applications, in which the information lives. However, information can also exist in
non-technical or non-electronic form, such as on paper or even in the minds of people, and hence the scope of
information security is to protect electronic and non-electronic information in whichever form it exists.
There is definitely a degree of complexity in understanding the real difference between the above three
definitions, as there is a very thin line between them. IT security and data security may be considered integral
parts of information security, but should not be mistaken for the information security domain as a whole,
which is far bigger in scope. Information security is the protection of the confidentiality, integrity and
availability of information (and not just data), and that should be the focus of an (internal) auditor reviewing
the information security environment.
It is possible that an organization may wish to implement an information security project within the IT
department, thereby protecting only the business information (and IT information) that resides within the IT
containers such as servers and applications. However, this does not protect the same information where it
resides within the HR or Legal departments, or in other operational units. That is where most organizations
underestimate the real benefits of implementing information security and the business benefit of information
security audits. Therefore, by becoming a partner with the business, information security auditors can point
out what information needs more protection, identify the gaps in the implementation of information security
controls and leverage their expertise to help the business grow and achieve its goals.
So, do you know what the true business benefits of information security audits are, and how deep their
untapped potential is within your organization?
3.2 Objective of this research & research question
The objective of this research is to provide an answer to the primary research question. Given that there is no
doubt that information is critical to running a business and that loss of the confidentiality, integrity or availability
of information might impact the business, the primary research question for this thesis is:
What are the business benefits of Information Security Audits?
For the purpose of this thesis, the business benefits of information security audits have been defined in a qualitative way, i.e. by identifying
and assessing whether information security meets identified goals (such as compliance, performance improvements, strategic alignment etc.)
rather than by calculating the benefits as a numeric value. It was consciously decided not to aim for the quantitative value of information
security audits in terms of a currency amount (such as euros or dollars). Obtaining a quantitative value for information security audits is far
too complex, and hence it has been kept out of scope for this thesis.
To be able to provide a detailed answer to the main research question, this question has been broken down
into the following sub-questions:
1. How to Protect Business Information?
- Why is having an Information Security management system important?
- How can a management system be audited to ensure the protection of the business information
(Design check)?
2. How to measure if information security controls meet business objectives?
- Information security coverage in the organization
- Achieving operational effectiveness with information security controls
- Verifying & validating the information security controls
3. What benefits can information security audits bring to an organization?
4. What are the possible ways to make information security benefits more visible in the
organization?
5. How can an information security auditor help?
- Raising potential of an auditor in a telecom company
- Raising potential of an auditor in a bank
3.3 Research Approach
To be able to provide answers to the above sub-questions, a gradual, step-by-step approach was used that
consisted of five phases. Phase 1 was to set the scope and boundaries of the research and to define the
research questions. In phase 2 a literature review was performed to gain the in-depth knowledge of the
information security and information security audit topics required to answer the sub-questions.
To ensure that the thesis is not just a theoretical investigation but also contains a relation to practical
examples, some case studies were performed in phase 3 (together with interviews) on the current setup of
information security audits within various organizations. To gather an overall answer to the primary research
question, interviews were conducted in phase 4 with executives of selected organization(s), and references
were made to surveys conducted on this topic (phases 3 and 4 were combined during the interviews). The goal
of the last phase, phase 5, was to draw a conclusion from all previous phases and thus answer the main
research question. The answer to the main research question ultimately follows from the answers to all
previous questions.
Figure: 1 Research approach
3.4 Scope limitations
This thesis only strives to provide qualitative reasons in identifying the business benefits of performing
information security audits. Reference is made to the ISO 27001 framework and similar management systems,
which are most commonly used for information security. The information provided in this thesis is intended to
be generic and applicable to most types of business; however, it does not provide an exhaustive list of benefits
that can be achieved through tailored information security audits. Pointing out any industry-specific benefits
(other than those mentioned in this thesis) is beyond the scope of this thesis. In addition, this thesis does not
cover research into information security risks, vulnerabilities and threats.
Further, it is important for the reader to note that information security audits are defined from an internal audit
point of view and not as compliance audits (e.g. an ISO/IEC 27001:2005 certification audit) or infrastructure
security audits such as penetration tests or vulnerability assessments. The main focus of this thesis is to define
the business benefits of information security audits performed by an internal auditor, thereby elevating their
role from being merely assessors of gaps to being partners in business growth by way of risk management.
3.5 Assumptions
Throughout this thesis, it is assumed that the reader possesses generic knowledge of management systems
and how they function. In addition, the reader is expected to be aware of the concepts of auditing in general.
Further, it is assumed that an individual or an organization interested in learning the business benefits of
information security audits has practical knowledge of implementing information security controls through an
information security management system (ISMS).
3.6 Layout of this Thesis
The first chapter (chapter 1) provides a preface to this thesis document. Chapter 2 gives an executive
summary of this thesis, starting with the primary question. Chapter 3 includes the introduction, the research
question and the approach to answering the research question. The following chapters (chapter 4 to
chapter 8) relate to the sub-questions. Chapter 4 discusses the first sub-question, how to protect business
information. In this chapter, the definition and importance of implementing and auditing an information security
management system (ISMS) are detailed. This chapter also provides details of a typical audit process within
an organization.
Chapter 5 covers the second sub-question and provides answers on how to measure whether information
security meets business objectives by means of internal information security audits. The details of achieving
operational effectiveness with information security controls, validating and verifying these controls, as well as
making them more visible, are discussed in this chapter.
The next chapter, chapter 6, relates to what benefits information security audits can bring to an organization,
whereas chapter 7 describes the possible ways to make information security benefits more visible in the
organization by means of internal information security audits. Chapter 8 explains how to raise the deep
potential of an information security audit. In this chapter, the main highlights of the interviews conducted are
also shown. To understand the different ways of thinking in organizations, interviews were conducted with the
CISO of a premier telecom organization with operations in LATAM and Africa, an IT manager of a government
organization in Norway, a Finance Director of a banking organization in Belgium, a head of procurement in a
technology company in Germany and an HR professional of a utility company in the Netherlands. Finally,
chapter 9 provides the summary of this thesis, including the conclusion, a reflection on and discussion of the
research and its results, and topics for further research.
Appendix A defines the various terms and definitions used throughout this thesis, Appendix B provides the
bibliography and Appendix C details the questions asked in the interviews. Appendix D provides an example
of a key performance indicator for an information security control.
4 How to Protect Business Information?
Almost every organization depends on information. It can be about its operations, business processes, trade
secrets, intellectual property, employees' names, salaries, and so on. Depending on the type of organization,
this dependency may vary. For example, a governmental office may require personal information about
citizens, residential addresses, car licence registrations, etc.; a bank requires information about its customers'
accounts, their money transactions, ATM access codes, and so on. Much of this information is confidential,
must remain intact and must be available at the time of use.
Just as the type of information may differ from organization to organization, the way it needs to be protected
differs as well. The challenge is how to implement the different protection measures for business information
while still following a standardized common practice that provides a comfort level to stakeholders. The answer
lies in following a best-practice framework for a management system for information security that takes your
organization along a path of continuous improvement. Let's dive deeper into why such an information
security management system is important for the protection of business information.
4.1 Why is Information Security management system Important?
Information security can be implemented in many ways for the protection of critical information; however, for
it to be effective, efficient and repeatable, it is important to follow a proven framework of a tested
management system (such as the one endorsed by ISO/IEC 27001:2005). A management system is a proven
framework and a means by which business processes remain aligned with the business and are repeatable.
In order to understand the importance and meaning of an information security management system, let's
break it down into two terms, i.e. "information security" and "management system".
Information security means protecting information and information systems from unauthorized access, use,
disclosure, disruption, modification, perusal, inspection, recording or destruction. The terms information
security, computer security and information assurance are frequently used interchangeably. These fields are
often interrelated and share the common goals of protecting the confidentiality, integrity and availability of
information.
Figure: 2 CIA Triad explaining the core principles of information security
A management system provides a structure for doing things properly, attempting to systematize and
standardize whatever is possible in order to do things efficiently and effectively, using validated
methodologies that lead an organization toward the achievement of its objectives. A management system is
a proven framework that directs and controls an organization in a transparent manner for managing and
continually improving the organization's policies, procedures and processes. It provides company
management with the information required to anticipate the future and determine the best course of action
to achieve organizational objectives.
During the interviews, I asked participants to point out some of the benefits of adopting a management
system approach; the benefits they mentioned are listed as follows:
► Increased operational efficiency by learning from mistakes/error rectification
► Overall performance improvement by following a process approach
► Reduced risks as responsibilities become clearer
► Reduced cost, time and disruption of audit
► Consistent objectives, planning, and document management.
Combined with the information security objectives, an information security management system (ISMS) is
defined using a Plan-Do-Check-Act cycle (also known as the Deming cycle). Following this cycle puts an
organization on a path of continuous improvement, as with each iteration one can expand the policy and
objectives, and the scope of the ISMS.
Figure: 3 ISMS explained using a Plan-Do-Check-Act cycle
PLAN: Establish the ISMS: Planning is the most important phase in building an information security
management system. An ISMS framework follows a risk-based approach, and hence it is vital that the risks to
the organization, or to any part of it, are known before the information security controls are selected and
implemented.
This phase involves establishing an ISMS policy for the organization, together with the objectives, processes
and procedures relevant to managing risk and improving information security, in order to deliver results in
accordance with the organization's overall business objectives. A risk assessment presents its results to the
organization's management as a set of identified risks, which management can decide to accept, reject,
mitigate or transfer. If risks are accepted, they must meet the organization's acceptance criteria and must be
approved by management. If management decides to mitigate the risks, controls are selected from a catalogue
of information security controls and implemented to mitigate the specific risks identified during the risk
assessment; this yields a risk treatment plan.
DO: Implement & Operate the ISMS: This phase includes implementing and operating the organization's
ISMS policy, controls, processes and procedures. The objective of this phase is to execute the risk treatment
plan to mitigate the identified risks (found through the risk assessment performed during the Plan phase).
The organization's management should provide enough resources and commitment for the implementation of
the controls.
It may be the case that the organization already has a certain level of implementation of the selected controls;
it is then vital to recognize the current level of implementation of those controls and identify what additional
efforts are required to mitigate the risks and bring them down to an acceptably low level. The end result of this
phase is the implementation of the selected controls.
CHECK: Monitor & Review the ISMS: Now that the organization has established the ISMS design, has
assessed its risks and has implemented controls to bring the risks down to an acceptable level, this phase
concentrates on checking whether the implemented controls are working as effectively as desired and are
performing at the expected level. It is therefore required to assess and, where applicable, measure process
performance against the ISMS policy, objectives and practical experience, and to report the results to management.
ACT: Maintain & Improve the ISMS: After checking the implementation level of the controls, the organization
might observe certain gaps in the implementation of the selected controls. This phase concentrates on the
corrective and preventive actions, based on the results of the internal ISMS audit and management review or
other relevant information, to achieve continual improvement of the ISMS.
As explained above, an information security management system provides a systematic way to manage
information security risks and implement the controls. As mentioned by the interview participants, the
following are business benefits that an organization can obtain by implementing an information security
management system (which includes conducting internal information security audits as part of the CHECK phase):
An Information Security Management System helps you to:
► Manage risks: by consciously investing in information security controls or accepting, transferring and
avoiding risks.
► Contribute to operational effectiveness: by ensuring that business operations are performed securely,
without breach of confidentiality, integrity and availability, improving the overall effectiveness and efficiency
of your business processes.
► Increase stakeholder satisfaction: by delivering what is expected in a timely and secure manner and
providing stakeholders with information regarding the organization's ability to meet its management-system-
related business objectives.
► Protect your brand and reputation: by keeping you out of negative headlines.
► Continual improvement: by following the Plan-Do-Check-Act cycle, one identifies new risks, manages
changes and builds upon the last information security implementation towards a path of continuous growth.
► Remove barriers to trade: by providing trust and confidence to business partners and promoting the
exchange of information and resources.
► Manage compliance: by providing a platform to demonstrate due diligence and due care in complying with
laws, regulations and contractual obligations. In Australia, for example, every company, by law, must have an
official (Information) Security Policy and Acceptable Internet Usage Policy in place.
Table: 1 Benefits of implementing an Information Security Management System
4.2 How can a management system be audited to ensure protection of business
information (Design Check)?
In the above section it was explained why an information security management system is important. This section
describes how an ISMS can be audited to ensure protection of business information. This is important because
through an information security audit an organization can determine whether its activities and related results
comply with planned arrangements to deliver customer, stakeholder and regulatory requirements for information
security. It can determine whether these arrangements are implemented effectively and are suitable to achieve the
stated objectives. As an audit outcome, the organization can understand risks and opportunities to inform future
changes and improvements to protect business information and grow its business.
But the bigger question is: how do you audit an ISMS to ensure protection of business information?
Typically, an information security management system audit involves reviewing the ISMS design, its
existence and the operational effectiveness of the information security controls. To organize an audit
in a structured manner, top management should start by establishing clear audit objectives and end results
by means of an audit program and assign one or more competent persons to manage the audit program. The
extent of an audit program should be based on the size and nature of the part of the organization being
audited, as well as on the nature, functionality, complexity and level of maturity of the ISMS to be audited.
The audit program should include the information and resources necessary to organize and conduct ISMS audits
effectively and efficiently within the specified time frames.
However, to align these audits to the overall satisfaction of the top management, the following questions
could be asked:
► What are the expectations of the stakeholders from the audit?
► Are the goals of information security audit aligned with those of the business?
► How can the information security audit improve efficiency and effectiveness of the implemented
ISMS?
► Do you have the right staffing mix to provide the advice and expertise your business seeks?
► What has your organization done to adjust information security to address the changing
environment?
Based on the guidance of ISO/IEC 19011:2011, an audit program can be prepared to answer the above
questions and may include the following topics:
► Audit Objectives:
► top management priorities;
► commercial and other business intentions;
► legal and contractual requirements and other requirements to which the organization is
committed;
► needs and expectations of interested parties, including customers;
► auditee’s level of performance, as reflected in the occurrence of failures or incidents or
customer complaints;
► risks to the auditee, etc.
► Extent/number/types/duration/locations/schedule of the internal information security audits;
► Audit program procedures:
► assuring the competence of information security auditors and audit team leaders;
► selecting appropriate information security audit teams and assigning their roles and
responsibilities;
► conducting information security audits, including the use of appropriate sampling methods;
► conducting information security audit follow-up, if applicable;
► reporting to the top management on the overall achievements of the audit program;
► Audit criteria including:
► ISO/IEC 27001:2005 or CoBIT or any other framework;
► applicable policies, procedures, standards, legal requirements;
► contractual requirements;
► sector codes of conduct etc.
► Audit methods:
► conducting interviews;
► completing checklists and questionnaires with auditee participation;
► conducting document review with auditee participation;
► sampling;
► observation of work performed;
► analyzing data, etc.
► Selecting audit team: In deciding the size and composition of the audit team for the internal ISMS audit,
consideration should be given to the following:
► the overall competence of the audit team needed to achieve audit objectives, taking into
account audit scope and criteria;
► complexity of the audit;
► the audit methods that have been selected;
► legal and contractual requirements and other requirements to which the organization is
committed;
► the need to ensure the independence of the audit team members from the activities to be
audited and to avoid any conflict of interest;
► the ability of the audit team members to interact effectively with the representatives of the
auditee and to work together;
► the language of the audit, and the auditee’s social and cultural characteristics. These issues
may be addressed either by the auditor’s own skills or through the support of a technical
expert.
Once an audit programme is developed, an information security audit is conducted using the 6-step process
described in Figure 4 below and detailed in Figure 5 using a flow diagram. Organisations could
initiate the internal information security audit as per the audit schedule. The first step (Step-1) in initiating the
audit is to appoint an audit team leader and assign responsibility for conducting the audit. The audit team
leader performs the steps to conduct audit activities as part of the ISMS audit programme.
Thereafter, the audit scope, objectives and criteria are defined and documented. The feasibility of conducting the
audit is determined taking into account time and resource requirements. When the audit can be declared
feasible, an audit team should be selected, taking into account the competence needed to achieve the
objectives of the audit. If there is only one auditor, the auditor should perform all applicable duties of an audit
team leader. Once the audit team is defined and selected, the initial contact for the audit should be made
with the auditee in an informal or formal manner to make audit arrangements and request documentation.
Upon receipt of the documentation (Step-2), prior to the on-site audit activities, the auditee's documentation
should be reviewed to determine the conformity of the system, as documented, with the audit criteria. The next
step (Step-3) after the documentation review is preparing for the on-site visits. This starts with preparing an
audit plan to provide the basis for the agreement among the audit team and the auditee regarding the
conduct of the audit and continues with assigning each team member responsibility for auditing specific
processes, functions, sites, areas or activities. Such assignments should be made by the team leader taking
into account the need for the independence and competence of auditors and the effective use of resources,
as well as the different roles and responsibilities of auditors, auditors-in-training and technical experts. Changes
to the work assignments may be made as the audit progresses to ensure the achievement of the audit
objectives. The audit team leader also assigns responsibilities to prepare the work documents such as
checklists, sampling plans, forms etc. for recording audit trails.
Step-4 begins with conducting the on-site audit activities. During the on-site visit, an opening meeting is
conducted to set the tone for the information security audit. The audit activities are conducted following the
agreed criteria to identify audit findings. At the end of the on-site audit activities, audit findings are
documented in the form of a report and communicated to the auditee to complete the audit (Step-5). The audit is
completed when all activities described in the audit plan have been carried out and the approved audit report
has been distributed (Step-6).
The conclusions of the audit may indicate the need for corrective, preventive or improvement actions, as
applicable. Such actions are usually decided and undertaken by the auditee within an agreed timeframe and
are not considered to be part of the audit. Any follow-ups required to be performed based on audit results are
done (Step-7). The completion and effectiveness of corrective action should be verified. This verification
may be part of a subsequent audit.
Figure 4: Steps of an audit activity
Figure 5: Details on steps of an audit activity
5 How to measure if information security meets business objectives?
Practical experience has shown that information security as a topic has faced the difficulty of objectively
evaluating its maturity and communicating its value to the business. In a business-minded culture, where
numbers play a big role, how would you justify ongoing budget requests and resource requirements? Thus,
organizations need a better way and a measurement mechanism to demonstrate that efforts and investments
have positive results regardless of changing external factors. Measuring the information security environment
through internal information security audits uncovers areas where maturity efforts are either surprisingly
behind or surprisingly ahead. These results help you bring everyone up to the same level and even highlight
certain teams that may be examples for others to emulate. In addition, the higher levels of maturity in many
components require support for business objectives, which may also help to justify further investment.
In the forthcoming section, I discuss how to measure if information security meets the business objective by
looking at the information security coverage in the organization and detailing how the Information Value
Chain can lead to defining information security risks and required controls. Finally, I describe a method for
measuring the implementation of information security controls using the CMMI model.
5.1 Information Security Coverage in the organization
Most organizations that face challenges with implementing information security would admit that
there is a cultural gap in the organization and a lack of commitment at all levels of the organization. To
measure if information security meets business objectives, it is very important to realize how deep the
involvement of staff in information security activities is. If only 10-20% of the staff is involved in
information security activities, it is going to take a lot of time and effort before the organization could call itself
secure. In many cases at senior management and specifically at Board level, information security is seen as
a technical issue which must be delegated to the IT section and forgotten about. Without this management
support, information security managers fight a very difficult, and often losing, battle in implementing and
rolling out an organization-wide information security plan in the company, taking into account all the different
dimensions of information security such as the human (personnel) dimension, the awareness dimension, the
legal dimension, the policy dimension, the measurement and monitoring dimension etc.
Information security efforts that fail to consider how humans react to and use technology often do not deliver
intended benefits. Information security programs need to take into account how the organization and its
people, processes and technologies interact, and how organizational governance, culture, human factors and
architectures support or hinder the ability of the organization to protect information and to manage
information security risks.
5.2 Achieving operational effectiveness with information security controls
One of the ways to confirm that the information security controls achieve operational effectiveness is to first
define the "Information Value Chain". The information value chain can be defined as the flow of business
information that contributes to the business activities being performed in order to meet the business
objectives and goals, leading an organization towards the growth path. In simpler terms, it is the way
business information flows to perform business operations. Information flows vertically and horizontally
within the organization. It flows vertically when it passes between the different levels within an
organization or between the organization and third parties, and horizontally when it passes
between different departments or organizational units. The information flow also depends on internal and
external factors. Internal factors include internal processes, policies, organizational structure, governance
etc., while the external factors include geography, and the political and economic environment etc.
Once the information value chain has been identified and clearly defined, it becomes evident what type of
information, and in what shapes and forms, is critical to the business and, more precisely, how protection of its
confidentiality, integrity and availability can support business operations. To make it more visible in the
organization, it is vital to identify what could go wrong if the business information is not protected, so that
business decisions can be made regarding its protection, i.e. clear information security objectives must be
formulated to reflect how business activities depend on the critical information and how it should be
protected. Similarly, the information security strategy must also align with the business strategy.
The information security goals must be very clear and the objectives should be approved by management.
For example, the business objective of a pizza company may be to become the best pizza brand in the country and
to provide the fastest delivery of pizzas to your location. Information security goals may support this business
objective by ensuring that critical information such as pizza orders, location details and delivery times is
correctly available to deliver pizzas in time, and that customer credit card numbers are well protected so that
customer loyalty is established, ultimately making the pizza company the best brand in the country and
profitable in its business.
As discussed earlier, information is everywhere in an organisation: higher management needs
information about their products or services, whereas lower levels need to know information about the status
of inventory or service level compliance. The IT department needs information from the business to know the IT
services demanded, whereas the HR department needs salary information to process payroll. Since the
information resides in different forms and shapes in different parts of the organisation, the demand for
protection varies as well. This demand can be very clearly described by means of formulating
clear information security objectives. The information security objectives must ultimately be able to support
the business activities to reach organisational goals and thereby meet business objectives as well.
To establish information security objectives, it is of utmost importance to realize what type of information is
critical for business and what impact the business might have due to loss of confidentiality, integrity and
availability of information.
Let's take the example of another organisation, a production house, in which a salesperson depends
on correct information about the quantity of a product in the warehouse and its demand in the
market, based on which he can make a decision to buy a certain quantity from a vendor. If the stock
information from the warehouse is incorrect or unavailable, or the demand figures are fudged, the business
might suffer losses due to either underproduction or overproduction of goods.
Thus, very clearly information security controls support the achievement of business objectives and
operational effectiveness.
5.3 Verifying & validating the information security controls
It has been clarified that the information security controls are important for the business functioning of the
organization. Further, these information security controls contribute to the protection of information which is
required to conduct the business activities. Verifying and validating (i.e. measuring) these information security
controls facilitates decision making, non-compliance identification and performance improvement, and verifies
how well the selected security requirements, which are based on risk assessment and applicable legal and
regulatory requirements, have been met.
The following can be defined as the main objectives of measuring the information security controls:
► to evaluate the effectiveness of implemented security controls and control objectives;
► to evaluate the effectiveness of the ISMS including the cycle of continual improvement;
► to provide security indicators to assist management review;
► to facilitate improvement of information security;
► to communicate the effectiveness of information security to the organization;
► to serve as an input into the risk management process;
► to provide output for an internal comparison and benchmarking of effectiveness.
Now that it is clear why measurement is required for the information security controls, let's identify how this
measurement can be performed. One of the many common methods applied for the measurement of
information security controls is using the CMMI [3] (Capability Maturity Model Integration) model. Using CMMI
levels it can be easy to verify and validate if these information security controls are doing their job properly,
thereby keeping the organization out of trouble.
These CMMI levels are defined as below:

CMMI Level   Name         Meaning
1            Initial      An initial information security control exists but it is performed on an ad-hoc basis.
2            Repeatable   The information security control is repetitive but based on intuition.
3            Defined      The information security control is surrounded by a defined process.
4            Managed      The information security control is being managed and is measurable.
5            Optimized    The information security control is optimised to the current environmental factors.

Table 2: CMMI Levels and their meaning
Using the CMMI levels as defined in the table above, an internal information security auditor can provide
scores to each individual information security control based on the audit findings supported by an audit trail.
[3] CMMI is only one of the many maturity models commonly used to measure the maturity of information security
controls. There are various other models such as the CoBIT Maturity model, the INK-model or the KAD model that
may be used to perform a maturity assessment.
To make the measurements more objective, Key Performance Indicators (KPIs) [4] should be defined at
the level of each individual control to benchmark whether the controls are working at the desired level of performance.
Those controls mitigating higher risks should be looked at more carefully than those mitigating medium or
low risks. The measurements produced through the application of the CMMI model, resulting in the output from
internal audit, could contribute as inputs to the process of reviewing the extant controls and determining
whether they should be changed or improved.
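The scoring method described in this section (a CMMI level per control from Table 2, a KPI per control, and more attention for controls that mitigate higher risks) can be carried through on constructed data. The following is an added example written for this page; it is not part of the thesis, and the control identifiers, risk weights (3/2/1 for high/medium/low), target levels and KPI values are all assumptions chosen for illustration.

```python
"""Risk-weighted maturity gap analysis for audited information security controls.

Added example (not from the thesis): each control carries the CMMI level
assigned by the auditor (1-5 as in Table 2), the level the organization
wants to reach, and one KPI. Gaps are weighted by the risk the control
mitigates, so high-risk controls surface first for management attention.
"""
from dataclasses import dataclass

# CMMI levels as used in Table 2 (1 = Initial ... 5 = Optimized).
CMMI_LEVELS = {1: "Initial", 2: "Repeatable", 3: "Defined", 4: "Managed", 5: "Optimized"}

# Assumed weighting: a gap on a control mitigating a high risk counts three
# times a gap on a low-risk control.
RISK_WEIGHT = {"high": 3, "medium": 2, "low": 1}


@dataclass
class ControlFinding:
    control_id: str        # identifier used in the audit trail (constructed)
    name: str
    risk: str              # risk the control mitigates: "high" / "medium" / "low"
    observed_level: int    # CMMI level assigned by the auditor (1-5)
    target_level: int      # level the organization decided to reach (1-5)
    kpi_name: str
    kpi_actual: float      # measured KPI value (0.91 means 91 %)
    kpi_target: float      # desired level of performance for the KPI

    def __post_init__(self):
        if self.observed_level not in CMMI_LEVELS or self.target_level not in CMMI_LEVELS:
            raise ValueError("CMMI levels must be between 1 and 5")
        if self.risk not in RISK_WEIGHT:
            raise ValueError("risk must be high, medium or low")

    @property
    def maturity_gap(self) -> int:
        """Levels still to climb to reach the target (never negative)."""
        return max(0, self.target_level - self.observed_level)

    @property
    def kpi_met(self) -> bool:
        return self.kpi_actual >= self.kpi_target

    @property
    def priority(self) -> int:
        """Risk-weighted gap; a missed KPI adds one level of gap."""
        kpi_penalty = 0 if self.kpi_met else 1
        return RISK_WEIGHT[self.risk] * (self.maturity_gap + kpi_penalty)

    @property
    def classification(self) -> str:
        """Finding category: compliant, minor gap or major gap."""
        if self.maturity_gap == 0 and self.kpi_met:
            return "compliant"
        if self.maturity_gap <= 1 and self.risk != "high":
            return "minor gap"
        return "major gap"


def prioritized_findings(findings):
    """Findings sorted by risk-weighted priority, most urgent first."""
    return sorted(findings, key=lambda f: (-f.priority, f.control_id))


def program_maturity(findings) -> float:
    """Risk-weighted average CMMI level across all audited controls."""
    total_weight = sum(RISK_WEIGHT[f.risk] for f in findings)
    weighted = sum(RISK_WEIGHT[f.risk] * f.observed_level for f in findings)
    return round(weighted / total_weight, 2)


def summary(findings) -> dict:
    """Counts per finding category, as a management summary would show them."""
    counts = {"compliant": 0, "minor gap": 0, "major gap": 0}
    for f in findings:
        counts[f.classification] += 1
    return counts


# Constructed sample audit findings (not real audit data).
SAMPLE_FINDINGS = [
    ControlFinding("C-01", "User access registration", "high", 2, 4,
                   "new-joiner access registered within one day", 0.85, 0.99),
    ControlFinding("C-02", "Information backup", "high", 4, 4,
                   "successful restore tests", 1.0, 0.95),
    ControlFinding("C-03", "Security awareness training", "medium", 3, 4,
                   "staff completed annual training", 0.97, 0.95),
    ControlFinding("C-04", "Inventory and classification of assets", "low", 2, 3,
                   "assets classified", 0.92, 0.90),
]

if __name__ == "__main__":
    for f in prioritized_findings(SAMPLE_FINDINGS):
        print(f"{f.control_id} {f.name:<40} level {f.observed_level}/{f.target_level} "
              f"KPI {'met' if f.kpi_met else 'missed'} priority {f.priority} -> {f.classification}")
    print("programme maturity:", program_maturity(SAMPLE_FINDINGS))
    print("summary:", summary(SAMPLE_FINDINGS))
```

On the sample data the high-risk access control (two levels short of target and a missed KPI) ranks first, the backup control that meets both its level and its KPI ranks last, and the weighted programme maturity comes out between levels 2 and 3, which is the kind of figure the next paragraph suggests building a target and time frame around.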
An organization can decide what maturity level it desires to achieve at an individual control level or for the
security program as a whole, and in what time frame, and can build an information security strategy around it.
By means of the information security strategy clear Information Security objectives can be formulated to
reflect how business activities depend on the critical information and how it should be protected. Similarly,
the information security strategy must also align with business strategy.
[4] An example of a Key Performance Indicator (KPI) is given in Appendix D.
6 What benefits can information security audits bring to an organization?
Information security audits bring many benefits to an organization, some of them more essential
than others. As an outcome of an information security audit, you get to know how good or bad the
security condition of your organization is, so you can decide whether to rely on the information
provided to management or not. It makes you take control of your business processes so that better
business decisions can be made based on a reliable set of information. Information security audits can also
provide a better outlook on any gaps between what an organization's management wants and what is
delivered.
Before I get into the nitty-gritty of what benefits an information security audit can bring, it is important to
understand the basic principles of auditing for the sake of clarity. These principles make the information security
audit an effective and reliable tool in support of management policies and controls, providing information on
which an organization can act to improve its performance, protect itself from business risks and direct itself
towards growth. Adherence to these principles is a prerequisite for providing audit conclusions that are
relevant and sufficient and for enabling auditors working independently from one another to reach similar
conclusions in similar circumstances.
The following principles relate to information security auditors:
► Ethical conduct: the foundation of professionalism detailing that trust, integrity, confidentiality and
discretion are essential to information security auditing.
► Fair presentation: the obligation to report truthfully and accurately detailing that audit findings, audit
conclusions and audit reports reflect truthfully and accurately the audit activities.
► Confidentiality: discretion in the use and protection of information acquired. This concept includes
the proper handling of sensitive or confidential information.
► Due professional care: the application of diligence and judgment in auditing detailing that auditors
exercise care in accordance with the importance of the task they perform and the confidence placed
in them by auditee/interested parties.
► Independence: the basis for the impartiality of the audit and objectivity of the audit conclusions
detailing that auditors are required to be independent of the activity being audited and are free from
bias and conflict of interest.
► Evidence-based approach: Provides the rational method for reaching reliable and reproducible
audit conclusions in a systematic audit process.
Assuming that an information security auditor adheres to the basic auditing principles mentioned above,
several benefits can be realized through an information security audit that enable organizations to drive
growth and profitability. In an information security audit, an auditor should typically look at how the
information security controls are working and at what level of maturity, compared to business requirements
(as described in the above chapter).
Based on the outcomes of the literature research and interviews, the following can be described as the main
benefits that information security audits can bring to an organization:
a) Identification and assessment of risks: An information security audit helps companies identify the
information security risks and barriers they might face on the path to achieving their business objectives.
An information security audit also assesses the likelihood of a security risk materializing and its possible
consequences, thereby giving a perspective on which risks are "key" and therefore require more urgent
management attention. Information security audits can help companies be better prepared to prevent certain
adverse events from occurring and also to provide an adequate response should such events occur. This
means that an organization is likely to face fewer surprises or crisis situations and be better prepared for
most eventualities.
b) Evaluating information security controls: Using information security audits, companies can assess
whether the information security controls and procedures they have put in place are adequate to mitigate the
identified information security risks. This enables companies to improve control procedures and make
course corrections where needed. Evaluation of controls by experts in this field can help remedy gaps
in information security controls.
c) Ensuring compliance with regulations: Compliance with related regulations as well as internal
information security policies and procedures is a key result of the involvement of information security audit. A
constant focus on this area through the internal information security audit function can help management
promote a culture of “compliance consciousness” where compliance occurs as a part of everyone’s daily
work rather than as a separate process.
d) Improve effectiveness and efficiency of processes: When management extends the internal
information security audit scope to include evaluation of organization risks, this can enhance the
effectiveness and efficiency of business processes by identifying duplication and redundant activities.
Internal information security audit may also identify the key areas for improvement, leading to mature
business processes.
e) Uncover fraudulent or other illegal activities within your company: Using the information security
audits, companies can identify any illegal activities that are taking place due to improper access control and
monitoring. By analyzing logs and trends, an information security auditor can alert the top management of
any frauds taking place within the organization.
f) Provide comfort to management, the Board and other stakeholders: One of the most important
benefits of information security audit is to provide assurance to management and a level of comfort to the
internal and external stakeholders that the organization has a strong information security environment that
sufficiently mitigates the risks it might be exposed to, e.g. information leakage or hacking activities, thereby
contributing towards meeting business objectives.
Management must actively utilize the services of the information security audit function to act as a sounding board
for strategies under development, to anticipate information security risks before they materialize and to take
appropriate and timely action. If used effectively, information security audits can become a tool that helps
create significant business value.
In a recent Global Information Security Survey conducted by Ernst & Young, many CIOs, CISOs,
CFOs, CEOs and other information security executives (in total 1836 participants, invited in 64 countries and
across all industry sectors) were asked questions related to the speed of change and the widening gap in
information security. 68% of the survey participants agreed that assessments performed by the internal audit
function are a way to assess the efficiency and effectiveness of information security. Below is the output of
one such question asked during the survey:
Figure 6: 15th Annual Ernst & Young Global Information Security Survey Output
To make an information security auditor's report more useful, he/she can specify in the report the exact gaps in
the information security controls that could make the business suffer and could lead to:
► Lost productivity.
Based on the auditor's report, business executives can quantify how many employees would be unable
to get work done because of a security breach, and for how long. What if their computing equipment
were seized by law enforcement for forensic analysis? How much time would be spent by IT staff
repairing damage caused by the breach as opposed to doing other work?
► Loss of revenue during outages.
As an outcome of the auditor's report, the business could determine how much revenue it might lose
per minute, per hour or per day in a scenario where the corporate website does not work. What if it
lost Internet connectivity?
► Loss of data, temporary or permanent.
Restoring from a backup can be costly. An auditor's report could provide details on whether an insider can
destroy company backups.
► Compromise of data through disclosure or modification. Strategic and product plans, as well as
sensitive financial information, are just a couple of examples.
► Repair costs. You might need to buy new hardware or use disk-recovery services, for example.
► Loss of reputation. Think about how you’d feel reading about the breach on the front page of a
newspaper. Many countries have or are considering laws that require disclosure of incidents that
compromise customer data. Do you do business in these countries?
7 What are the possible ways to make information security benefits more visible
in the organization?
The wise adage "a penny saved is a penny earned" applies perfectly well to the field of
information security. In the field of information security, benefits cannot be correctly and quantifiably
measured as a concrete gain, but rather as a reduction in risk and losses. It is not an investment that
provides a return, like a new product or service; it is an expense that, hopefully, pays for itself in cost
savings and risk aversion. Ultimately, information security provides benefit in terms of risk management and
loss prevention, not through tangible earnings.
For the bigger question, "Is information security really necessary?", one has to think in terms of the
risks or losses averted by complying with the various legislation, regulations and contractual requirements. Think
about the penalties you would have to pay if you did not invest in information security, and if it is quantifiable,
make it appear in the form of a management dashboard. For example, if you saved €500.000,- in penalties by
implementing controls worth €100.000,-, there is a tangible and visible benefit; however, this is not as clear
in most cases.
Another way to make information security benefits more visible is by showing how they helped achieve
competitive advantage in the marketplace, e.g. the number of contracts won because of the security capabilities.
One can even measure how expenses/costs were saved by decreasing the number of incidents year on
year or quarter on quarter. Even demonstrating how business operations were optimized can be an
efficient way to demonstrate the benefits of information security. Additionally, find out how information
security can underpin certain elements of the company's corporate strategy.
The key to making these information security benefits more visible is a clear and approved measurement
system (e.g. through KPIs) which shows how the company achieved its objectives because of information
security initiatives. The problem is not that management does not want to invest in information security, but
that it is either uninformed about it, or that you have no instrument to make it visible. The dashboard below
shows one of the instruments that management can receive on a regular basis so that it can see the real
benefits of information security.
Figure 7: Management dashboard (example) highlighting summary of audit results
[Figure not reproduced. The extracted chart labels indicate the following panels: “Security Management
Dashboard”; “Security breaches/Frauds detected & avoided” versus “Successful security breaches”;
“Security Audit Findings” pie chart (Compliant 40%, Minor Gaps 20%, Major Gaps 10%, Concept);
per-department bars for Sales, HR & Admin, Technology, Legal & Finance and Operations; “Overall
new-joiners access registered 99%”; “Accomplishment of 92% of Security Objectives”; “Staff change
passwords regularly”; “Security changes unregistered”; “Assets classified”; “Learning: 8 security trainings
conducted across organization, 97% staff successfully completed”; “Control Maturity Score”; “Training
Pace”; “Incidents/Frauds: Prevented, Corrected, Detected”; “No. of critical security assets per department”;
“Observations”.]
Using a dashboard like the one shown above, an internal auditor can provide the information that
management expects to see in order to continue its interest in information security investments. As a
concept, this dashboard shows how many information security breaches or frauds were detected and
avoided due to the presence of information security controls. This could also be shown in terms of Euros (€)
or Dollars ($) saved by avoiding security breaches. It also provides details of how information security
training keeps employees sharp and business information safe. Control maturity scores (as calculated using
the CMMI maturity model discussed above) can also be shown in this dashboard. The dashboard further
presents details of the cultural aspects, or discipline towards risk management policies, in the organization:
as shown above, it demonstrates how many employees have changed passwords regularly, how many
information assets are classified, etc. It provides scores per department on the number of critical security
assets that business processes depend on, and so on.
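The KPIs that a dashboard like Figure 7 reports can be derived directly from the audit findings. The following Python script is an added example, not part of the thesis or of any tool it describes: it takes a constructed set of findings (department, control, gap severity and a CMMI-style maturity score from 1 to 5) and computes the share of compliant controls versus minor and major gaps, the average control maturity per department, and the percentage of security objectives achieved. The record layout, the department names, the severity-to-category mapping and the target maturity level are all assumptions.

```python
"""Compute management-dashboard KPIs from a set of internal audit findings.

Added example, not taken from the thesis: the record layout, the department
names and the mapping from finding severity to dashboard category are
assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One tested control in one department (constructed sample record)."""
    department: str
    control: str
    severity: str   # "none" (compliant), "minor" or "major" gap
    maturity: int   # auditor's CMMI-style maturity score, 1 (Initial) .. 5 (Optimizing)


# Constructed audit findings used as sample input.
FINDINGS = [
    Finding("Sales", "access-review", "none", 4),
    Finding("Sales", "password-policy", "minor", 3),
    Finding("HR & Admin", "joiner-access", "none", 4),
    Finding("HR & Admin", "leaver-access", "major", 2),
    Finding("Technology", "change-management", "minor", 3),
    Finding("Technology", "backup-restore", "none", 5),
    Finding("Technology", "patching", "major", 2),
    Finding("Legal & Finance", "asset-classification", "minor", 3),
    Finding("Operations", "incident-logging", "none", 4),
    Finding("Operations", "vendor-access", "major", 1),
]

# Severity -> pie-chart category used on the dashboard (assumed mapping).
CATEGORY = {"none": "Compliant", "minor": "Minor Gaps", "major": "Major Gaps"}


def audit_findings_breakdown(findings):
    """Percentage of tested controls per category (the 'Security Audit Findings' panel)."""
    counts = defaultdict(int)
    for f in findings:
        counts[CATEGORY[f.severity]] += 1
    return {cat: round(100 * n / len(findings), 1) for cat, n in counts.items()}


def maturity_by_department(findings):
    """Average CMMI-style maturity per department (the 'Control Maturity Score' panel)."""
    total, count = defaultdict(int), defaultdict(int)
    for f in findings:
        total[f.department] += f.maturity
        count[f.department] += 1
    return {dept: round(total[dept] / count[dept], 2) for dept in total}


def objectives_achieved(findings, target_maturity=3):
    """Share of controls at or above the target maturity (the 'Security Objectives' panel).

    The target level is an assumption; an organization would set it in its ISMS.
    """
    met = sum(1 for f in findings if f.maturity >= target_maturity)
    return round(100 * met / len(findings), 1)


def dashboard(findings):
    """Assemble the three panels into one structure a reporting tool could render."""
    return {
        "audit_findings_pct": audit_findings_breakdown(findings),
        "maturity_by_department": maturity_by_department(findings),
        "objectives_achieved_pct": objectives_achieved(findings),
    }


if __name__ == "__main__":
    for panel, value in dashboard(FINDINGS).items():
        print(f"{panel}: {value}")
```

Each finding carries the auditor's own maturity score, so the dashboard figures stay traceable to the audit trail; the same records can be re-scored quarter on quarter to show the trend that section 7 recommends reporting.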
With this kind of output from internal audits, management can decide whether or not it is in control of the
organizational information and its flow. It serves as an important input during the management review
meetings to drive the organization towards a growth trajectory. Hence, it is a perfect way to make security
more visible in the organization.
During the interviews, participants were asked what methods and techniques they have used in their
organization to make information security and its benefits more visible. Their responses, together with
research on public sources, resulted in the following methods and techniques that can be used in an
organization to make information security more visible:
Figure 8: Methods & Techniques to make Information Security & Audit Benefits visible in the organization
8 How can an information security auditor help?
An organization needs to conduct information security audits to determine the effectiveness of its
management system. An information security auditor can help an organization find out how risks have
changed since they were last assessed, whether there is any lack of funding, and identify cultural issues and
any internal and external threats to business information and processes. Further, the risk of being exposed
before the eyes of management induces staff to keep within the compliance of organizational policies and
procedures, to avoid errors of omission or commission.
In addition, an auditor can help in understanding the cross-communication that often results in different
departments speaking different languages, resulting in inconsistencies throughout the business. For the
financial manager, information security may equate to minimizing financial risk and loss, while to the sales
manager, it is ensuring that nothing interferes with sales efforts and achieving targets. The legal department
sees it as a function of regulatory compliance, while a board member regards it as protection from personal
liability. To resolve this issue, an auditor helps an organization create a culture that is supportive of
information security. An auditor fosters a systematic thinking approach to understand the interactions and
consequences of addressing a particular situation, thereby avoiding a problem greater than the one being
addressed. An auditor can also help ensure that departmental isolation is reduced so the top management
gains a better picture of information risk and how it relates to overall organization risk.
Below, the role of an information security auditor is explained using the examples of a telecom organization
and a banking organization. During the interviews and literature research, it was realized that these two
organizations differ greatly from each other in terms of their information sets and the type of information
systems used for business operations; the common element, however, is that both depend on satisfactory
customer service for their existence. These examples explain how maximum value can be derived by raising
the potential of an information security auditor in two different, and yet so similar, information security
environments.
8.1 Raising potential of an information security auditor in a telecom company
Telecommunications companies are considered the backbone of any country’s economy. The amount of
information that flows through the telecom companies is enormous, and hence they have a very important
place in our society. Telecom companies are designated to provide telecommunications services by
intermediating the communications of others through facilities for the use of others’ communications.
Telecom operators therefore have a complex network, which comprises network elements belonging to
different vendors; these are mostly proprietary applications, operating systems and protocols, whose inner
workings remain unknown to the telecom operators. The scenario is more complex when network
management is outsourced through contracts with multiple network vendors.
Typical services provided by a telecom operator fall under three categories: Mobile, Fixed Line and Data
Services. Information security management in telecommunications organizations is required regardless of
the service or method. If information security is not implemented properly, the extent of telecommunications
risks regarding confidentiality, integrity and availability may increase. During the interviews it was mentioned
that most countries have security requirements as part of the telecom operator’s license terms and
conditions, which refer to enhancing security in the telecom operator environment and conducting
mandatory internal/external information security audits. Not adhering to these requirements could jeopardize
the license to operate.
Looking at the service portfolio of a telecom service provider, it can be said that if any of these three services
were to be attacked or impacted by information security incidents, the day-to-day lives of the many people
relying on the telecom services would also be impacted, taking the effects beyond the boundaries of the
telecom organization. E.g. if the mobile/data services were impacted, the subscribers would not be able to
make mobile calls, send messages, make mobile payments and/or use GPRS/3G/4G services. In such a
situation, the telecom operator not only suffers the direct financial loss, but also the reputation loss combined
with many knock-on after-effects.
Therefore, it is of paramount interest to the top management to keep information security controls updated
and accurately implemented according to the risks. The methods for protecting business information and
related assets in a telecommunications company must be appropriately audited in order to avoid significant
interference with telecommunications service delivery.
The figure below shows the organizational processes of a typical telecommunications organization. It is
important for an information security auditor to understand the functioning of these processes, which support
customer service delivery, and how they rely on information and information systems to a very large extent.
Knowledge of these business processes and related risks enables an information security auditor to
correlate the impacts of information security risks with the business processes, thereby enabling the top
management to understand the gaps.
Figure 9: Typical services & related business process in a telecom organization
As shown in the figure above, there are typically three types of services provided by a telecom organization:
the landline services, which are still considered the main communication facility for many businesses and
government institutions; the mobile services, which provide increased mobility to subscribers; and the data
services, enabling access to information anywhere and at any time. Irrespective of the service, the main
processes within them remain almost the same, as described above.
By understanding the deep relationship between the business activities and the related information security
risks, an auditor can help the top management of the telecom company understand how the information
security controls influence the flow of information throughout the organization amidst the increased size and
complexity of operations, changing technology and complexity of services, evolving regulatory requirements
and increasing demands of end customers.
As an information security auditor, one provides expert advice on how the business is impacted in case
information is compromised. E.g., if information about the development of new services and products is
leaked before their launch, a competitor might take advantage and launch a similar product or service before
the organization, leading to loss of finances and market position. Similarly, if the business information in the
supply chain and logistics business process (comprising the Procurement, Purchasing, Logistics and Stock
Management sub-processes) is unavailable, it could delay the delivery of telecom services to subscribers.
The revenue generation business process is typically a set of sub-processes such as the set-up of
Interconnect and Roaming Agreements, Cash Management, Financial Statement Close and Taxes activities,
etc. The role of an information security auditor in such a business process is to ensure that any regulatory
requirements and contractual obligations pertaining to information security are fulfilled.
The billing process is concerned with the production of timely and accurate bills, providing pre-bill usage
information and billing to customers, for both prepaid and postpaid subscribers. In addition, the customer
care part of this process handles customer inquiries about bills, provides billing inquiry status and is
responsible for resolving billing problems to the customer’s satisfaction. An information security auditor can
verify that access to critical customer information is restricted on a need-to-know basis and that customer
bills are accurately charged based on a correct data set.
As another example, all processes dealing with CDRs (Call Detail Records) are critical in terms of the
confidentiality and integrity of customers’ sensitive personal information. In most countries it is a legal
requirement, due to stricter privacy laws, to protect this sensitive information from unauthorized disclosure
and unauthorized modification. An internal information security auditor’s report may provide confidence to
the stakeholders that the sensitive information is protected appropriately.
Summarizing the arguments above, it can be concluded that an information security auditor can indeed be
indispensable for telecom companies; the trick is to realize the auditor’s true, deep potential.
8.2 Raising potential of an information security auditor in a bank
A banking institution is a combination of various complex business processes (such as insurance,
investments, retail, etc.) aimed at the exchange of money by accepting deposits and channelling them into
lending activities, either through loans or through the capital markets. In this way of working, a typical bank
depends heavily on information and information systems to provide its services.
Due to their influence within a financial system and an economy, banks are highly regulated in most
countries. That means they not only have to comply with strict regulations, but also survive in a market
where customers expect banks to be secure and to manage their information (personal information, but
most importantly also financial/transactional information) with the utmost care. Due to the complexity and
variety of the business models in a bank, only Internet banking has been discussed in this thesis and chosen
as the example to explain the potential of an information security auditor.
Internet banking (or online banking or e-banking) allows customers of a banking institution to conduct
financial transactions on a secure website operated by the institution. However, the rapid pace of
technological innovation has changed the scope, complexity and magnitude of the risks that banks face in
providing Internet banking. The security of a customer’s financial information is essential, without which
online banking could not operate; therefore banks across the world are required to have resilient operations
and processes that enable them to manage and respond to existing risks and to adjust to new risks.
During the case study research, it was noted that in March 2012, 1.5 million VISA and MasterCard records
were hacked, whereas in April 2012, a hacker stole 200,000 PayPal accounts and 2,701 bank card numbers
in the U.K. Although these threats are growing, the electronic medium and the Internet also create new
business opportunities to attract customers and sustain growth. In such a fast-paced information world, it is
no wonder that the demand for assessing information security implementations is at its peak.
An information security auditor in a bank can help avoid any major impact on its Internet banking by
assessing the risks to the entire information flow (and related components), exposure of which could have
severe ramifications for the bank. Typically, the information flow in an Internet banking service can be
classified into three categories, namely information service, interactive information exchange service and
transactional service.
Information service is the most basic form of online internet service. It is a one-way communication whereby
information, advertisements or promotional material are provided to the customers. Although the risks
associated with such online services are low, these services are often the targets of hacking.
A bank may suffer reputational harm from its website being hacked and defaced. An information security
auditor could help in identifying the vulnerabilities at the infrastructure level and avoiding any impact on the
bank’s business.
The interactive information exchange service offers slightly more interaction between bank and customer
than the former. Customers are able to communicate with the bank, make account enquiries and fill in
application forms to take up additional services or purchase new products on offer. An information security
auditor could assess whether there are any risks pertaining to direct links to the bank’s internal network or
technical vulnerabilities. These risks range from low to moderate depending on the connectivity between the
Internet and the internal network and on the applications that the customers can access.
Transactional services allow customers to execute online transactions such as the transfer of funds, payment
of bills and other financial transactions. This is the highest risk category and requires the strongest
information security controls and regular monitoring, since online transactions are often irrevocable once
executed. The bank’s Internet systems may be exposed to internal or external attacks if information security
controls are inadequate. A heightened element of risk is that attacks against Internet systems do not require
physical presence at the site being attacked. At times, it is not even clear or detectable when and how
attacks are launched from multiple locations in different countries.
To be able to assess the entire information flow in this type of service, an auditor should assess the People,
Process and Technology aspects of the information security controls, as described below:
People (internal/external/customers):
► Confidentiality Agreements – checking whether the internal/external staff have signed the confidentiality
agreements;
► Terms & Conditions of Online Banking Usage – ensuring that the terms & conditions of online banking
usage are accepted by the customers;
► Mandatory Awareness Training on the first login – reviewing the trends and results from the mandatory
awareness training on first login to the Internet banking system and providing recommendations for
improvements;
► Change of Password upon first login – attesting that the customers are mandated by the information
systems to change their passwords upon first login;
► Privacy Statement – checking whether the privacy statements are included in the customer and staff
contracts.
Process:
► Delivery of Online Username & Password – assessing the end-to-end process followed by the bank
to ensure that first-time online user credentials are delivered in a secure manner;
► Reset of Online Banking Passwords – checking how the user can reset the online banking password;
► Segregation of Duties – ensuring that duties regarding user administration are divided so that no one
other than the user can perform Internet banking transactions.
Technology:
► Technology – verifying the technology that is used for delivering the online banking solution to the
customers. Several methods (as listed below) can be used for authentication, and the auditor may
assess whether the chosen method is working successfully or not:
► Digital Certificates;
► One-Time Password Tokens;
► One-Time Password Cards;
► Browser Protection;
► Virtual Keyboards;
► Device Registering;
► CAPTCHA;
► Short Message Service;
► Device Identification, etc.
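The People and Process controls listed above are what an auditor would test against a population of online banking customer records. The following Python script is an added example, not from the thesis or from any bank's own tooling: it runs those tests over a constructed set of user records and reports, per control, the users in exception together with an overall compliance percentage. The record fields, the set of credential delivery channels treated as secure, and the five-minute grace period for the password change on first login are assumptions.

```python
"""Audit tests for the People/Process controls of an Internet banking service.

Added example, not the thesis's own material: the record fields, the delivery
channels considered secure and the first-login grace period are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class OnlineUser:
    """One Internet banking user as exported from the user database (constructed)."""
    user_id: str
    terms_accepted_at: Optional[datetime]       # None = T&C never accepted
    awareness_training_done: bool               # mandatory training on first login
    first_login_at: Optional[datetime]          # None = never logged in
    password_changed_at: Optional[datetime]     # None = still on the initial password
    credentials_delivered_via: str              # channel used for the first credentials


# Constructed sample population.
T0 = datetime(2012, 4, 1, 9, 0)
USERS = [
    OnlineUser("c001", T0, True, T0 + timedelta(hours=1),
               T0 + timedelta(hours=1, minutes=2), "branch"),
    OnlineUser("c002", None, True, T0 + timedelta(days=1),
               T0 + timedelta(days=1, minutes=1), "registered-post"),
    OnlineUser("c003", T0, False, T0 + timedelta(days=2), None, "branch"),
    OnlineUser("c004", T0, True, T0 + timedelta(days=3),
               T0 + timedelta(days=9), "email"),
    OnlineUser("c005", T0, True, None, None, "branch"),   # never logged in
]

# Assumed: only these channels count as secure delivery of first credentials.
SECURE_DELIVERY = {"branch", "registered-post"}
# Assumed: the forced change must happen within the first session.
FIRST_LOGIN_GRACE = timedelta(minutes=5)


def exceptions_for(user):
    """Return the names of the controls this user fails (empty list = compliant)."""
    ex = []
    if user.terms_accepted_at is None:
        ex.append("terms-and-conditions")
    # Training and password-change controls only apply once the user has logged in.
    if user.first_login_at is not None:
        if not user.awareness_training_done:
            ex.append("awareness-training")
        changed = user.password_changed_at
        if changed is None or changed - user.first_login_at > FIRST_LOGIN_GRACE:
            ex.append("password-change-on-first-login")
    if user.credentials_delivered_via not in SECURE_DELIVERY:
        ex.append("credential-delivery")
    return ex


def audit_report(users):
    """Map each control to the users in exception and give a compliance ratio."""
    by_control = {}
    for u in users:
        for control in exceptions_for(u):
            by_control.setdefault(control, []).append(u.user_id)
    compliant = sum(1 for u in users if not exceptions_for(u))
    return {
        "exceptions": by_control,
        "compliance_pct": round(100 * compliant / len(users), 1),
    }


if __name__ == "__main__":
    report = audit_report(USERS)
    for control, ids in report["exceptions"].items():
        print(f"{control}: {', '.join(ids)}")
    print(f"compliant users: {report['compliance_pct']}%")
```

In practice USERS would be populated from an export of the Internet banking user database, and the per-control exception lists are kept as the audit trail behind each finding, which is what lets the finding be rescored for the dashboard in the next review cycle.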
9 Summary
The final chapter of this thesis presents the conclusion that answers the main research question of this study.
Finally, a reflection upon the research, a discussion of the results, and suggestions for further research are
offered.
9.1 Conclusion
For this study, the following main research question was defined:
What are the business benefits of Information Security Audits?
While many organizations still view information security and its audits as a cost, it has been shown through
literature research and interviews that effectively managed information security audits are instrumental in
helping an organization meet its business goals by improving efficiency and aligning with business
objectives. Practical experience of the interviewees is that organizations too often view information security in
isolation: the perception is that information security is someone else’s responsibility and there is no
collaborative effort to link the information security program to business goals. It is easy for this
compartmentalized approach to lead to weaknesses in information security management, possibly resulting
in serious exposure. That’s where information security audits bring the benefits of information security
controls to the forefront and ensure that any negative exposure of business information is avoided, before it’s
too late.
Information security audits are considered a strategic asset or a driver of business value. From a financial
perspective, information security audits prevent unnecessary expenditure on information security and control
caused by a lack of comprehension of business needs. From an operational perspective, information security
audits enable organizations to drive information security efforts in the right direction to achieve the intended
business benefit and avoid negligence, resulting in the aversion of risks to information.
Further, the implementation of information security audits helps the organization streamline its internal
processes and technologies, resulting in the safeguarding of organizational assets, continuous improvement,
and increased efficiency of the overall business. Information security audits ensure that the gaps and
weaknesses in the ongoing business processes, technical configurations and operations are properly
identified and acted upon in a timely manner. By conducting information security audits, one can ensure that
an organization is immune to various known risks (comprising varied threats and vulnerabilities).
The need is to redefine the role of the information security auditor and move toward a full partnership role
with management. It is now more important than ever that the information security auditor becomes involved
in supporting and helping implement corporate governance in information security and management.
In support of the conclusion on the main research question, the following sub-research questions were
answered:
1. How to Protect Business Information?
There are many ways to protect critical business information; however, for protection to be effective, efficient
and repeatable it is important to follow a proven framework of a tested management system (like the one
endorsed by ISO/IEC 27001:2005). An information security management system provides a systematic way
to manage information security risks and implement the controls. This way of working with a
Plan-Do-Check-Act cycle involves aligning the information security implementation with the assessed risks
and performing an audit that reviews the ISMS design, its existence and the operational effectiveness of the
information security controls.
To protect critical business information, its related risks and their potential impact due to loss of
confidentiality, integrity and availability are assessed. Based on the identified risks, decisions are made to
implement information security controls, leading to the protection of business information.
2. How to measure if information security controls meet business objectives?
One of the common methods applied for the measurement of information security controls is the CMMI
(Capability Maturity Model Integration) model. Using CMMI levels, an information security auditor can verify
and validate whether these information security controls are doing their job properly, thereby keeping the
organization out of trouble. Using the CMMI levels (from 1 to 5), an internal information security auditor can
assign a score to each individual information security control based on the audit findings, supported by an
audit trail. The measurements produced through the application of the CMMI model, resulting in the output
from internal audit, can contribute as inputs to the process of reviewing the existing controls and determining
whether they should be changed or improved.
3. What benefits can information security audits bring to an organization?
As an outcome of information security audits, an organization can find out how good or bad its security
condition is, so that a decision can be made whether or not to rely on the information provided to
management. It makes the organization take control of its business processes so that better business
decisions can be made based on a reliable set of information. Information security audits can also provide a
better view of any gaps between what the organization’s management wants and what is delivered.
4. What are the possible ways to make information security benefits more visible in the organization?
In the field of information security, benefits cannot be correctly and quantifiably measured as a concrete gain,
but rather as a reduction in risk and losses. There are various possible ways to make information security
benefits more visible in the organization, including management dashboards for risk aversion, cost savings,
number of avoided incidents, number of detected frauds, etc., or preparing e-learning modules. Other
methods include internal publications through newsletters, pamphlets, brochures, etc.
5. How can an information security auditor help?
An information security auditor can help an organization find out how risks have changed since they were
last assessed, whether there is any lack of funding, and identify cultural issues and any internal and external
threats to business information and processes. Further, the risk of being exposed before the eyes of
management induces staff to keep within the compliance of organizational policies and procedures, to avoid
errors of omission or commission.
9.2 Result discussion
Increasingly, top management is realizing the significant impact that information can have on the success of
the organization. Management expects a heightened understanding of the way information is handled and
the likelihood of its being leveraged successfully for competitive advantage.
Looking at the results of this thesis, I realize that information security audits can be used as a supporting tool
set that allows organizations to bridge the gap with respect to control requirements, technical issues and
business risks, and to communicate that level of self-control to stakeholders. It enables the organization to
take full advantage of its business information, thereby maximizing benefits, capitalizing on opportunities and
gaining competitive advantage. As an outcome of the information security audits, management is also able to
optimize the use of available information resources, including information, services, processes, applications,
infrastructure and people.
Through this thesis, it has been demonstrated that information security audits can prove to be highly
beneficial for the organization if the true deep potential of an internal information security auditor is tapped.
The need is to provide a stage to the auditors to prove that Information security is a board-level priority and
should be provided with visibility, accountability and value.
9.3 Further research
During this study, a number of topics were identified during the interviews that could be used for future
research; a few of these topics are discussed below:
Implementation of an ISMS using the Plan-Do-Check-Act cycle
In this study, it is not described how to implement an information security management system (ISMS). An
ISMS implementation varies per organization and depends on its management objectives, goals for
information security and the risks to its business information. An attempt has been made to describe the
details of each of the phases of the Plan-Do-Check-Act cycle, but the intention of this thesis is not to detail
the steps leading towards a successful implementation of an ISMS aligned with ISO/IEC 27001:2005. This is
an area that the reader is encouraged to research further.
Certification of ISO/IEC 27001:2005 and its benefits to the organization
Since the scope of this thesis has been limited to internal information security audits only, the pros and
cons of achieving an ISO/IEC 27001:2005 certification are not discussed. The goals for certification again
vary per organization. Experience has shown that some organizations obtain certification to satisfy
customer demands, some just to qualify for tenders and some to align themselves with the standard.
The reader is encouraged to delve deeper into this area.
Other models to measure information security controls
In chapter 5 (section 5.3), the CMMI model for measuring the information security controls has been
discussed. Although CMMI is one of the most common frameworks, organizations also apply other models
such as COBIT, the KAD model, the INK model, etc. to measure the maturity of information security controls.
The reader is advised to consider these different models and to research further which model is most
suitable for them.
Appendix A Terms & Definitions
*Audit
Systematic, independent and documented process for obtaining audit evidence and evaluating it objectively
to determine the extent to which the audit criteria are fulfilled.
*As part of this thesis, audits are only considered from an internal information security audit perspective and
not from a compliance audit point of view or any other audits.
NOTE 1 Internal audits, sometimes called first party audits, are conducted by the organization itself, or on its
behalf, for management review and other internal purposes. Internal audits can form the basis for an
organization’s self declaration of conformity.
NOTE 2 External audits include second and third party audits. Second party audits are conducted by parties
having an interest in the organization, such as customers, or by other persons on their behalf. Third party
audits are conducted by independent auditing organizations, such as regulators or those providing
certification.
Audit criteria
Set of policies, procedures or requirements used as a reference against which audit evidence is compared.
Audit evidence
Records, statements of fact or other information which are relevant to the audit criteria and verifiable.
Auditee
Organization or individual being audited
Auditor
Person who conducts an audit
Audit programme
Arrangements for a set of one or more audits planned for a specific time frame and directed towards a
specific purpose
Audit scope
Extent and boundaries of an audit
Asset
Anything that has value to the organization.
Availability
The property of being accessible and usable upon demand by an authorized entity.
Confidentiality
The property that information is not made available or disclosed to unauthorized individuals, entities, or
processes.
Conformity
Fulfillment of a requirement
Control
Means of managing risk, including policies, procedures, guidelines, practices or organizational structures,
which can be of administrative, technical, management, or legal nature. Control is also used as a synonym
for safeguard or countermeasure.
Information security
Preservation of confidentiality, integrity and availability of information; in addition, other properties such as
authenticity, accountability, non-repudiation and reliability can also be involved.
Information Security Risk
An undesired event that exploits a weakness in an asset and causes a negative impact through the loss of
confidentiality, integrity or availability of that asset.
Integrity
The property of safeguarding the accuracy and completeness of assets.
Risk
The potential that a given threat will exploit vulnerabilities of an information asset or group of information
assets and thereby cause harm to the organization.
Risk management (definition from the CISA review manual)
The process of identifying vulnerabilities and threats to the information resources used by an organization
in achieving business objectives, and deciding what countermeasures, if any, to take to reduce risk to an
acceptable level, based on the value of the information resource to the organization.
Management system
System to establish policy and objectives and to achieve those objectives.
Appendix B Bibliography
The following literature is used in this thesis:
Standards
► ISO/IEC 27001:2005
► ISO/IEC 27004:2009
► ISO/IEC 27011:2008
► ISO/IEC 17021:2011
► ISO/IEC 19011:2011
► ISAE 3402 framework
Books
► Accounting Information Systems and Internal Control – Eddy Vaassen
Thesis
Web pages, Articles and White papers
► Internal Auditor Magazine – December 2011 (internalauditoronline.org)
► Just below the surface – by Jatin Sehgal & Andrea Craig, www.Norea.nl
► Slimmer zijn dan je criminele opponent – by Jatin Sehgal, www.automatiseringgids.nl
► http://en.wikipedia.org/wiki/Information_security
► http://www.netcoach.eu.com/index.php?id=36
► http://www.isaca.org/Knowledge-Center/BMIS/Documents/IntrotoBMIS.pdf
► http://www.irca.org/en-gb/about/management-systems-auditing
► https://www.checkpoint.com/smb/help/safeatoffice/8.0/7066.htm
► http://www.auditing.arollo.com/external-internal.html
► http://www.bankinfosecurity.com/privacy-c-151
► http://docs.bankinfosecurity.com/files/whitepapers/pdf/416_BIS_Security_and_Financial_Services_Accenture.pdf
► http://www.thedailybeast.com/newsweek/2012/04/08/security-breaches-shake-confidence-in-credit-card-safety.html
► http://www.paramountassure.com/consulting/information_security.html
► http://en.wikipedia.org/wiki/Auditing_information_security
► http://en.wikipedia.org/wiki/Bank
► http://en.wikipedia.org/wiki/Online_banking
► http://www.isaca.org/Knowledge-Center/cobit
► http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/An-Introduction-to-the-Business-Model-for-Information-Security.aspx
Appendix C Interview Questions
As part of this thesis, many interviews were conducted with experts from various organizations in
countries such as the Netherlands, Norway, Belgium, Luxembourg and Germany. The interview questions
addressed the business benefits of information security audits.
The goal of these interviews was to discuss the manner in which the benefits of information security and related
audits are realized across different organizations in different geographies. The results of these interviews
have been used in this thesis, which forms part of the curriculum of the postgraduate study programme in EDP
auditing at VU University Amsterdam.
As a token of appreciation for the willingness of the interviewees to cooperate, a copy of the final thesis will
be sent to them. All the information gathered from the interviews is treated as confidential and has been used
in this thesis anonymously.
The following questions provide an indication of the type of questions being asked during the interviews.
Where possible and necessary, these questions were constructed differently to obtain related information
from the interviewees:
Q1. In your opinion, why is an ISMS important for your business in protecting business information?
Q2. According to you, how can a management system be audited to ensure protection of business information?
Q3. In your opinion, what can be done to provide Information Security enough coverage throughout the organization, so it is not just an IT project?
Q4. What are your suggestions on achieving operational effectiveness within an organization with information security controls?
Q5. How according to you can information security controls be validated and verified?
Q6. What are your suggestions to make information security benefits more visible in the organization?
Q7. What benefits can information security audits bring to an organization?
Q8. Please explain how you utilize the deep potential of an information security audit to achieve overall business vision?
Appendix D An example key performance indicator (KPI)
Information Security Control or control objective: Clause 5.2.2.d [27001:2005], Training, awareness and competence.
The organization shall ensure that all personnel who are assigned responsibilities defined in the ISMS are competent to perform the required tasks by: d) maintaining records of education, training, skills, experience and qualifications.
Purpose of measure:
► To establish the control compliance and report to the top management.
► To ensure the business objectives for information security trainings are achieved.
Measurement calculation details: Calculation function, expressed by the formula:
RW_ISMS = WE_ISMS / WSE_ISMS
In which:
WE_ISMS = Σ workers who have received training in ISMS according to the ISMS annual training plan.
WSE_ISMS = Σ workers, affected by the ISMS scope, who have to receive training in ISMS.
Stakeholders:
Owner: Human Resource – Training Manager
Customer: ► Top Management ► ISMS Manager ► Security Management ► Training Management
Collector: Training Management – Human Resource Department
Communicator: Top Management
Reviewer: ISMS Manager
Life cycle: Frequency of collection: monthly, first working day of the month.
Criteria: RW_ISMS (0–0.99 unsatisfactory, 1 correct).
If in the second quarter RW_ISMS < 0.8 (unsatisfactory), then increase training.
If at the end of the year RW_ISMS is unsatisfactory, review the training budget and training plans.
Indicator: Effects/impact: ISMS non-compliance
Causes of deviation:
► Low budget.
► Ineffective training plan.
► No appropriate allocation of work shifts to allow training.
► Shortage of personnel for allocation of work shifts with personnel in training.
Remarks: In case the number of workers changes during the period of analysis, it will be noted that a hypothetical value of RW_ISMS > 1 (decrease in number of workers) will be taken as RW_ISMS = 1.
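An added worked example (not part of the thesis) that computes this KPI from constructed training records, applying the cap from the Remarks and the second-quarter and year-end criteria; the Worker record fields and the treatment of trained workers who have since left are assumptions.

```python
# Added example, not from the thesis: computing the Appendix D KPI
# RW_ISMS = WE_ISMS / WSE_ISMS from constructed HR training records.
from dataclasses import dataclass


@dataclass(frozen=True)
class Worker:
    """One training record (constructed schema, an assumption)."""
    name: str
    in_scope: bool       # affected by the ISMS scope, so must be trained
    trained: bool        # trained according to the ISMS annual training plan
    active: bool = True  # still employed on the collection date


def rw_isms(workers):
    """Return RW_ISMS for one monthly collection, capped at 1.

    Assumption: WE_ISMS counts every worker trained under the plan, including
    those who left during the period (their training records remain), while
    WSE_ISMS counts in-scope workers still employed. A shrinking headcount can
    therefore push WE above WSE; the KPI sheet takes such values as 1.
    """
    we = sum(1 for w in workers if w.trained)
    wse = sum(1 for w in workers if w.in_scope and w.active)
    if wse == 0:
        raise ValueError("no in-scope workers: RW_ISMS is undefined")
    return min(we / wse, 1.0)


def classify(rw):
    """0-0.99 is unsatisfactory; exactly 1 is correct."""
    return "correct" if rw >= 1.0 else "unsatisfactory"


def action(rw, month):
    """Criteria: Q2 (months 4-6) below 0.8 -> increase training;
    unsatisfactory at year end (month 12) -> review budget and plans."""
    if 4 <= month <= 6 and rw < 0.8:
        return "increase training"
    if month == 12 and classify(rw) == "unsatisfactory":
        return "review training budget and training plans"
    return "none"


# Constructed May collection: 10 in-scope staff, 7 trained -> 0.7 (below 0.8 in Q2)
MAY = [Worker(f"w{i}", True, i < 7) for i in range(10)]
# Constructed December collection: 5 in-scope staff all trained, plus 2 trained
# staff who left -> WE = 7, WSE = 5, ratio 1.4 capped to 1
DECEMBER = [Worker(f"w{i}", True, True) for i in range(5)] + [
    Worker("left1", True, True, active=False), Worker("left2", True, True, active=False)]

if __name__ == "__main__":
    for month, records in ((5, MAY), (12, DECEMBER)):
        rw = rw_isms(records)
        print(month, round(rw, 2), classify(rw), action(rw, month))
```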