Internal security audits are a valuable source of information and highlight the areas that require attention, but do not be overly driven by their findings and recommendations.
Excessively strengthened security controls can impact the business negatively. Security-related audit findings must be viewed in the context of the relationship between business goals, the threat profile and the security controls. Security management and internal audit are two separate streams, but they are driven by similar goals and fundamentally can be two sides of the same coin.
Sometimes, security controls are appropriate for the infrastructure but not relevant for the business itself. This results in the organization's internal audit team finding weaker security controls within the infrastructure. In such situations, collaboration between security management, internal auditors and the business must resolve the trade-off between compliance and noncompliance with the organizational security policies. Security management must be able to explain the business rationale for the weaker controls to the auditors and, at the same time, communicate clearly to the enterprise's management the risks of not being compliant with the strengthened security policies. By doing so, security management ensures that the risk is understood and accepted by management.
Utilizing a risk-based approach to the security management practice and to internal audit can enable both streams to add value to the organization. It can help security management to identify and prioritize the more vulnerable components of the infrastructure and address those exposures appropriately. Similarly, a risk-based audit approach can help auditors to perform audits on the more critical parts of the infrastructure, understand the business requirements properly, and reduce time and cost by conducting a more focused audit.
Enterprises' data centers are increasingly being managed by outsourcing partners. When it comes to partners' compliance with an organization's security policies, outsourcing contracts that are poorly defined with regard to security can raise financial and fulfillment issues, putting the whole business at risk. Therefore, security management must be involved in every stage of the outsourcing lifecycle, from initial negotiations through to sign-off and maintenance of the contract. Additionally, security management must bring management, internal auditors and outsourcing partners to an agreement on the best solution and the way forward for the organization while mitigating the risks highlighted by the audit team.
Well-defined security management practices, and their alignment with the business and with internal security audit, ensure the protection of the organization's information, data and IT services, and help the organization to meet its objectives. As larger organizations increasingly adopt outsourcing strategies, the onus on the security management practitioner is growing too. With new threats emerging and technologies evolving, ensuring the overall security of the organization can become a challenge from cost, process and effort standpoints if outsourcing contracts do not also accommodate security policy updates. Hence, it is critical that business management involves its security management practice when outsourcing its infrastructure.
Depending on the organization's business goals, resources and threat profile, security management can take a risk-based approach to advise which components of the infrastructure should be outsourced while remaining compliant with policies and mitigating the findings of the internal audit team. Security management and internal audit must work hand in hand to effectively secure the business. Otherwise, the two streams can become counterproductive to the cause.
Muhammad Waheed Qureshi, CISA, CIPP/IT, CISSP, ITIL V3 Foundation
IT Security Analyst, Accenture, Sweden