@ISACA Volume 13, 1 July 2015

Five Areas for Big Data Systems Auditing

By Leighton Johnson, CISA, CISM, CIFI, CISSP

With the advent of the Internet of Things (IoT) and the extensive use of big data, there are 5 key areas for auditors and security professionals to focus on when reviewing big data systems, IoT systems and their deployments. These 5 areas are:

  1. Structured data sources—This area for review covers the standard materials auditors have concentrated on for years such as files and folders, databases, spreadsheets and office documents, and data warehouses (type and structure). Typical audit actions, requirements and reviews are conducted in this area.
  2. Unstructured data sources—This area contains some of the newer focal points to examine. It includes nontransactional data structures (e.g., blogs, chats, collaborative environment data), machine-to-machine (M2M) data (including IoT data), sensor data feeds (e.g., global positioning system [GPS] data), and email and data from other communications. As unstructured data sources are incorporated into normal corporate-level data elements, auditors must focus on users and their privileges for the data (authentication and access control mechanisms), scripting elements in the machine-level activities, the sources of the data and the criteria for accepting them, receipt, modifications made to the data before installation, and the process actions for transitioning the data into the resident data management system.
  3. Real-time data feeds—This area includes social media feeds (e.g., Facebook, Twitter, LinkedIn) and news data feeds (e.g., rich site summary [RSS] sites, Reuters, Associated Press). Making sure that recorded information is not overwritten when updated or deleted is critical for auditing purposes, especially for regulated industries. The system needs to maintain audit trails of who is accessing the data and how the data are being used in order to capture and preserve any changes made to an electronic record. Each of these areas needs audit reviews and tracking processes.
  4. Time-sensitive data—This area includes log files (e.g., device logs, transactional logs, packet captures). Log data and the organizational security information and event management (SIEM) tool utilization are often areas of focus for audit and review. Ensure the full scope of the available logs is incorporated into the SIEM system. Verify that audit reduction activities are properly used, deployed and tracked in accordance with industry and compliance requirements.
  5. Metadata about data—The metadata for the various data elements and sources are often the first area for an auditor to examine in a big data system, since they describe the capture and attribution of the data elements. This dataset needs to be maintained so that it is current and available. Auditing metadata is important to the overall verification and validation of the system, its business usage and the compliance requirements for the organization.

Leighton Johnson, CISA, CISM, CIFI, CISSP, is a senior security consultant for the Information Security & Forensics Management Team of Bath, South Carolina, USA.


Earn CPE at Data Protection Webinar


Detective and preventive controls can help organizations mitigate the vulnerabilities that could lead to data breaches. To provide organizations with strategies to keep their data secure, ISACA has partnered with Oracle to create the “Securing Data in the Age of Mega Breaches” webinar. This webinar will take place on 9 July at 11AM CDT (UTC -5 hours). ISACA members can earn 1 continuing professional education (CPE) hour by attending the webinar and passing a related quiz.

Troy Kitch, senior principal director of security software at Oracle, will lead this webinar. Kitch has more than 15 years of experience with subjects such as data availability, recovery and protection. In this webinar, he will help attendees develop a framework that can be used to deploy security controls. This framework will preserve the value of data and will deploy controls in an efficient and cost-effective manner.

To learn more about this webinar or to register for it, visit the “Securing Data in the Age of Mega Breaches” page of the ISACA web site.


New Volunteer Opportunity: Subject Matter Experts Needed to Review ISACA Privacy Principles


ISACA invites you to volunteer as a subject matter expert (SME) to review the ISACA Privacy Principles and Program Management Guide draft.

Volunteers are a key contributing factor to the success of this research. If you have expertise in the area of privacy and are enthusiastic about participating and sharing some of your time, please consider reviewing the draft of this global guide.

Volunteers will be given confidential materials and will be asked to submit their comments at a particular time and within the terms designated for this review process. The requirements for SME volunteers for the privacy guide are that you have knowledge of and interest in privacy and data protection and that you agree to the participation agreement requirements.

Please consider volunteering. The project is expected to begin in early August. For more information on how to participate, contact research@isaca.org.


The Death of the Tick Mark and the Birth of the Rock Star Internal Auditor

By Dan Zitting

Tick marks, in the internal audit context, emerged from use in external financial auditing. In financial statement audits, for which the core goal is to foot, sum, agree, tie and recalculate until the auditor is reasonably sure that the numbers presented are accurate, tick marks, such as the following, are very useful:

  • IM: Immaterial
  • TB: Agrees to trial balance
  • PY: Prior year
  • ^: Calculation foots

Internal audit is charged with a very different task. The Institute of Internal Auditors defines internal auditing as “…an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.”

So then, why is so much time spent preparing and reviewing endless detailed documents using the Auditing for Dummies approach?

It should be obvious that when charged with the responsibility to “add value and improve an organization’s operations,” 99% of the tick marking auditors are doing (and thus, by extension, the manual review of detailed, line-item information) is an enormous waste of time.

Auditing What Really Matters
During my time spent in client services for the Big Four, essentially every organization I encountered expressed intense concern over the topic of employee retention and loss of top talent. The war for talent is no small matter. Competition for skilled, loyal employees and executives is fierce.

Although senior management at each of these organizations is often well aware of the problem and worried about the negative impact that turnover can have on the bottom line, they often have no concrete data on the rate of loss, the risk factors causing the losses, where the talent is going or the actual amount of damage to the company’s balance sheet.

This prompts the question: Why have people in the audit department not considered performing an audit on this area of the business? Information outlining the loss of skilled professionals would not only bring the issue to the forefront, but it would also shed light on why this might be happening and what can be done to mitigate the problem. However, I have never seen “Talent Retention” listed as one of the audits in the annual audit plan.

Other key areas of risk that auditors might focus on, as opposed to mulling over minuscule financial details, include competitive pressure and sales functions. Why not take a look at divisions of the business that are not building pipelines fast enough in order to meet sales goals?

Eradicating the tick mark and what it symbolizes is just the first step in making groundbreaking progress toward industry-wide transformation.

Read more on the KnowledgeLeader web site.

Editor’s Note: © 2015 Protiviti Inc. All rights reserved. This article was excerpted with permission from Protiviti’s KnowledgeLeader, a subscription-based web site that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA members receive a discount on an annual subscription to the service.


Book Review: The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud)

Reviewed by Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA

The CERT Guide to Insider Threats is a glossary of incidents and insider attacks that serves as a casebook and an in-depth reference on information security insider threats and fraud. This book is not only relevant to IT and security professionals, but also to entrepreneurs and business managers, as it helps to build profiles of criminal minds and fraudsters whose actions can lead to reputational damage and financial losses.

While most texts on the subject may dwell either on examples of threats or techniques to combat them, the authors of this book cover both, doing full justice to the issue.

The book methodically outlines the plethora of malicious insider threat attacks and profiles the characteristics of attackers who may have been past or current employees, business partners and other stakeholders dealing with the organization. The various types of insider fraud (e.g., sabotage, data privacy crimes) are extensively reviewed in their different forms. The book contains detailed criminal profiling of malicious insiders, which includes information on their underlying motivations, techniques they use, organizational issues they pose and incident-alert triggers. This information prepares the reader to understand what to do when such events occur and how to detect and prevent them appropriately.

The authors provide methodologies and techniques that arm the reader with the ability to protect both their organizational systems and business data. This book contains a comprehensive reference for the body of knowledge on insider threats and is an excellent value. A number of the detailed incidents outlined in the book have led to interviews by the CERT Insider Threat Center with the victims of such cases and the perpetrators of such crimes. The variety of profiles in the book leads to a multifaceted overview of the current issues in this not-so-well-documented aspect of cybersecurity.

The book begins with what an insider threat is and how the CERT Insider Threat Center addresses such threats with models. The next 3 chapters give an overview of the 3 types of insider threats analyzed by the book: insider IT sabotage, theft of intellectual property and fraud. The 5th chapter gives a review of threats in the software development life cycle (SDLC), in which each phase and relevant threat issues are analyzed.

Mitigation strategies are covered in the 6th and 7th chapters, and chapter 7 is also relevant to technical security experts who need detailed information on new controls that can serve to address insider threats. The 8th chapter contains a collection of cases that are summarized to enable case referencing by organization type and industry sector.

Overall, this book is worthwhile for all IT and business management to ensure adequate knowledge of insider risk management and controls set up to ward off the surge of insider threats.

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) is available from the ISACA Bookstore. For information, visit the ISACA Bookstore online or email bookstore@isaca.org.

Ibe Etea, CISA, CRISC, CA, CFE, CIA, CRMA, is a corporate governance, internal controls, fraud and enterprise risk assurance professional. Etea also serves as a member on the advisory council of the Association of Certified Fraud Examiners (ACFE).