What Every IT Auditor Should Know About Auditing Information Security
By Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP
Volume 2, 2007
Much has been written about information security and how to manage or audit it. The approach to auditing any specific information technology (IT) is similar in the nontechnical aspects: IT auditors complete a risk assessment based on some "model" of that IT. For information security management and audits, a commonly used model is confidentiality, availability and integrity (CAI). These characteristics of information are considered those most commonly protected.1 Herein, this model will be referred to as the information security (infosec) triangle (see figure 1).

Some models add to the three basics. For instance, authors of "Understanding Data Classification Based on Business and Security Requirements," published in the Journal, vol. 5, 2006,2 added the following components:
- Access and authentication
- Privacy
- Ownership and distribution
- Data retention
- Auditability
Nevertheless, across the infosec profession, the CAI model is commonly accepted as the prescription model for analyzing, managing and auditing information security. For example, in the book by John McCumber, Assessing and Managing Security Risk in IT Systems: A Structured Methodology, the second chapter is titled "Defining Infosec: Confidentiality, Integrity, and Availability."3
This article will demonstrate ways this approach could be used in auditing information security.
The first component of the infosec triangle is confidentiality. Confidentiality relates to the security of sensitive data, i.e., keeping sensitive data confidential. Confidentiality risks are compounded by recent, relevant legislative Acts. The US Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires adequate protection for patient information, especially during electronic transmission.4 Controls must be implemented to properly secure medical records from unauthorized access, be it by members of the medical staff who do not need to know the information, or persons external to the health facility.5 The specific location of sensitive data is important in attaining an adequate level of confidentiality.6 The US Gramm-Leach-Bliley Act (GLBA) similarly affects the financial services industry in that institutions have to design, implement and maintain proper controls to protect customer information.7 In the US, for example, not only federal but also state laws affect confidentiality. California set the precedent with SB 1386, which requires organizations to notify California residents when a security breach is detected that either resulted in, or may have resulted in, the theft of personal information (the law specifies what constitutes personal information). Other US states are passing similar legislation.
The second component, availability, refers to the fact that information is available from the systems and technologies in a timely fashion. Some entities, and even some industries, require access to information 24/7. For example, consider the negative financial and publicity impact if eBay's web site were not available for several days, or even a few hours. Any organization that relies on IT for business processes, and/or IT that houses frequently used information, is susceptible to outages and unavailability that can have deleterious effects. The infosec component of availability also includes recovery time, in case of an incident.8
The third component of the infosec triangle is integrity. Data must be protected from anything that affects their integrity. That begins with the input of data into systems, the processing of data, and the security of data over time to make sure no unauthorized changes occur. Data's integrity can be adversely affected while they are in storage or in transit (electronically). Generally speaking, auditors are naturally inclined to understand, manage and audit data integrity because of their education, skills and instincts.
IT auditors need to understand that examining the same object using the three components of the infosec triangle can lead to different risk assessments or estimated losses due to an incident. For instance, protecting the availability of personal information has a very different risk than its confidentiality because of legislation such as HIPAA and the consequences.
To illustrate, two items that might be evaluated in an IT audit that involves information security are shown in figure 2 (note: for this example, the conclusions are strictly illustrative and not absolutes).

The first object is Internet connectivity. If the organization is connected to the Internet, then it has some risk associated with malicious-minded intruders. Thus, the IT auditor would think through those risks in terms of confidentiality, availability and integrity. For confidentiality, the issue is about personal information that is being kept in computer files: is that information accessible through the entity's Internet connection? A second and different risk is whether the unavailability of the Internet connection would adversely affect the business or service of the entity, or its information for decision making. That risk is directly proportionate to the degree of reliance of the entity on Internet access in performing its business processes. The more the organization is reliant on the Internet, the greater the risk. Finally, the IT auditor considers the integrity of data. Akin to the first item, this risk is primarily associated with unauthorized access to financial data or accounting information systems via the Internet. That risk could arise from employees who have remote access, from external hackers or from the use of the Internet in performing business processes. For example, an entity could be processing key applications using an application service provider (ASP), remote web-enabled applications or other similar functionalities over the Internet. If the business processes are embedded in the Internet, then the integrity risk might be high.
Another example infosec object is a portable storage device, e.g., a USB drive, thumb drive, jump drive or flash drive. These devices are now able to store gigabytes of data and even applications. For example, what is the risk that an employee of a large bank can download customer files to a thumb drive and then accidentally lose it or have it stolen? A similar situation occurred recently when thieves stole a laptop from an employee of the US Veterans Administration. The employee had downloaded thousands of records containing personal information of veterans from the mainframe system. Before it was discovered who had taken the laptop, much ado was made of the confidentiality risk associated with its theft. Confidentiality issues could be a concern regarding USB drives, e.g., theft of personal information. With a USB drive, it is not difficult to download the data and walk out the door of the entity undetected. Availability, however, might carry so little risk that it is considered too nominal to need controls. Not many entities would have business processes heavily dependent on USB drives. Integrity could be an issue if the entity stores financial data on USB drives or uses them for business processes, however unlikely that is.
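The two objects above are assessed informally in the text; the following is an added example, not part of the article, showing how an auditor might record such an assessment so that the three dimensions of one object can be compared and nominal-risk dimensions flagged. The likelihood and impact scores, the reliance factors, the rating bands and the nominal threshold are all constructed for illustration and are not audit findings. The only rule taken from the article is that availability risk is scaled by the entity's degree of reliance on the object.

```python
"""Added illustration: scoring an audit object on the infosec triangle.

Each object carries a (likelihood, impact) pair per dimension on a 1-5 scale.
Availability likelihood is multiplied by a 0.0-1.0 reliance factor, following
the article's point that availability risk is proportionate to reliance.
All numbers below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

DIMENSIONS = ("confidentiality", "availability", "integrity")

# Constructed rating bands on the likelihood x impact score (max 25).
HIGH_BAND = 15
MEDIUM_BAND = 6
# Constructed threshold: at or below this, the dimension is treated as too
# nominal to warrant dedicated controls (as the article says of USB availability).
NOMINAL_THRESHOLD = 4


@dataclass
class AuditObject:
    name: str
    ratings: Dict[str, Tuple[int, int]]  # dimension -> (likelihood, impact), each 1-5
    reliance: float = 1.0                # how dependent business processes are on it

    def __post_init__(self) -> None:
        # Reject incomplete or out-of-range assessments early.
        for dim in DIMENSIONS:
            if dim not in self.ratings:
                raise ValueError(f"{self.name}: missing rating for {dim}")
            lik, imp = self.ratings[dim]
            if not (1 <= lik <= 5 and 1 <= imp <= 5):
                raise ValueError(f"{self.name}: {dim} ratings must be 1-5")
        if not 0.0 <= self.reliance <= 1.0:
            raise ValueError(f"{self.name}: reliance must be between 0 and 1")


def score(obj: AuditObject, dimension: str) -> float:
    """Likelihood x impact; availability likelihood scaled by reliance."""
    likelihood, impact = obj.ratings[dimension]
    if dimension == "availability":
        likelihood = likelihood * obj.reliance
    return round(likelihood * impact, 1)


def rate(s: float) -> str:
    if s >= HIGH_BAND:
        return "high"
    if s >= MEDIUM_BAND:
        return "medium"
    return "low"


def assess(obj: AuditObject) -> Dict[str, dict]:
    """One row per dimension: score, rating and whether controls are warranted."""
    return {
        dim: {
            "score": score(obj, dim),
            "rating": rate(score(obj, dim)),
            "controls_needed": score(obj, dim) > NOMINAL_THRESHOLD,
        }
        for dim in DIMENSIONS
    }


def highest_risk_dimension(obj: AuditObject) -> str:
    """The dimension an auditor would examine first for this object."""
    return max(DIMENSIONS, key=lambda dim: score(obj, dim))


# Constructed sample objects mirroring the article's two illustrations.
SAMPLE_OBJECTS = {
    "internet_connectivity": AuditObject(
        name="Internet connectivity",
        ratings={"confidentiality": (4, 5), "availability": (3, 4), "integrity": (3, 4)},
        reliance=0.9,   # processes run over the Internet (e.g., an ASP)
    ),
    "usb_drive": AuditObject(
        name="USB drive",
        ratings={"confidentiality": (4, 5), "availability": (1, 1), "integrity": (1, 3)},
        reliance=0.1,   # few processes depend on USB drives
    ),
}

if __name__ == "__main__":
    for key, obj in SAMPLE_OBJECTS.items():
        print(obj.name, "-> examine first:", highest_risk_dimension(obj))
        for dim, row in assess(obj).items():
            print(f"  {dim:16} score={row['score']:5} {row['rating']:6} "
                  f"controls_needed={row['controls_needed']}")
```

Running the script prints one row per dimension for each object; with these constructed scores, both objects rate confidentiality high, while the USB drive's availability row is flagged as not needing controls, matching the article's qualitative conclusion. Replacing the bands and threshold with the entity's own risk appetite is the auditor's judgement call, not something the model supplies.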
In conclusion, IT auditors can take advantage of the infosec triangle model when conducting risk assessment and control evaluations from a nontechnical perspective. Because of the common usage of this model, it is reliable. Also, the results will be compatible with much of the infosec literature and professional activities.
Endnotes
1 Harrison, Reed; "The 10 Most Important Things an IT Person Must Understand About Security Across the Enterprise," Information Systems Control Journal, vol. 3, 2005
2 Etges, Rafael; Karen McNeil; "Understanding Data Classification Based on Business and Security Requirements," Information Systems Control Journal, vol. 5, 2006
3 The book was published in 2005 by Auerbach (CRC Press), and is available from the ISACA Bookstore.
4 Ungerman, Mark; "Creating and Enforcing an Effective Security Policy," Information Systems Control Journal, vol. 6, 2005, www.isaca.org/jonline
5 Op. cit., Harrison
6 Op. cit., Etges
7 Op. cit., Ungerman
8 Op. cit., Etges
Tommie W. Singleton, Ph.D., CISA, CMA, CPA, CITP
is an assistant professor of information systems at the University of Alabama at Birmingham (USA), Marshall IS Scholar, and director of the Forensic Accounting Program. Prior to obtaining his doctorate in accountancy from the University of Mississippi (USA) in 1995, Singleton was president of a small, value-added dealer of accounting information systems using microcomputers. In 1999, the Alabama Society of CPAs awarded Singleton the 1998-1999 Innovative User of Technology Award. Singleton is the ISACA academic advocate at the University of Alabama at Birmingham. His publications on fraud, IT/IS, IT auditing and IT governance have appeared in numerous journals, including the Information Systems Control Journal.
Information Systems Control Journal, formerly the IS Audit & Control Journal, is published by the ISACA. Membership in the association, a voluntary organization of persons interested in information systems (IS) auditing, control and security, entitles one to receive an annual subscription to the Information Systems Control Journal.
Opinions expressed in the Information Systems Control Journal represent the views of the authors and advertisers. They may differ from policies and official statements of the Information Systems Audit and Control Association and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors' employers, or the editors of this Journal. Information Systems Control Journal does not attest to the originality of authors' content.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, Mass. 01970, to photocopy articles owned by the Information Systems Audit and Control Association Inc., for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.