Hui Lin, Ph.D., Meghann Abell Cefaratti, Ph.D. and Linda Wallace, Ph.D.
According to the American Institute of Certified Public Accountants (AICPA)’s 19th Annual Top Technology Initiatives survey conducted in 2009, information security management is the most important initiative affecting IT strategy, investment and implementation in business organizations. In light of the fraudulent accounting practices that transpired in the US in the last decade, organizations have recognized the lack of effective information security management as a contributing factor. Information security governance has become a critical concern across all levels of an enterprise because system vulnerability continues to be a pressing risk for organizations, and new threats emerge constantly.
Organizations often rely on enforcing information security policies and implementing controls to safeguard their physical and information assets. The adoption and application of a security framework plays a significant role in information security management. Among the various security frameworks available, ISO 27002 (Information technology—Security techniques—Code of practice for information security management) is an international standard from the International Organization for Standardization that establishes guiding principles and benchmarks for creating, implementing and sustaining information security management in an organization. ISO 27002 contains a list of control objectives and specific controls that organizations around the world use as practical guidelines to manage information security. The edition in force at the time of this survey, ISO/IEC 27002:2005, groups its controls into 11 areas: security policy management, corporate security management, organizational asset management, human resources security management, physical and environmental security management, communications and operations management, information access control management, information systems security management, information security incident management, business continuity management, and compliance. (Later editions of the standard regroup these areas and renumber the controls, so readers mapping this article's results onto a current edition should expect the groupings, not just the numbers, to differ.)
Among the various organizational, technological and operational controls outlined in ISO 27002, what security controls are the most commonly implemented? What controls may have been overlooked or deemed less critical? With these questions in mind, this article’s authors surveyed IT auditors to understand the current state of information security controls in organizations. IT auditors were chosen because they are trained to evaluate an organization’s information systems control design and effectiveness, and because they must regularly assess information security controls. Therefore, they are knowledgeable candidates for answering questions regarding an organization’s ability to protect its information assets and properly dispense information to authorized users.
With support from ISACA® and The Institute of Internal Auditors (The IIA), the authors surveyed IT auditors to find out which information security controls their organizations use. The survey measured the prevalence of 107 information security controls outlined in the ISO 27002 framework. For each control, participants rated their agreement with the statement that their organization uses IT to support the control on a five-point scale from 1 (strongly disagree) to 5 (strongly agree); they could instead answer "not sure" or "not applicable" when they did not know whether the control was in place or considered it irrelevant to their organization.
Survey responses were collected from 154 IT auditors. More than 60 percent of the respondents were between 31 and 50 years old. Approximately half of the participants had been with their current employer between three and 10 years. Survey participants also had a wide range of experience levels in IT audit: 20 percent were staff auditors, 32 percent were senior IT auditors, 38 percent were managers and senior managers, and the remaining 10 percent were IT audit directors. The majority of the respondents (81 percent) held a Certified Information Systems Auditor® (CISA®) certification. Because the majority of the respondents were members of The IIA, the authors did not differentiate between infrastructure and application IT auditors who participated in this study. This is recognized as a limitation, and the conclusions drawn are based on the views of both types of auditors.
The results of this survey provide an informative picture of the current use of information security controls. Figure 1 presents the 15 most frequently implemented security controls. A control counts as "frequent" when participants "agreed" or "strongly agreed" (i.e., rated the control as a 4 or a 5 on the scale) that their organizations used it. Many of the controls listed in figure 1 fall under the communications and operations management and information access control management sections of ISO 27002. "Authenticate remote users accessing the network" was ranked the highest by the survey participants. Operational controls such as backup procedures and maintaining network security were among the top five most frequently implemented controls. In addition, the results indicate the prevalence of antivirus software in organizations: antivirus controls appear twice in the top 15.
Figure 2 lists the 15 least frequently implemented information security controls, i.e., those for which the participating IT auditors most often "disagreed" or "strongly disagreed" (rated the control as a 1 or a 2 on the scale) with the statement that their organizations had implemented the control. Half of the controls in figure 2 belong to the physical and environmental security section of ISO 27002. Note that the survey asked specifically whether IT is used to support each control, so an organization may protect its premises and equipment by non-IT means (guards, locks, manual inspection) and still appear in this list. In addition, organizations seem to lack IT controls against unauthorized installation of information and software.
Figure 3 presents the controls for which the respondents most frequently answered "not sure," meaning that the participants did not know whether their organizations currently implemented the control. The two controls with the most "not sure" responses relate to routing controls and automatic terminal identification. This finding is notable because it suggests that IT auditors may not know the specifics of their organizations' network access controls. Network access controls matter because they govern which connections are permitted and how information flows between network segments, which limits the opportunity for an unauthorized network access. If IT auditors are not certain whether these controls are in place, organizations should increase awareness of controls in this area.
Figure 4 presents the controls most frequently identified by the participants as "not applicable," the response used when a control was not relevant or pertinent to a participant's organization. The two controls with the most frequent "not applicable" responses relate to third-party security compliance and e-commerce security. This may be because those participants' organizations do not work with third parties or engage in e-commerce transactions. However, even the two most frequently "not applicable" controls were selected only 12 times out of 154 responses, which suggests that respondents considered nearly every surveyed control relevant to their organizations.
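The tabulation behind figures 1 through 4 is straightforward but worth making explicit, because "not sure" and "not applicable" are not points on the five-point scale and must be counted separately rather than treated as low ratings. The following is an added example, written for this page rather than taken from the authors' study: it tallies a small constructed set of responses (the control names and answers are invented for illustration, not survey data) into the four counts the article ranks on, and adds one extension the article does not report, an agreement rate computed only over respondents who gave a scale answer.

```python
"""Tally Likert-scale responses on ISO 27002 controls the way the article ranks them.

Added example, not code from the article. The scale follows the article:
1 (strongly disagree) .. 5 (strongly agree); "NS" = not sure, "NA" = not applicable.
All control names and responses below are constructed for illustration.
"""
from collections import Counter, defaultdict

AGREE = {4, 5}        # "agreed" / "strongly agreed" -> counted toward figure 1
DISAGREE = {1, 2}     # "disagreed" / "strongly disagreed" -> figure 2
NOT_SURE = "NS"       # figure 3
NOT_APPLICABLE = "NA" # figure 4

# Hypothetical control names (paraphrased ISO 27002 wording, not the survey's list).
AUTH_REMOTE = "Authenticate remote users accessing the network"
BACKUP = "Back up information and software"
EQUIPMENT = "Protect equipment against physical threats"
ROUTING = "Apply routing controls on networks"
ECOMMERCE = "Secure e-commerce transactions"

# Constructed responses: one dict per respondent, control -> answer.
SAMPLE_RESPONSES = [
    {AUTH_REMOTE: 5, BACKUP: 4, EQUIPMENT: 2, ROUTING: "NS", ECOMMERCE: "NA"},
    {AUTH_REMOTE: 5, BACKUP: 5, EQUIPMENT: 1, ROUTING: "NS", ECOMMERCE: 3},
    {AUTH_REMOTE: 4, BACKUP: 3, EQUIPMENT: 2, ROUTING: 4, ECOMMERCE: "NA"},
    {AUTH_REMOTE: 5, BACKUP: 4, EQUIPMENT: 3, ROUTING: "NS", ECOMMERCE: "NS"},
    {AUTH_REMOTE: 3, BACKUP: 5, EQUIPMENT: "NA", ROUTING: 2, ECOMMERCE: "NA"},
]


def validate(answer):
    """Accept only 1..5, "NS" or "NA"; reject anything else (including booleans)."""
    if answer in (NOT_SURE, NOT_APPLICABLE):
        return answer
    if isinstance(answer, int) and not isinstance(answer, bool) and 1 <= answer <= 5:
        return answer
    raise ValueError(f"invalid survey answer: {answer!r}")


def tally(responses):
    """Return {control: Counter} with keys n, agree, neutral, disagree, not_sure, not_applicable."""
    counts = defaultdict(Counter)
    for respondent in responses:
        for control, answer in respondent.items():
            answer = validate(answer)
            c = counts[control]
            c["n"] += 1
            if answer == NOT_SURE:
                c["not_sure"] += 1
            elif answer == NOT_APPLICABLE:
                c["not_applicable"] += 1
            elif answer in AGREE:
                c["agree"] += 1
            elif answer in DISAGREE:
                c["disagree"] += 1
            else:
                c["neutral"] += 1  # the midpoint (3) counts toward neither figure
    return counts


def rank(counts, key, top=15):
    """Controls with a non-zero count for `key`, ordered by descending count, then name."""
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1][key], kv[0]))
    return [(name, c[key]) for name, c in ordered if c[key] > 0][:top]


def applicable_agreement(c):
    """Share of scale answers that agreed; None when nobody gave a scale answer."""
    scale_answers = c["n"] - c["not_sure"] - c["not_applicable"]
    if scale_answers == 0:
        return None
    return c["agree"] / scale_answers


if __name__ == "__main__":
    counts = tally(SAMPLE_RESPONSES)
    for label, key in (("Most implemented", "agree"), ("Least implemented", "disagree"),
                       ("Not sure", "not_sure"), ("Not applicable", "not_applicable")):
        print(f"{label}: {rank(counts, key)}")
    for name, c in counts.items():
        print(f"{name}: agreement among scale answers = {applicable_agreement(c)}")
```

Ranking on raw counts of 4/5 answers, as the article does, penalizes controls that drew many "not sure" answers; the agreement-rate helper shows the alternative reading, where a control like routing in the sample data is agreed on by half of those who actually knew.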
Knowing which information security controls organizations actually implement allows a more informed attempt to establish guidelines for companies striving to manage information security effectively. The most frequently implemented controls confirm the prevalence of security controls in organizations and offer a reference point for organizations seeking to take a best-practices approach. Most of the most-implemented controls concern the technological components of an organization's information systems: system design, hardware and software. IT auditors agree that their organizations authenticate users and computers, enforce access controls on both, and protect the integrity of data transmitted over networks.
The majority of the least-implemented controls are operational controls and environmental and physical protection of organizational assets. Controls such as equipment protection and building protection are more neglected than technological controls. Organizations may therefore wish to focus more closely on physical security, since unauthorized access to premises and facilities can cause serious damage and bypasses many technical controls outright. The least frequently implemented controls also point to the areas organizations may need to attend to in order to meet compliance requirements. Further, companies may explore opportunities to use IT to support the least frequently implemented controls, as these controls may present an opportunity to increase the efficiency and effectiveness of the existing control environment.
While the survey results illuminate how widely ISO 27002 controls are implemented in organizations, organizations may choose to implement controls based on other information security and IT governance frameworks. With multiple such frameworks available (e.g., ISO 27002, SysTrust, COBIT), their focus, depth and scope vary considerably. Organizations may consider adopting and integrating multiple frameworks to safeguard financial reporting and information assets. Additionally, organizations need to track updates and changes to the frameworks they adopt and apply them consistently for optimal results. Publicly traded companies that must comply with the US Sarbanes-Oxley Act may also benefit from adopting an information security framework, because the act's requirements for internal control over financial reporting and for record retention depend on information security controls that protect the company's information assets.
Information security controls are an important component of an organization’s internal control structure. Safeguarding and monitoring a company’s data and information assets are essential parts of information security controls. Organizations continue to improve internal control systems and security management, and the survey results provide a picture of the current practice in implementing information security controls. The authors hope the results can shed light on the extent to which organizations do and do not implement information security controls, and that this will, in turn, help organizations develop strategies to improve information security governance.
Hui Lin, Ph.D. is an assistant professor of accounting and information systems (IS) in the School of Accountancy and Management Information Systems (MIS) at DePaul University (Chicago, Illinois). Previously, she was a business consultant specializing in enterprise solutions and enterprise resource planning (ERP) implementations.
Meghann Abell Cefaratti, Ph.D. is an assistant professor of accounting in the Department of Accountancy at Northern Illinois University (USA). Previously, she was a tax associate with PricewaterhouseCoopers and an auditor with the Air Force Audit Agency.
Linda Wallace, Ph.D. is an associate professor in the Department of Accounting and Information Systems at Virginia Polytechnic Institute and State University (Virginia Tech) (USA). Her research interests include software project risk, information security, knowledge communities and agile software development.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute® and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2011 ISACA. All rights reserved.