Most of us have heard the phrase “What you don’t know can’t hurt you.” While this may hold true for some circumstances, in the case of an audit, the opposite is true.
A large part of an auditor’s job is to discover and know about exposures and gaps that could hurt the organizations for which they work. An auditor’s remit includes finding, analyzing and documenting an ever-increasing list of things that organizations don’t know about but have the potential to cause damage.
This task can be harder than it sounds, particularly when it comes to an organization’s use of technology. Why? One reason is that auditors need to be alert to the specific risks, threats, issues and other problem areas that can arise related to the specific technologies in use. One area that is particularly challenging is the assessment of cryptographic systems: modules, software, and application components that employ cryptography, and the use of cryptography generally throughout the organization.
Several factors make assessing cryptographic systems more difficult than assessing other technologies. First, cryptography is ubiquitous: almost every organization (whether or not it realizes it) relies on it extensively, securing everything from data in transit to employee remote access. Cryptography is used to authenticate users and systems, to protect stored data, and to prove the integrity of that stored data. But despite its ubiquity, it is a little like the plumbing in our homes: there when we need it, but not something we stop to think about unless something goes terribly, terribly wrong.
Second, cryptographic assessment is not a skill set in which all auditors have extensive experience. Many seasoned auditors know the fundamentals of how cryptography works, but the deeper material, i.e., the mathematics underpinning its operation and the engineering involved in authoring a library, toolkit, or component, is not generally at the top of an auditor’s tool box.
Because many auditors are not deep crypto experts and there are few general assessment guides for auditing these systems, cryptographic assessment may get short shrift during audits. This is a genuine security concern, because cryptography that is poorly implemented, misused, broken, insufficient for its purpose, or otherwise operationally deficient can represent significant risk to an organization.
Now, this doesn’t mean that every auditor needs to be the next Alan Turing, just as they don’t need to be Brian Kernighan to assess a business application written in C! But many could benefit from a guide that explains the basics of cryptographic system assessment and helps them find and identify potential risk areas: for example, implementation issues, departures from established best practices, and known weak configurations.
To help address this, ISACA has authored Assessing Cryptographic Systems. This free resource provides information to the IT audit community about commonly occurring issues in cryptographic systems as well as one possible methodology to assess the use of cryptography in an organization. As a companion piece, ISACA released a sample security policy, “Sample Policy on the Use of Cryptographic Controls,” that can be adapted by an organization to supplement or refine its existing policy on this important topic.
Please take a look at these resources, and let us know if they helped you with your audit work by leaving a comment on this post.