A Practical Guide to Security Assessments
Although security assessments are not exactly the same as internal audit, many similarities exist — with the main similarity being evaluating systems from an internal control/security perspective. Each of these processes examines how systems function within an organization and whether or not the organization is secure. This includes reviewing the critical data transacted by the various systems and its dependencies from both the process and technology perspectives.
The differences between security assessments and IT audits are really quite subtle. Essentially, the focus of an IT audit is broader. In a security assessment, the process is very focused around the security aspects of information, such as storage, transmission, and access. In an IT audit, the focus also includes ensuring that systems function as intended from a business perspective. This clearly goes beyond the realm of information security.
Today, traditional operational auditors must be more knowledgeable about technology and system-related controls, as most mission-critical business processes are dependent on technology. As a result, IT auditors are an integral part of the process of securing information assets. Similar to what internal auditors have been doing for years — providing an independent opinion of the quality of internal controls around business processes — IT auditors now provide that same independent view of technology and associated controls. The overlap between IT audit and security assessments can be seen with internal controls related to technology — access control, configurations of systems, etc., which are critical to the confidentiality, integrity, and availability of information.
Besides the increased use of technology, laws are also raising the stature of IT auditors. “While heightened concerns over security and terrorism accounts for some of IT auditor’s new sheen, there’s also another reason: the freshly minted law known as the Sarbanes–Oxley Act puts more pressure on upper management to vouch for ‘internal controls,’ with specific sections related to information auditing.”6
The other key aspects of internal auditors are their independence and their reporting structure. From an organizational perspective, internal audit is separate and has limited ties to any operational unit of a company. Internal auditors have access to senior management and often report directly to the board of directors. From a security perspective, as security assessments are incorporated into audits, internal audit departments can provide independent judgment and help drive security initiatives.
From an evolutionary perspective, internal audit continues to give legitimacy to the information security discipline as it becomes integrated into the function of internal audit. The dependence on technology and laws such as the Sarbanes–Oxley Act, HIPAA, and GLBA are expediting this process.
SECURITY STANDARDS
One of the driving forces behind information security has been the proliferation of different information security standards (key standards will be discussed in detail in Chapter 9). Similar to other competencies, companies are looking for guidance as it relates to information security both at an operational level and from an assessment perspective. For example, from an assessment perspective, the accounting
AU1706_book.fm Page 16 Tuesday, August 17, 2004 11:02 AM