What Is the Difference Between Information System and Information Security Compliance?

The Institute of Internal Auditors (IIA) is considered the gold standard for establishing professional practices guidance for auditors. The IIA defines an internal audit as “an independent, objective assurance and consulting activity designed to add value and improve an organization's operations.” In the context of auditing the IT infrastructure, this can be thought of as providing reasonable assurance to management that the IT controls are complete and working effectively.

The terms assurance and consulting are used in the IIA definition. Assurance is a traditional term often used to describe a very formal audit.

An assurance audit will typically examine controls that have been deployed to assess their completeness and effectiveness. The results of an assurance audit are typically delivered in a report format with a narrative of any findings and an overall rating. The rating scale and verbiage can vary dramatically across industries and companies. Assurance audits can be challenging. While not the intent, an audit report rating is often viewed as a test grade at a university, i.e., did I get an “A” or “F” or something in between. Audits are therefore not always welcomed by the individuals being audited, who often view an audit as grading their work. Senior management, on the other hand, welcomes audits as a way of gaining independent insights to improve their internal controls.

The IIA recognized that management not only wants to learn the internal auditor’s opinion on existing controls but also wants to get advice on emerging topics and initiatives. Thus was born the concept of audit consulting. The term consulting in recent years has been replaced in many organizations with the term advisory. We will use the term advisory assessments to reflect this less formal advice provided to management.

An advisory assessment by an auditor is less formal than an assurance audit. An advisory assessment may or may not result in a report being produced. Advisory assessment results can be delivered in any format mutually agreed upon with management, such as verbal, memorandum, or a report. An advisory assessment typically has no rating. The real distinction from an assurance audit is that an advisory assessment typically deals with emerging risks or future initiatives. Consequently, there are no controls to test or assess. Advisory assessments tend to focus on the completeness of designs and management plans. It is an opportunity for the auditor to add value by raising the quality of the conversation on risks that may not have been fully considered.

Difference Between Information System and Information Security

Information technology (IT) infrastructure is typically defined as everything needed to operate and manage the IT environment. It is simply all installed technologies, including all hardware, software, network devices, storage, cables, printers, monitors, and the like. Typically, a series of smaller, more manageable audits or assessments is performed, each examining a different aspect of the IT infrastructure. For example, one audit may examine the physical security of the data center that houses the server hardware. Another audit may examine how servers are configured. Yet another may look at specific cybersecurity threats to ensure the readiness of the IT infrastructure to defend against certain attack vectors.

There are subtle differences between information systems and information security terms. Consider the following:

  • Information systems typically refer to the IT infrastructure components (hardware and software) that collect, store, and process data.

  • Information security can refer to the protection against unauthorized access to the IT infrastructure components during the collection, storage, and processing of data.

In both cases, there is a significant overlap. Most notably, how information systems are configured directly impacts how the data are processed and protected. Consequently, many IT infrastructure audits are in essence cybersecurity audits and vice versa.

On occasion, auditors will need to recognize the subtle differences between information systems and information security findings during an audit. For example, suppose an application that analyzes a customer’s financial records takes hours to run because the servers have a minimal amount of memory, yet the company’s competitors can produce a similar report in minutes. Assume both systems are appropriately secure. An audit may raise an information systems finding but not an information security finding, i.e., the lack of server memory impacts the company's competitiveness but does not put the customer data at risk.

Auditing Information Security

IT security is typically part of a larger security program within an organization. Specifically, an IT security assessment is a key activity that involves the management of risk—an uncertainty that might lead to a loss. Information systems provide numerous benefits and efficiencies within organizations. However, these benefits come with risks. A risk-based approach to managing information security involves the following:

  • Identifying and categorizing the information and the information systems

  • Selecting and implementing appropriate security controls—actions or changes to be applied to systems to reduce weaknesses or potential losses

  • Assessing the controls for effectiveness

  • Authorizing the systems by accepting the risk based upon the selected security controls

  • Monitoring the security controls on a continual basis

This approach is a continual cycle as organizations evolve and as activities such as assessments and monitoring reveal gaps and ineffective controls relevant to requirements and acceptable levels of risk.

The benefits provided to organizations as a result of information technology involve complex systems and processes. These systems not only benefit organizations, but they have also become critical components to the success of the organization. As a result, the continued and secured operation of these systems contributes largely to that success.

To understand their effectiveness, organizations must assess security controls. Security controls include the physical, procedural, and technical mechanisms to safeguard systems. First, are the controls appropriately designed and implemented? Second, are they functioning as expected? If so, are they operating effectively to produce the required results? Third, do they align with the organization's policy?

You should not use a security assessment simply as a method for proving the strength of system security or as a reason to immediately provide greater security. Rather, a security assessment should produce information required to do the following:

  • Identify weaknesses within the controls implemented on information systems

  • Confirm that previously identified weaknesses have been remediated or mitigated

  • Prioritize further decisions to mitigate risks

  • Provide assurance, a level of confidence that effective controls are in place and that associated risks are accepted and authorized

  • Provide support and planning for future budgetary requirements

The personnel who conduct security assessments can be internal or external to an organization. While the procedures for assessments may vary widely by organization, the National Institute of Standards and Technology (NIST), the technology agency of the U.S. Department of Commerce, provides a framework for effective security assessment plans in NIST Special Publication 800-53 (NIST 2013). This publication defines a recommended assessment procedure, which includes a set of assessment objectives, or goals. Each objective has a set of assessment methods, including examination, interview, and test, and each objective has a set of assessment objects, including specification, mechanism, activity, and individual.

An assessment objective includes one or more statements that are directly related to a corresponding control to determine the validity and effectiveness of the control. For example, consider a common control that most users of computer systems have experienced: being locked out of an information system or application after too many unsuccessful logon attempts. The following illustrates the relationship between the control and the assessment objectives, methods, and objects.

Unsuccessful Logon Attempts

Control: The system enforces a limit of four consecutive invalid access attempts on the same username within a period of 15 minutes. The system automatically locks the account for 30 minutes. Subsequently, four more consecutive invalid access attempts within 15 minutes lock the account indefinitely, which requires manual intervention by the system administrator.

Assessment objectives:

  • Determine if the system enforces the defined threshold of consecutive invalid access attempts

  • Determine if the system enforces the delayed logon after the initial account lock

  • Determine if the system enforces the defined threshold for locking the account indefinitely

Assessment methods and objects:

  • Examine access control policy statement and procedures addressing failed logon attempts

  • Examine associated information system documentation and configuration settings

  • Examine associated information system log records

  • Test the automated mechanism implementing the access control policy for failed logon attempts
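To make the control and its assessment objectives concrete, here is an added example (not from the chapter) in Python: a model of the lockout mechanism as the control statement describes it, plus a harness that exercises the three assessment objectives against it, i.e., the “Test” method applied to the automated mechanism. The class and function names, the simulated timestamps, and two points the control statement leaves open (attempts made while an account is locked are rejected without being counted, and a successful logon resets both the consecutive-failure count and the escalation state) are assumptions of this example.

```python
"""Model of the 'Unsuccessful Logon Attempts' control plus a harness for
its three assessment objectives. Timestamps are simulated seconds."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Parameters taken from the control statement.
THRESHOLD = 4                # consecutive invalid attempts
WINDOW_SECONDS = 15 * 60     # counted within a 15-minute period
TEMP_LOCK_SECONDS = 30 * 60  # first lock lasts 30 minutes
MIN = 60


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # times of consecutive failures
    lock_until: Optional[float] = None  # end of the temporary lock, if any
    prior_locks: int = 0                # temporary locks already applied
    locked_indefinitely: bool = False   # cleared only by an administrator


class LockoutPolicy:
    """Enforces the control. Time is passed in so intervals can be simulated."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS, temp_lock=TEMP_LOCK_SECONDS):
        self.threshold, self.window, self.temp_lock = threshold, window, temp_lock
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, username: str, credential_valid: bool, now: float) -> str:
        st = self.accounts.setdefault(username, AccountState())
        if st.locked_indefinitely:
            return "locked_indefinitely"
        if st.lock_until is not None:
            if now < st.lock_until:
                # Assumption: attempts during a lock are rejected and not counted.
                return "locked_temporarily"
            st.lock_until = None  # lock expired; prior_locks is kept so escalation applies
        if credential_valid:
            # Assumption: a successful logon resets the count and the escalation state.
            self.accounts[username] = AccountState()
            return "success"
        # Keep only failures inside the sliding 15-minute window, then record this one.
        st.failures = [t for t in st.failures if now - t <= self.window]
        st.failures.append(now)
        if len(st.failures) < self.threshold:
            return "failure"
        st.failures.clear()
        if st.prior_locks >= 1:       # second threshold breach: indefinite lock
            st.locked_indefinitely = True
            return "locked_indefinitely"
        st.prior_locks += 1           # first threshold breach: 30-minute lock
        st.lock_until = now + self.temp_lock
        return "locked_temporarily"

    def admin_unlock(self, username: str) -> None:
        """Manual intervention by the system administrator."""
        self.accounts[username] = AccountState()


def assess_threshold(policy_factory) -> bool:
    """Objective 1: the 4th consecutive failure within 15 minutes locks the
    account, while 4 failures spread beyond the window do not."""
    inside = LockoutPolicy() if False else policy_factory()
    close = [inside.attempt("alice", False, t * MIN) for t in (0, 1, 2, 3)]
    spread = [policy_factory().attempt("bob", False, t * MIN) for t in (0,)]  # placeholder
    p2 = policy_factory()
    spread = [p2.attempt("bob", False, t * MIN) for t in (0, 10, 20, 30)]
    return close == ["failure"] * 3 + ["locked_temporarily"] and spread == ["failure"] * 4


def assess_delayed_logon(policy_factory) -> bool:
    """Objective 2: valid credentials are refused for 30 minutes after the lock."""
    p = policy_factory()
    for t in (0, 1, 2, 3):
        p.attempt("alice", False, t * MIN)            # locked at minute 3, until minute 33
    during = p.attempt("alice", True, 20 * MIN)
    after = p.attempt("alice", True, 33 * MIN)
    return during == "locked_temporarily" and after == "success"


def assess_indefinite_lock(policy_factory) -> bool:
    """Objective 3: four more failures after the first lock expires lock the
    account indefinitely, until an administrator intervenes."""
    p = policy_factory()
    for t in (0, 1, 2, 3):
        p.attempt("alice", False, t * MIN)            # first lock: minute 3 to 33
    second = [p.attempt("alice", False, t * MIN) for t in (34, 35, 36, 37)]
    still_locked = p.attempt("alice", True, 120 * MIN)  # valid password, two hours later
    p.admin_unlock("alice")
    recovered = p.attempt("alice", True, 121 * MIN)
    return (second == ["failure"] * 3 + ["locked_indefinitely"]
            and still_locked == "locked_indefinitely" and recovered == "success")


def run_assessment(policy_factory=LockoutPolicy) -> Dict[str, bool]:
    """One result per assessment objective; False marks a finding."""
    return {"threshold_enforced": assess_threshold(policy_factory),
            "delayed_logon_enforced": assess_delayed_logon(policy_factory),
            "indefinite_lock_enforced": assess_indefinite_lock(policy_factory)}


if __name__ == "__main__":
    for objective, passed in run_assessment().items():
        print(f"{objective}: {'PASS' if passed else 'FAIL'}")
```

The `policy_factory` parameter is the point of the harness: an assessor would pass a thin wrapper around the real authentication mechanism exposing the same `attempt` interface, and the three functions become the “Test” step for the automated mechanism. The “Examine” items in the list above (policy statement, configuration settings, log records) remain document review and are not replaced by the test.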

Methods for Conducting a Security Control Assessment

You can use several methods to conduct an assessment of security controls:

  • Examination—Verify, inspect, or review associated assessment objects to understand or obtain evidence to support the existence and effectiveness of the security control. Examples include reviewing security policies and procedures and observing physical security mechanisms.

  • Interview—Discuss associated assessment objects with groups or individuals to understand or obtain evidence to support the existence and effectiveness of the security control. Interviews can include senior officials, information system owners, security officers, information system operators, and network administrators.

  • Test—Put associated assessment objects under specific conditions to compare actual behavior with what is expected to obtain evidence to support the existence and effectiveness of the security control. Objects can include hardware or software mechanisms or system operations or administration activities. Examples include testing actual security configuration settings and conducting penetration tests.

Assessment objectives should be part of your organization’s IT security assessment plan. After executing the plan, you can create a report. The IT security assessment report documents the findings of the assessment and provides the information necessary to determine the effectiveness of the controls. Senior management uses the report to provide assurance that risks are appropriate to the goals of the organization and to help create, if necessary, another document for an action plan based on the results of the assessment.

Not all IT security assessments need to be comprehensive to cover all security controls or even all information systems. In fact, security assessments are often performed partially across controls and information systems. Although this chapter has laid out a best-practice framework for a comprehensive IT security assessment, security assessments vary in scope, depth, and breadth. The following is a list of some sample audits you might encounter:

  • Network security architecture

  • Security policies, procedures, and practices

  • Vulnerability scanning and testing

  • Physical security

  • Security risk

  • Social engineering

  • Application

  • Access management

Another common type of assessment, and one that seems to be more popularized in the media, is a penetration test. A penetration test is an assessment method that attempts to bypass controls and gain access to a specific system by simulating the actions of a would-be attacker. However, penetration tests operate under specific constraints and rules of engagement, so they simulate the process a real adversary may take while avoiding any business disruptions or outages.

As a result, a penetration test is not necessarily the best means by which to judge the security of an information system. The test helps an organization understand its systems and gain insight into the level of effort an attacker might need to go through to penetrate the system. Penetration tests often reveal weaknesses or easily exploited vulnerabilities within a system. It is not uncommon for penetration tests to be a catalyst for selling management on the need to invest more money and/or effort in information security.
