CHAPTER 11: JUNE: WHAT THE AUDITORS SHOULDN’T KNOW …

Internal audit has history

The relationship with internal audit can often be fractious, but at the outset of this book, the intention was to portray information security in a positive light. Befriending internal audit is very much part of the experience, because you can so often find that any changes you need to implement have already been identified, long ago and many times over, in previous audit reports.

In the case of the organisation at the heart of many of these experiences, it had been subject to ‘special measures’ and was fraught with political infighting. This had a highly detrimental impact on the ability of the organisation to run effectively and efficiently. Whilst it may feel that this is straying beyond the bounds of a typical ISM role, it is vital to understand the landscape within which you are forced to operate. You can then continue to make the necessary progress, in spite of all that is going on around you, particularly when working within the public sector. There is always a ‘bigger picture’, and an historical context and landscape to be considered and not lost sight of, whilst in the eddies of internal political wrangling.

The chronology in Table 7 is designed to show how much history there can be in your organisation if you look for it, and an understanding of the time line in which you are working can be most useful.

Table 7: Organisation’s history (date: description, followed by comments)

May 1997: Finance and general purposes subcommittee paper entitled ‘Information technology – contingency planning and disaster recovery’
‘… planning to introduce best-practice notes during the course of 1997/1998 to aid departments to consider the issues involved.’ None have been specifically evidenced.
Sadly, the hard copy available states ‘never sent’ at the top.

Jun 1997: District audit network risk assessment sent to a senior manager
A strategic review was ongoing at the time – something the public sector suffers from a lot. (Spin ahead 12.5 years and very little had changed, sadly.)
Issues identified:
• Lack of a defined and tested DR plan
• Lack of security, fault and performance management on the network
• Lack of standards, procedures and guidance for everyone to follow
ICT audit states that ‘activities of the risk assessment are a cause of concern’.

Oct 1999: External risk management review of computer systems conducted
Referenced issues with backup, disaster recovery and implementation of risk management cases for all new systems.

Jun 2000: Qualified external auditor letter confirming the costs for assessment of the organisation against BS7799-1:1999
Clearly the organisation had been considering certification to the then British Standard for Information Security Management Systems, BS7799 (now an international standard, ISO27001).

Nov 2002: BS7799 registration project
Over two years later, a BS7799 project initiation document (PID) was created, but nothing concrete appeared to happen to this project in the intervening years.

Nov 2002: Policies and principles manual includes information security
Version 2, based on BS7799-2:2002 and following its structure in its entirety, but not implemented.

Nov 2002: Detailed application risk analysis
Process and template prepared – not completed, embedded or shared.

Nov 2002: Homeworking detailed risk analysis v1
Document completed, but there is no evidence that the actions were followed up.

2003: External information security course provision reviewed
Presumably with a view to it being embedded and available within ICT and beyond – it included discussion/education about information classification.

Jun 2003: Data risk analysis v1
The ISM was owner of the risk management process – but it hasn’t been used, completed or apparently shared.

Jun 2003: Detailed BS7799 action plan
Document incomplete. If this had all been followed up and completed, the whole information security improvement programme and compliance efforts would have been a breeze – instant responses would have been available and the BS7799 certification would have been evidence enough to pass external audit requirements.

Jun 2003: Information security action plan
This covered all expected aspects including InfoSec policy and infrastructure, but the personnel and InfoSec awareness sheets sadly were blank, empty of any tasks.
The content relied heavily on resources provided by external consultancy services to assist in the completion of the tasks. Effort and expense were, therefore, in evidence as having been spent at the time.

Jul 2003: Asset inventory and risk assessment done
A comprehensive risk analysis was carried out on the IT asset inventory – external consultancy support was utilised.

Aug 2003: Corporate business continuity planning introduced
External support was offered to workshop with ICT to develop the appropriate service level BCP. BCP guidance notes were prepared (dated June 2003).

Feb 2005: Information assurance CD received from UK government technical authority provider
This was part of an effort to extend advice given to central government to provide benefit to the wider public sector. The resource should have proved invaluable to the organisation as it contained policy documents and good practice guides (GPGs) which, if utilised and implemented, would have provided an appropriate framework of security control across information assets.

Oct 2005: Second edition of Information Assurance Guidance for the Wider Public Sector CD received from UK government technical authority provider
This CD includes IS2 – a tool providing policy and guidance on the risk management and accreditation of information systems. Again, the aim in providing this resource was to ensure that organisations were aware of security and connectivity requirements and expectations.

Feb 2007: ISO27001 audit report (internal)
An audit was carried out in Dec 2006, reflecting that in 2004 significant progress needed to be made and a previous audit was, thus, abandoned. So the work commenced in 2003 clearly went nowhere, sadly, and in reality no progress has been made since. It was disappointing to read the audit report stating that progress and likelihood of achieving the standard was ‘adequate’, when a current, up-to-date copy of the standard was not available at the time.

Apr 2008: Letter to all chief executives from an external third-party secure network provider
This was signed by all the relevant connectivity strategic partners – requesting that chief executives champion their authorities’ early adoption of the intended new secure network.

Apr 2008: Secure network provider letter
The secure network became a cross-government programme. The connectivity was described as being a ‘key strategic enabler to improving public services for citizens and communities’.

Jun 2008: Audit of ICT network security – action plan
A senior ICT manager made a commitment that security roles were to be clarified through job descriptions in the intended new structure – with a target date of December 2008.
At this time, another key audit recommendation was to embed the following. ‘A policy on the connection of nonstandard equipment to the network should be determined following an investigation into the feasibility of a cost-effective method of locking out any non-approved equipment being undertaken.’ However, this was rejected due to the potential user disruption and amount of work likely to be generated as a result.

Jul 2008: Another letter from the secure network consortium to all senior information risk owners
This letter advised the organisation of important revisions to the data access policy. However, without a key ISM in post, it was clear that such communication was not being appropriately handled as no one really knew what to do with it.

Jul 2008: Communication from the external consortium and its government sponsor
A direct request from the government was made to the organisation, requesting it place an order for connection to the secure network.

Aug 2008: Third-party consortium letter to all senior information risk owners
This letter provided details of the exemption process for those not opting for early connection to the secure network. Sadly, the public sector way is often not to be an early adopter, in spite of the obvious writing being on the wall. The reality is usually that the longer the wait, the more expensive the implementation, as your technology and security has been left to fall behind in the intervening period of time.

Sep 2008: Senior executive management decision-making meeting
Agenda item – senior ICT managers briefed service reps on the secure network and what was involved to gain connectivity.

Sep 2008: Business case submitted
The business case (BC) outlined the 92 requirements.

Sep 2008: Letter from the organisation’s senior information risk owner to the government
Requesting an exemption from the data access policy until 30/09/09. This then left two weeks to produce a ‘code of connection’ submission return to the government, explaining what the organisation was doing to meet the 92 requirements.

Oct 2008: Third-party consortium letter to senior information risk owner
The exemption request was approved.

Nov 2008: Government department letter to local department section
This was a ‘memorandum of understanding’ of what to expect during the transition of operational processing to secure connectivity.

Dec 2008: Third-party consortium letter to senior information risk owners
Advising of file transfer arrangements, which in reality did not seem entirely secure.

Dec 2008: Externally available article on remote working
It was clear that secure connectivity mandated controls that precluded remote workers from using their own PCs at home, even when using a secure virtual desktop, thus requiring the organisation to supply all remote and homeworking staff with organisation-controlled equipment. This was an added expense and management overhead.

Jan 2009: Another government department set of guidance notes was produced and circulated
This did not arrive with the right people within the organisation until November 2009 – at which point there were only two months left before their insecure connectivity was turned off in January 2010. This was another example of a clear lack of understanding of the importance of the various missives coming out of central government relating to networks, security and connectivity. The lack of an appropriately appointed ISM left the organisation exposed to the risk of not being able to fulfil its obligations with regard to service delivery, as well as maintaining the security of its information assets.

Feb 2009: Land registry full network access agreement produced
As with the above, this arrived in the right place in November 2009 – with the old service to be turned off from January 2010. Shorter timescales to implement the required secure network connectivity risked mistakes by the project team – never a position an ISM wants to find themselves in.

Feb 2009: More guidance issued from a government department regarding one of the corporate systems
The ISM first heard about this on 15 December 2009, with a lead time of two weeks to implement by the deadline of 28 December 2009.

Apr 2009: External request for further connectivity
Another external requirement appeared that required a different service area to utilise a secure connection. This took another nine months to filter its way through to the ISM to be dealt with properly.

Jun 2009: A project team was finally pulled together internally
First meeting took place where the data access policy was discussed and the implications of the work ahead to achieve the project were appreciated.

Jun 2009: Business case submitted
Revised BC was presented to senior management requesting funding. Finally, the penny drops, resources are made available and a project is instigated that has to operate under stressful conditions due to the tight timescales afforded.

What is depicted in Table 7 is largely replicated across many organisations and should resonate with many readers. It is not uncommon for there to be many (often failed) attempts at getting the embedding of information security off the ground. Refer back to the opening gambit of this book – it is not a project … and therein lies the rub. As long as it is tackled in your organisation as such, that way ruin lies. It must be accepted as part of the fabric of the organisation. Information security management is as much a vital component as financial and people management. What the auditors know is vital in helping to paint the picture and tell the story to sell this message across the organisation.

However, when there is a significant audit finding that is made known to the appropriate governance group and the choice made is to ‘bury the bad news’, this can present the ISM with an ethical dilemma.

A laptop audit was conducted that identified results that were considered to be ‘too explosive’. After all the work that had been done on the desktop infrastructure, and after months of trying to gain some traction on the laptop estate, audit finally made an attempt to apply some metrics and measurement to this vital area. It was hard to explain away the fact that the organisation could have 1,500 laptops on its hardware asset inventory log and yet only 300 laptops connected to the network for updates, especially at a time when similar organisations were being fined for not being able to evidence appropriate controls were in place across their ‘estate’ to protect information in all its guises and in all its states.

That was until I came across an organisation that knew it had over 300,000 laptops of which:

  • 220,000 were encrypted
  • 70,000 were unaccounted for
  • 10,000 were ‘waivered’ – i.e. allowed to be outside the expected security policy process.

The number to have outside the scope of security policy requirements was significant and could not be explained away. Obviously, all things are relative and there are always issues with reporting and statistics that make a fool of those reporting them, which does none of us any favours. But this situation was made worse by the decision not to present the findings to the corporate management team for their view and guidance. There was a corporate annual audit taking place the following month and, unfortunately, there were tactics and politics at work. This meant that the decision taken was to maintain the laptop audit report as a ‘confidential draft’ for the subsequent few months, during which it would be possible to create an action plan that would evidence solutions to make the reading ultimately more palatable. Audit reports are not necessarily designed to be ‘palatable’. They are supposed to represent the facts of any situation at the time, as found, and are intended to signpost areas of action required with recommendations for appropriate routes forward.

Remember your memberships – professional bodies have resources to help you through just these kinds of scenario, so don’t be afraid to reach out, in confidence.

As previously advised, work closely with internal (and external) audit, and make sure you can help them in formulating an annual audit plan to cover the areas of highest priority when reflected across threat, vulnerability, risk assessment and business impact, etc.

Increasing and varied security incidents

As a result of having put in an appropriate information security incident reporting process, more information was now being provided to management and the perception was that information security incidents were increasing. This was obviously not the message that needed to be conveyed at a time when money was being spent on improving security! However, it is a risk of opening up the organisation to allow it to be honest about the real state of security. It is definitely a case of ‘it usually gets worse before it gets better’. Once you shine the light on a situation, you see it ‘warts and all’ and this gives you the opportunity to embed more appropriate solutions for the future to help reduce this apparent volume of incidents.

The incidents were being reported mainly because, by now, people were ringing up with their woes, as they realised that what had hitherto been their ‘normal practice’ was probably unwise. An individual called, concerned that they had no keys for their cabinets, but that their work pattern required them to often leave their desk in a hurry, leaving papers out and visible all the time. The easy solution was for them to get into the habit of putting their papers in a drawer, at least.

Laptop incidents

It transpired that a laptop provided to the organisation by external funding was obviously not needed as it was never networked and never used. The individual it was intended for used her husband’s laptop instead, as he also worked for the organisation. What would you do? For transparency, you are supposed to be able to evidence where the money went and what you did with it – obviously. But, given your programme of improvement, what you really want to do is to health-check and update the laptop, and ensure it goes to a user that needs it instead. In straitened times, there is nothing worse than having unused resources.

Some users had laptops, but were told they were not allowed to remove them from the building. However, since they were not needed inside the building, as everyone had desktops to use, they had not been on the intranet for ages and password lock-out had occurred. This was a useless situation for everyone. But it helped to highlight the cultural issue of the perception of ‘it’s my laptop’, rather than ‘it’s an organisational asset’. With the latter attitude, appropriate reallocation is a lot easier!

A user never connected their laptop to the network as they only used it at home. They transferred data to an encrypted USB from their work PC and then worked on the laptop at home. Obviously, they did not realise that this left the laptop potentially exposed, as its anti-virus was never updated and patches were never applied.

One particular team was taking photos of what they did and putting them on a laptop, which was neither password protected nor kept in a locked cupboard.

One user was transferring 16,000 records on a laptop to CDs when they were all stolen, laptop and CDs, from the user’s house. This was comparable to a similar incident at an equivalent organisation, which received a significant fine from the regulator; but in this case the user was contracted by an independent third-party provider. Who takes the hit?

Spreadsheets and attachments

Many teams still use spreadsheet and Word attachments in e-mails, as opposed to inputting data into the available corporate systems. Thus, there is a risk of data loss as these e-mails fly around, both inside the safe and secure corporate system and outside it. This is happening every day in most organisations, but it doesn’t mean that the underlying issues don’t need to be resolved. People need to be encouraged to share hyperlinks, rather than e-mailing attachments. Part of the larger task is keeping some kind of time line for the number of available corporate systems and their level of usage, compared to the level of sensitivity of the information contained therein. If data is being ‘lifted’ out in order to put it into a more usable format to suit the user, this is causing greater risk and data loss prevention mechanisms need to be considered.

Postal failures

An original agreement was sent to the wrong person, in the wrong organisation. They were asked to send it back by post, but it went missing. Now, what do you do? To whom should the breach be reported, if at all? These small incidents are occurring all the time and your radar needs to be ‘alive’ to them. Depending on the prevailing circumstances, you will be able to come up with an appropriate solution, but be prepared to be a focus for those concerned as they try and work through their own panic at being caught like a bunny in the headlights.

And yet … a postal guide was produced that made no reference to protective marking or handling of volume data. Again, this is a classic example of people thinking only in a silo, isolated from understanding the need to engage the ISM in all cases of activity relating to information assets – usually from a starting point of just accepting or understanding what an information asset is.

Printing problems

Print servers were not set up properly as file and print servers, and old printers were not properly removed or decommissioned. This is another one of those ‘things to remember’, as it can cause havoc for users when selecting default printers and trying to maintain their usual work patterns and productivity.

Removable media management

Mixed communication messages were being received across departments. One team was told that their department could not afford encrypted USB sticks, so they resorted to buying them from a shop. Other users were backing up data on to a portable hard drive purchased similarly, which was also not encrypted. The portable hard drive was being taken home and the data then used for remote working. If, at any point, it had been lost or stolen, this would have been an embarrassing data breach for the organisation. The larger your organisation is, the harder it is to get the right message to everyone at the same time, unless you have a mandate to do so. But these kinds of incident really illustrate the need to be allowed to do so, as quickly as is humanly possible.

Incidents and frustrations are arising everywhere. A third-party integration provider spent two years trying to get a server to be switched off because it was allowing spam through its appropriate protection software. The software could see it, but the server was erroneously configured, out of date and out of band. Sadly, committee meeting after committee meeting took place with no progress being made. All the while, the organisation was at risk.

Access control issues

There were users in the organisation with full system access through remote connectivity and, therefore, the ability to copy everything to their home PCs. At times like this, your natural instinct is to despair! The ability to retain and maintain control can be extremely limited, given what the regulators expect, if we are honest.

Password management anomalies

Passwords appeared visible, in the clear, when logging into the organisation intranet and the 90-day password reset was not working. The users had been so well prepared for the full password reset roll-out that they were heightened to these kinds of anomalies, which arose as a result of outlying departments not always being captured by system changes. This was definitely something for the ISM to keep putting pressure on IT colleagues to keep abreast of.

Physical security conundrums

An individual attended a security awareness briefing then went back to their desk, left their phone plugged in and charging, their wallet on the desk and dashed out. They came back for their keys, but still left all these other personal belongings. Oh, the irony!

(ISM solution – have a metaphorical toolkit, in which you have available, amongst many other things, a set of postcards that you can use to leave on people’s desks when they do silly things like this!)

In this particular case, the team were working in a building where the doors were not locked until 6:30 pm. People closed the blinds, but left keys in the cabinets and in the key cabinet, and a lot of paperwork and items on desks. There were also roller cabinets that could not be locked.

Guests were not chaperoned out after meetings, and yet it was possible to walk past a number of unlocked screens and see organisational and citizen-sensitive information on display.

These kinds of things can be reported back in the same way as our findings in Chapter 2.

All of this is going on, and yet there are still people who believe that information security is not relevant to them, or that it does not warrant a full-time employee in the role!

Security awareness theme

Start considering messages around a holiday theme. Users go away for their two-week break from June onwards and they return revived and refreshed, but having wiped clean their mind of all things to do with work. They’ve ‘lost’ the synapse that contains their password, too! If the 90-day password reset occurs whilst they are away, and they miss it, that’s even worse! Remember to prepare your help desk for an increase in reset calls in the coming months, too.

Chapter summary

This chapter focused on two particular areas that, put together, provide a time line of understanding for how things come unstuck. Internal and external audit reports will always be available in any organisation. These are a gold-dust resource for the ISM to trawl through and see what the recurring themes have been over time, and whether improvements have been embedded. If not, research the barriers and help come up with workable solutions through the security improvement programme.

It is appreciated that it may just be, sadly, that the culture of the organisation will render it ultimately impossible to achieve sweeping change, but ‘slowly, slowly, catchy monkey’, as one particular saying goes. It is still possible to make some change and achieve improved information security from the bottom up, if doing so from the top down is proving unsuccessful.
