Pawan Kumar Singh, Chief Information Security Officer, Tulip Telecom Limited
The following practices may be adopted to ensure effective internal security audits.
1. Ensure independence
It is of utmost importance that the internal security audit function reports to a body which has oversight of management activities. (In most cases, this body is the audit committee.) This provides the auditor with freedom to determine the scope of internal auditing, and perform the audit activities in an unbiased manner. It also diminishes the probability of any influence in communicating the findings. Independence is critical for any internal security audit function to act effectively.
2. Favor third-party auditors
A third-party team of internal auditors is preferred because of their unbiased approach toward audit activity, as well as because of their wide experience due to their exposure to different industries—and hence different best practices. If an internal team is mature enough to meet the above criteria, it can also perform an internal security audit as effectively.
3. Communicate
It is important that auditors communicate the schedules, scope and methodologies of internal security audits to the auditee. Flash audits should be discouraged.
4. Remember that audits are about fact-finding, not fault-finding
Make your auditee comfortable. Help them understand that internal security audits may bring to light certain facts or possible gaps which may have probable business impacts. An internal security audit exercise adds a great deal of value by raising the organization to a higher level of risk sensitivity. Most businesses realize this only after a few audit cycles.
5. Understand the business
The information security auditor should understand the business of the auditee. This helps in identifying the risks which may be specific to that kind of business. Interactive sessions with the auditee can help the auditor gain a deep insight into the business.
6. Understand the culture
It is important for an auditor to understand the culture and current risk sensitivity of the organization. An organization which has adopted information security very recently will not have the maturity of an organization where information security has already become part of the organizational DNA.
7. Understand the two kinds of audits
Internal security audits are generally conducted against a given baseline. Compliance-based audits are oriented toward validating the effectiveness of the policies and processes that have been documented and adopted by the organization, whereas risk-based audits are meant to validate the adequacy of the adopted policies and processes. A risk-based audit should also be accounted for in the internal security audit schedule in order to enhance the organizational policies and processes. A mix of both the approaches can also be adopted by the auditors.
8. Sample
An internal security audit exercise is very often based on smart sampling. There are widely available methods such as random sampling and statistical sampling. The risk with sampling is the possibility that the chosen sample is not representative of the entire population. Through professional judgment, the auditor should ensure that this risk is minimized.
9. Recommend
An internal auditor should provide recommendations to the management for every observation in such a way that it not only corrects the problem, but also addresses the root cause.
10. Submit the audit report
An internal security audit report is the deliverable of the auditor. It is the result of the audit work. It is good practice for the audit report to start with an executive summary. Apart from the observations, the internal security audit report should carry a brief on the background, the methodology and concluding statements. A statistical view of the criticality of the findings will make it easier for the management team to digest the report. It is also important that you proofread your report so as to avoid any misinterpretations.
About the author: Pawan Kumar Singh is a CISSP and is currently the CISO of Tulip Telecom Ltd. He specializes in Information Security Management and its governance and has extensive experience in Information Security Audits with large organizations.
This was first published in July 2010